Event Summary
You want to start doing on-line banking but you keep hearing about information security incidents that make you skeptical of the process. How do you know if your financial institution has done due diligence to protect your assets from wily hackers, cavalier administrators, and other information technology sepulchers? If a large sum of money disappeared from your account, and banking records indicated that you made the withdrawal, but you know you didn't, how could you prove this? These are questions that consumers should be asking themselves before jumping on-line to do financial transactions.
The FDIC has been protecting financial accounts since 1933, when it was first instituted by Congress in response to the Great Depression. Essentially, the FDIC is a government-managed insurance company. Since the FDIC is insuring deposits, it makes sense that they are also concerned with financial systems integrity and network security. Traditionally, the FDIC has been used as a safety-net for bank failures. Since the FDIC began official operations in 1934, at least one bank a year has failed. This year, so far, six banks have failed, according to the FDIC.
Though half a dozen bank closings a year is not impressive, the reason commonly cited for the closings, "inadequate supervision by the bank's board of directors," may concern anyone interested in how banks secure their internal networks. When it comes to system and network security, there are no formal procedures or guidelines for network or information security audits. Banks audit themselves. It is up to the Board of Directors of each bank to provide the FDIC with an information technology and security audit report. The FDIC then reads the report and assigns a URSIT rating. URSIT stands for "Uniform Rating System for Information Technology."
URSIT ratings run on a scale from 1 to 5, with 1 being the highest rating with the least degree of concern, and 5 being the lowest rating with the most degree of concern. URSIT ratings are only assigned every other year, and only began being assigned this past April. With technology changing so quickly, and the pace at which financial institutions are jumping on-line, one wonders if once every 24 months is enough. Furthermore, if a bank receives an egregious URSIT rating of 5, which carries the description "Risk management processes are severely deficient and strategic plans do not exist or are ineffective," wouldn't you want to know this before doing on-line business with them? Unfortunately, URSIT ratings are not available to the general public.
In a letter dated August 24, 1998, to all CEOs and CIOs of national banks, the Office of the Comptroller of the Currency (the OCC) stipulated that "To manage strategic risk, banks should establish an effective planning process to implement and monitor PC banking systems." This simply means that banks must have a process. What that process involves is very loosely defined. Our understanding is that the majority of banks don't have the expertise to do their own security audits. An assumption is made that if this is the case, the majority of banks outsource network vulnerability assessments. But how can one be sure that their bank is actually outsourcing network vulnerability assessments to reliable security consultants?
As an example, in a recent security audit done by a major bank in the U.K. for a new e-commerce site, the security auditor only scanned TCP ports and failed to scan any of the e-commerce site's UDP ports. What this means is that the security audit as defined by the consultant was only half-way useful, since there are many well-known exploits of UDP services that hackers can take advantage of that were not taken into consideration. In general, the depth of the security audit will vary by consulting firm. Every company defines its own audit procedure, if it has one at all. It is not uncommon for companies to create "procedures" in the midst of a business opportunity.
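The TCP-only audit above is a scope gap that a bank can catch by reading the auditor's raw scan report rather than just the summary. The following is an added example, not code from the article or from any auditing firm: it parses constructed scan-report lines written in the style of Nmap's grepable output (the hosts, ports and services are hypothetical) and flags every host for which no UDP results were recorded.

```python
"""Audit-scope coverage check for a port-scan report.

Added example (not from the original article): given the per-host port
lines a scanner emits, report which hosts were only scanned over TCP and
therefore had their UDP services left out of the assessment entirely.
The report lines below are constructed in the style of Nmap's grepable
output; the hosts, ports and services are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample: one host assessed over both protocols, one TCP-only.
SAMPLE_REPORT = """\
Host: 192.0.2.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///, 53/open/udp//domain///, 161/open|filtered/udp//snmp///
Host: 192.0.2.11 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///
"""

# port/state/protocol/ ... (state may be compound, e.g. "open|filtered")
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/")


def coverage_by_host(report: str) -> dict:
    """Return {host: {"tcp": {ports}, "udp": {ports}}} from scan lines."""
    coverage = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in report.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        for port, _state, proto in PORT_RE.findall(line):
            coverage[host][proto].add(int(port))
    return dict(coverage)


def hosts_missing_udp(report: str) -> list:
    """Hosts with no UDP entries at all: the TCP-only gap the article describes."""
    return sorted(h for h, c in coverage_by_host(report).items() if not c["udp"])


def audit_verdict(report: str) -> str:
    """Summarise whether the assessment covered both transport protocols."""
    gaps = hosts_missing_udp(report)
    if not gaps:
        return "complete: every host has TCP and UDP results"
    return "incomplete: UDP never assessed on " + ", ".join(gaps)


if __name__ == "__main__":
    for host, ports in coverage_by_host(SAMPLE_REPORT).items():
        print(host, "tcp:", sorted(ports["tcp"]), "udp:", sorted(ports["udp"]))
    print(audit_verdict(SAMPLE_REPORT))
```

A host whose UDP ports were all scanned but came back closed would also show no UDP entries, so the scanner's command line or scan options should be checked alongside this result before signing off on the audit's scope.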
While the FDIC acknowledges the seriousness of the situation, it admits that it is currently too bogged down with Y2K concerns to take any action on system and network security. The FDIC further concedes that after the 1st of the year, the FDIC will step up the amount of person power put into managing system and network security regulations for financial institutions. In the meantime, the FDIC assures people, "All deposits are insured by the FDIC, so the public should not be concerned with URSIT ratings."
Market Impact
For corporations planning on going on-line and signing up with a financial institution's "on-line store service," there is little information that can be gleaned to help understand how safe a financial institution's on-line transaction systems are. With internet usage expected to exceed 500 million [1] by the year 2000, and on-line investing accounts tripling in the next four years, there is much to be concerned about. For companies selling system and network security technologies, the market is ripe for the picking. There are enough potential customers and a big enough market out in the wild, wild west of on-line banking and electronic commerce to keep even the most remedial security consultants working overtime.
User Recommendations
It is currently not possible to know how safe your bank's on-line electronic commerce system is. Big and reputable banks are not necessarily safer than smaller banks. One way to mitigate some risk is to ask your financial institution some key questions:
- Has a system and network security audit of their on-line websites been done?
- What outside third-party did the system and network security audit?
- What is the date that the last security audit was done?
- Are all financial transactions encrypted?
- Do they have a network security team?
Doing on-line banking is clearly a risk. One needs to determine if the risk is worth the benefit before jumping on-line.
[1] The Industry Standard, http://www.thestandard.com