Security in a Cyber World

By: (CISA, CISSP, CRISC)

Publication: The Colorado Banker, May/June 2008

Long gone are the days when the primary threat to a community bank was a local outlaw with a gun and bandana. The external perimeter of community banks is no longer limited to the brick and mortar building in which their money and information resides. The security landscape of today’s Internet connected bank has expanded to include global threats, such as Foreign Terrorist Organizations. Therefore, banks must take a strong stance on security to ensure their information and assets are protected from a wide variety of threats.

A Recent Attack

On January 18, 2008, the information security team of a regional bank detected fraudulent activity on several customer accounts. Bank response to the breach included sending letters to customers, as well as issuing new check cards, ATM cards, and personal identification numbers. In a statement issued by the bank, the president and CEO stated: "Unfortunately, the threat of cybercrime is a risk faced by all financial institutions. We must remain vigilant in attempting to thwart such activity through the updating and continual monitoring of technologically advanced security systems, as well as through professional diligence."

Through the Eyes of the Enemy

Criminal organizations, including Foreign Terrorist Organizations, have begun targeting community banks. They feel many community banks do not have the resources or sophistication to defend themselves in the cyber world, and sadly they are right all too often. Recent breaches have included:

  • Direct Internet attacks against the bank’s external firewall(s) and router(s).
  • Social engineering tactics, including phone calls, phishing, pharming, etc.
  • Attacks against vendors of a bank, primarily the bank’s Internet Service Provider (ISP). These attacks will typically change the code of the bank’s website to redirect users to "enemy" servers that trick customers into entering their confidential information.
  • Attacks directed at bank customers.

So what can a community bank do?

Secure the Perimeter:

The perimeter includes both the physical building(s) as well as electronic boundaries. The physical perimeter is much easier to control since we can see it, and it is bound geographically. The electronic perimeter is much more elusive. It includes all electronic “doorways” and “windows” from the bank to the world, for example, connections to the Internet, connections to vendors, modems, wireless access, etc.

Implement Logging and Monitoring:

During a penetration test conducted for a community bank by our company about a year ago, we observed multiple security risks on the bank’s border router, including a management account with no password set. Upon connecting to the device we discovered several other connected systems with IP addresses appearing to originate from several other countries. We immediately called the bank, and they secured the device.

During later discussions with the bank, bank officials asked how they might know whether any attackers had breached key systems, or how deep their reach might have been. The answer depended on the quality of the bank’s system logs. Monitoring (to assist in detection) and logging (to support investigation) are key components of an overall security posture.
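As an added illustration of what monitoring and logging can mean in practice for a device like the border router described above, the script below reads router login records and flags management sessions from outside the bank’s management subnet, repeated failed logins from one source, management sessions over cleartext protocols, and configuration changes made from outside. It is example code written for this page, not code from the bank or the testing company; the log line layout, the 10.1.50.0/24 management network, the failure threshold and the sample lines are all constructed assumptions.

```python
"""Flag suspicious management activity on a border router from its syslog.

The log lines below are constructed for this example, and the message
layout is an assumption modelled on the shape of router login syslogs;
it is not a capture from any real device.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: administrators reach the router only from this internal subnet.
MANAGEMENT_NETWORK = ipaddress.ip_network("10.1.50.0/24")
# Assumption: this many failed logins from one source is worth a finding.
FAILURE_THRESHOLD = 3
# Cleartext management protocols that should not be exposed at all.
CLEARTEXT_PORTS = {23: "telnet", 80: "http"}

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED): Login \w+ "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \w+ by (?P<user>\S+) on \S+ "
    r"\((?P<src>[\d.]+)\)"
)

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Jan 18 02:14:07 border-rtr 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.50.12] [localport: 22]
Jan 18 02:16:41 border-rtr 102: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 23]
Jan 18 02:17:03 border-rtr 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22]
Jan 18 02:17:09 border-rtr 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22]
Jan 18 02:17:15 border-rtr 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.9] [localport: 22]
Jan 18 02:20:30 border-rtr 106: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)
Jan 18 08:02:55 border-rtr 107: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.50.30] [localport: 22]
"""


@dataclass(frozen=True)
class Finding:
    user: str
    src: str
    reason: str


def analyze(lines):
    """Return a list of Findings for the given syslog lines, in log order."""
    findings = []
    failures = {}  # source address -> count of failed logins so far
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            src = ipaddress.ip_address(m["src"])
            user, port = m["user"], int(m["port"])
            if m["result"] == "LOGIN_SUCCESS":
                if src not in MANAGEMENT_NETWORK:
                    findings.append(Finding(user, str(src),
                        "successful login from outside the management network"))
                if port in CLEARTEXT_PORTS:
                    findings.append(Finding(user, str(src),
                        f"management session over cleartext {CLEARTEXT_PORTS[port]}"))
            else:
                failures[src] = failures.get(src, 0) + 1
                if failures[src] == FAILURE_THRESHOLD:
                    findings.append(Finding(user, str(src),
                        f"{FAILURE_THRESHOLD} failed logins from one source"))
            continue
        m = CONFIG_RE.search(line)
        if m and ipaddress.ip_address(m["src"]) not in MANAGEMENT_NETWORK:
            findings.append(Finding(m["user"], m["src"],
                "configuration change from outside the management network"))
    return findings


def external_sources(findings):
    """Distinct outside addresses that touched the router: the starting
    point for the 'how deep was their reach' question an investigator asks."""
    return sorted({f.src for f in findings
                   if ipaddress.ip_address(f.src) not in MANAGEMENT_NETWORK})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.src:>15}  {f.user:<8} {f.reason}")
    print("outside sources:", ", ".join(external_sources(results)))
```

The script only works if the router is configured to send login and configuration events to a log server the router itself cannot alter; a device that keeps its only logs in local memory loses them on reboot, which is exactly the situation in which the bank could not answer the question it asked.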

Apply Internal Controls:

While external controls are critical, internal controls should not be ignored. A few years ago, a large retail company neglected to implement antivirus protection on the systems (including checkout lanes) at a new location. A manager visiting from another location brought a disk into the store to copy some Excel files, unleashing a virus which subsequently shut down all systems and brought the store to a halt for several hours . . . not the impression they were hoping for during their Grand Opening!

Internal controls include malicious software protection, password controls, encryption, access controls, segregation of duties, training, etc.

Maintain an Information Security Program:

Make sure you have completed an Information Security Program, including a Risk Assessment, Security Policies, an Incident Response Plan, a Business Continuity Plan, and Employee Security Awareness Training. Walking through the development and maintenance of an overall Information Security Program can help identify weaknesses and raise awareness of high-risk areas within the bank.

Conduct Security Testing:

Banks should conduct regular IT audits and security testing to ensure controls are satisfactory. The FFIEC recommends "High-risk systems should be subject to an independent test at least once a year", and "firewall policies and other policies addressing access control between the financial institution’s network and other networks should be audited and verified at least quarterly"; however, they include a footnote that the quarterly verification need not be by an independent source.

Where can I go to get more information?