Nancy Feig

Banks' IT Security Vulnerabilities Growing

NTA Monitor study finds that flaws in banks' IT security are growing, while other industries' flaws are shrinking. Vulnerability management is one way to mitigate the risk to banks' systems.

Improvements in overall security have been achieved in most industry sectors, but the financial services industry has seen an increase in the average number of IT vulnerabilities, according to London-based NTA Monitor's 2007 Annual Security Report. The study analyzed vulnerability tests conducted on a variety of U.K. companies, including financial services firms.

While the number of vulnerabilities that could have enabled hackers to gain access or disrupt service has almost halved for all organizations, the average number of risks for financial institutions increased by 16 percent from the previous year, the report found. "Flaws that our testing discovered could permit hackers to gain entry to corporate networks and change users' passwords or delete files, which could wreak corporate havoc," said Roy Hills, technical director at NTA Monitor, in a release announcing the findings.

Experts suggest that banks tend to be more vulnerable to fraud and theft because they are balancing the dual demands of providing user-friendly Internet banking capabilities and securing their customers' data. Hackers also are more likely to target financial institutions because that's where the money is.

Identifying Vulnerabilities

But to fix a vulnerability, banks first must know what it is. According to Microsoft's (Redmond, Wash.) Web site, a security vulnerability "is a flaw in a product that makes it infeasible -- even when using the product properly -- to prevent an attacker from usurping privileges on the user's system, ... compromising data on it."

Still, IT vulnerabilities can be mitigated if banks take steps to minimize their exposure, according to NTA Monitor. First, banks should stay up to date on the latest vulnerabilities and apply patches and updates as soon as they are available. They should allocate sufficient management time, focus and control to ensure the preventative actions are carried out on an ongoing basis. Management also should educate staff on Internet security issues and have a clear security policy that is publicized and updated regularly, NTA advises.

According to Stamford, Conn.-based Gartner, the four main technology categories of vulnerability management are: vulnerability assessment, security configuration management and policy compliance, IT security risk management, and security information and event management.

To keep up with its IT vulnerabilities, Boston-based Eastern Bank ($6.5 billion in assets) in June purchased the NeXpose vulnerability scanning appliance and software from Boston-based Rapid7. "We were looking for a solution that is out-of-the box and easy to use, yet robust, and we found that with NeXpose," said Robert Gabrielski, assistant vice president of data and network security at Eastern Bank, in a release.

The NeXpose solution scans Web server applications, databases, operating systems and network devices to locate threats, assess their risk to the environment, devise a remediation plan and implement the ticketing process, according to Alan Matthews, the vendor's president.
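The workflow NTA Monitor and Rapid7 describe above (stay current on vulnerabilities, assess each finding's risk to the environment, plan remediation and raise tickets) is easy to state and harder to run consistently. The script below is an added example, not code from NTA Monitor, Rapid7 or Eastern Bank, and it does not read NeXpose output: it takes a constructed list of scan findings, scores each one by CVSS base score weighted for Internet exposure and public exploit code, maps the score to a remediation deadline, and groups the results into one ticket per host. The finding format, the weights, the SLA windows and the vulnerability identifiers are all assumptions chosen for illustration.

```python
"""Toy vulnerability-management triage: score scan findings, assign
remediation deadlines and group them into per-host tickets.

Added example, not code from NTA Monitor, Rapid7 or Eastern Bank. The
finding format, scoring weights, SLA windows and identifiers are assumed.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Finding:
    host: str
    vuln_id: str          # hypothetical identifier, not a real CVE
    cvss: float           # CVSS base score, 0.0 to 10.0
    internet_facing: bool  # reachable from the Internet (e.g. online banking front end)
    exploit_public: bool   # working exploit code is publicly available
    patch_available: bool  # vendor patch exists


# Assumed weights: exposure and public exploit code raise the priority.
EXPOSURE_WEIGHT = 1.5
EXPLOIT_WEIGHT = 1.3

# Assumed remediation windows in days, checked from highest threshold down.
SLA_DAYS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]


def priority(f: Finding) -> float:
    """Weighted risk score, capped at 10.0 and rounded to one decimal."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.vuln_id}: {f.cvss}")
    score = f.cvss
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    return round(min(score, 10.0), 1)


def sla_days(score: float) -> int:
    """Days allowed to remediate a finding with the given priority score."""
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return SLA_DAYS[-1][1]


def build_tickets(findings):
    """One ticket per host, findings ordered by descending priority.
    The ticket deadline is the tightest SLA among its findings, and a
    finding with no vendor patch is flagged for mitigation (firewall or
    IPS rule, service hardening) rather than silently left open."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    tickets = []
    for host, items in sorted(by_host.items()):
        ranked = sorted(items, key=priority, reverse=True)
        tickets.append({
            "host": host,
            "deadline_days": min(sla_days(priority(f)) for f in ranked),
            "items": [
                {
                    "vuln_id": f.vuln_id,
                    "priority": priority(f),
                    "action": "patch" if f.patch_available
                              else "mitigate (no vendor patch)",
                }
                for f in ranked
            ],
        })
    return tickets


def average_findings_per_host(findings) -> float:
    """The per-asset average the NTA Monitor report tracks year on year."""
    hosts = {f.host for f in findings}
    return round(len(findings) / len(hosts), 2) if hosts else 0.0


# Constructed sample scan output; hosts and vulnerability IDs are not real.
SAMPLE = [
    Finding("web01", "VULN-001", 7.5, True, True, True),
    Finding("web01", "VULN-002", 4.0, True, False, True),
    Finding("db01", "VULN-003", 9.8, False, False, False),
    Finding("fs01", "VULN-004", 2.1, False, False, True),
]

if __name__ == "__main__":
    for ticket in build_tickets(SAMPLE):
        print(ticket)
    print("average findings per host:", average_findings_per_host(SAMPLE))
```

Two design points carry over to real scanner output. First, a raw CVSS score alone ranks the internal database flaw above the Internet-facing web server flaw here; weighting for exposure and exploit availability reverses that, which matches where an attacker would actually start. Second, a finding with no vendor patch must still produce a ticket with a mitigation action, otherwise it drops out of the patch cycle and is rediscovered on the next scan.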

But vulnerability management is just one link in the chain of IT security, Matthews stresses. Firewalls and intrusion prevention systems also are required to help secure banks' systems, he says.
