Improvements in overall security have been achieved in most industry sectors, but the financial services industry has seen an increase in the average number of IT vulnerabilities, according to London-based NTA Monitor's 2007 Annual Security Report. The study analyzed vulnerability tests conducted on a variety of U.K. companies, including financial services firms.
While the number of vulnerabilities that could have enabled hackers to gain access or disrupt service has almost halved for all organizations, the average number of risks for financial institutions increased by 16 percent from the previous year, the report found. "Flaws that our testing discovered could permit hackers to gain entry to corporate networks and change users' passwords or delete files, which could wreak corporate havoc," said Roy Hills, technical director at NTA Monitor, in a release announcing the findings.
Experts suggest that banks tend to be more vulnerable to fraud and theft because they are balancing the dual demands of providing user-friendly Internet banking capabilities and securing their customers' data. Hackers also are more likely to target financial institutions because that's where the money is.
But to fix a vulnerability, banks first must know what it is. According to Microsoft's (Redmond, Wash.) Web site, a security vulnerability "is a flaw in a product that makes it infeasible -- even when using the product properly -- to prevent an attacker from usurping privileges on the user's system, ... compromising data on it."
Still, IT vulnerabilities can be mitigated if banks take steps to minimize their exposure, according to NTA Monitor. First, banks should stay up to date on the latest vulnerabilities and apply patches and updates as soon as they are available. They should allocate sufficient management time, focus and control to ensure the preventative actions are carried out on an ongoing basis. Management also should educate staff on Internet security issues and have a clear security policy that is publicized and updated regularly, NTA advises.
According to Stamford, Conn.-based Gartner, the four main technology categories of vulnerability management are: vulnerability assessment, security configuration management and policy compliance, IT security risk management, and security information and event management.
To keep up with its IT vulnerabilities, Boston-based Eastern Bank ($6.5 billion in assets) in June purchased the NeXpose vulnerability scanning appliance and software from Boston-based Rapid7. "We were looking for a solution that is out-of-the-box and easy to use, yet robust, and we found that with NeXpose," said Robert Gabrielski, assistant vice president of data and network security at Eastern Bank, in a release.
The NeXpose solution scans Web server applications, databases, operating systems and network devices to locate threats, assess their risk to the environment, devise a remediation plan and implement the ticketing process, according to Alan Matthews, the vendor's president.
But vulnerability management is just one link in the chain of IT security, Matthews stresses. Firewalls and intrusion prevention systems also are required to help secure banks' systems, he says.