News

04:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Financial Firms Declare War On Hacking

The focus is on eliminating vulnerabilities by building security into applications rather than relying on perimeter security tools.

Financial-services companies are ramping up efforts to protect themselves from hacking incidents, especially ensuring that software developers and business units take responsibility for building security into their applications.

The focus of application security is "evolving from the perimeter," said Wendy Walasek, VP at Morgan Stanley & Co., at the Cyber Security Executive Summit in New York Thursday. The company has taken a multifaceted approach to information security, including developing security "blueprints," providing developers with tools and services for information security, and training.

Information-security experts can help developers by pointing out potential vulnerabilities, such as exposure to an "SQL injection attack," said Walasek, referring to a form of attack that bypasses firewalls to steal information from a database or gain access to an organization's host systems.

The consciousness level of business users has been raised by the barrage of incidents involving lost and stolen data this year, as well as regulations such as Sarbanes-Oxley that stress the need for security access controls.

"Users are more accepting of the need to build security into applications," said Jennifer Bayuk, chief information security officer at Bear, Stearns & Co. Business users are consulting with information-security staff prior to launching IT projects, she said.

At Investors Bank and Trust Co., which administers $1.4 trillion in assets, all high-risk applications are subjected to tests called "ethical hacking attempts," said Kevin O'Neil, director of application security architecture. In addition, all source code is scanned for security flaws prior to being put into production.

Given the right tools and education, developers can easily build secure software that eliminates many vulnerabilities. The idea is to "engage developers by teaching them defensive security techniques," O'Neil said.

Web-facing applications make a particularly tempting target for hackers. Rather than penetrate perimeter defenses, attackers can, in effect, walk through the front door by taking advantage of weaknesses in the code used to authenticate users. On Monday, Symantec Corp. released its Internet Security Threat Report, covering the six-month period from Jan. 1 to June 30, 2005, which said that hackers are devising new methods of using malicious code to target desktops rather than enterprise perimeters. During the first half of 2005, malicious code that exposed confidential information represented 74% of the top 50 malicious code samples reported to Symantec, up from 54% in the previous six months.

Action also is being taken to stop phishing and pharming attacks, with which thieves trick consumers into disclosing access credentials such as user names and passwords. M&T Bank, a $52-billion asset institution, uses regular mail instead of E-mail to communicate with its online banking customers, said John Walp, VP of network security solutions. It's also experimenting with different techniques around spam filtering, he said.

Comment  | 
Print  | 
More Insights
Register for Bank Systems & Technology Newsletters
White Papers
Current Issue
Bank Systems & Technology Dec. 2, 2014
BS&T's 2014 Elite 8 executives are leading their banks to success, whether it involves leveraging the cloud, modernizing core systems, or transforming into digital enterprises.
Slideshows
Video
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.