When Barclays introduced a software upgrade to its online banking service last summer, it unwittingly opened a security rift. The upgrade, written in-house, provided customers with immediate decisions on personal loan and overdraft applications but also left them staring at one another's account data. The bank quickly removed the software and rewrote parts of the program, testing it internally for days at high and low volumes.
But Barclays didn't restore the software to its Web site until a crew of hired hackers pronounced it impenetrable.
Ethical hackers, counter hackers, white hats or penetration testers: the names refer to individuals legally hired to crack company networks, servers, desktop terminals and Web sites to reveal security holes. As corporate networks expand, new vulnerabilities and threats turn up on the Internet every day, and banks have started to engage their services.
"Some people call it tiger team penetration testing," said Pete Murphy, senior vice president of information protection at Bank of America. "It's a protective measure that helps us find where we might have certain weaknesses in our security, and allows us to make the upgrades and changes where we might be a little weaker than we would otherwise want to be."
While some bank security officers might use ethical hackers to uncover unknown security breaches, others employ them to validate system weaknesses they already suspect. Nothing can convince a CIO to devote more resources to online security quicker than a hacked site.
Bank North Group, a $19 billion financial holding company headquartered in Portland, Maine, hired Digital Defense, a San Antonio computer and network security consultancy, to test its retail e-commerce initiative. "I was fighting a politically losing battle here, feeling I was the one voice of reason against all the other voices of budget," said Gary Casselman, vice president of network security at Bank North Group. The test included an internal penetration scan on the content management distribution server and an external scan on the home page. "Because of a snafu in standards and policies here, the content management distribution server was not built as securely as I would have liked. So I expected this to be hacked."
And it was, in minutes. "It wasn't even hard," said Casselman, who won his fight. "We got to harden the server down. It was an abject lesson. As a financial institution we are a target, and we have to pay attention to that."
A PERILOUS CLIMATE
Banks today face an environment where vigilance has become ever-more crucial. "Cyber crime and intrusion are on the rise," said Ron Dick, director of the FBI's National Infrastructure Protection Center, or NIPC.
Apart from the assorted worms, viruses, Trojan horses, logic bombs, spoofs, zombies and denial of service attacks that hit such mega sites as Yahoo!, eBay and E*Trade last year, the NIPC has repeatedly warned against several Eastern European hacking and extortion rings that have attacked the computer systems of more than 40 U.S. companies in 20 states. By exploiting vulnerabilities in unpatched Microsoft NT operating systems, the hackers, mostly from Russia and the Ukraine, have stolen more than 1 million credit card numbers, along with sensitive information from customer databases.
These are just the latest in a line of attacks that began seven years ago when a Russian computer cabal led by Vladimir Levin broke into Citibank's network and fraudulently transferred $10 million to its own accounts.
The federally funded Computer Emergency Response Team at Carnegie Mellon University reported almost 22,000 hacking attacks on U.S. corporations last year alone, more than double the number reported in 1999. The Computer Security Institute and the FBI's 2001 Computer Crime and Security Survey found that 85% of the 538 companies surveyed, which included financial institutions, said they detected computer security breaches within the last year, and 64% said the security gaps caused financial damage. For the 186 companies, or 35%, that provided financial details, losses totaled almost $378 million, up from $266 million reported by 249 companies in 2000.
THE WHITE HATS
Given the statistics and the new information security procedures required by the Gramm-Leach-Bliley Act, an industry has spawned around vulnerability assessment and white hat hacking. It includes big accounting firms like Ernst & Young, PricewaterhouseCoopers and KPMG, computer behemoths like IBM and Cisco, and a slew of smaller security consulting firms.
"Banks hire us to answer the question, What can a hacker do to me?" said Joseph Cooper, president and founder of Digital Defense, whose clients include several banks and credit unions.
Stereotypes aside, legally hired hackers are not convicted felons looking to go legit. "Usually, we insist they come from a trusted source, meaning they've had a multitude of this type of technical experience," said Keith Frederick, CEO of SecureInfo, another San Antonio security consultancy, which splits its work between government and corporate clients, about a fourth of which are banks. "We do a lot of work for the Department of Defense, so all our guys have top security clearances."
All the senior analysts at nearby Digital Defense come out of the military, said Cooper. Nearby Kelly Air Force Base and its Information Warfare Center feed employees to both companies, and have helped turn San Antonio into a mini mecca for computer security.
Out of Digital Defense's 25 employees, 18 do penetration testing, or ethical hacking, usually in teams of two, doing much of the testing from their San Antonio headquarters. "When a client hires us for that one-time test, we'll begin by testing here, looking at them the way a hacker would," said Cooper. "Then we send them a network appliance that gives us internal access, and we look at them from a disgruntled employee's point of view. The internal risk is enormous."
The intrusion test usually costs between $5,000 and $50,000, depending on the size of the financial institution or the scope of the deal. Community banks usually pay between $15,000 and $25,000 for penetration testing, said Cooper. "We've got some banks in the $100,000 to $200,000 range, but that's a rarity."
What's all too common is how frequently Digital Defense breaks into a system. "We see stuff every day where an unskilled 12-year-old could basically get in and wire out all the money from the institution," said Cooper. "About 70% of the time, we can transfer funds via the Internet, either between accounts or money out."
Cooper went on to describe a test on a multibillion dollar financial institution. "Because of the way they were connected to their clearinghouse, we had a straight path into that. And because of the way everything was set up, we could see everyone else connected into the clearinghouse as well. And this was over the Internet, without having any prior knowledge of their network."
Bruce Hartley, president and CEO at e-business technology, a security firm in Colorado Springs, Colo., said his company has never failed to break into a system yet, via the Internet and dial-in phone lines, even with firewalls present. In one financial institution, his team gained full-system access by exploiting known network file system vulnerabilities, spring-boarding from an intranet Unix server. "Most of the vulnerabilities are publicly known and correctable," he said. They may simply stem from misconfigurations, user default settings or out-of-date files.
What's hard is keeping up with new exploits and alerts. "We tried to do something ourselves, but it was complicated," said Butch Hill, Internet security manager at the $181 million Air Academy Federal Credit Union in Colorado Springs. "There's a lot of stuff to stay on top of, and we didn't have the expertise in-house."
So the credit union hired e-business technology for a penetration test last November. It has since signed on for quarterly testing. "There's potential exposure any time you allow folks to log into your network from remote locations, like from home," said Hill. "We wanted to be sure we had all those types of holes closed, or at least secure."
Banks' increasing reliance on outsourcers can introduce chinks in security. "For every system, hire hackers to break it," said Brent Tanner, vice president and director of e-commerce and technology project risk review at Citigroup. "We get the results and then modify it. You should do this before every new vendor contract."
Often the problem lies not in the individual systems but in the way they link together. "With one ISP, a different Web site, home banking vendor and data processor...when you plug them together, you really don't know how that affects your overall posture," said Digital Defense's Cooper.
Mergers and acquisitions introduce more vulnerabilities. "You inherit the other company's risk profile," said e-business technology's Hartley. "You might have a tight security posture in your organization, but once you've merged and as soon as you make that network connection, you've inherited every vulnerability they have on their network, and you might not know what those are."
"Mergers multiply the likelihood of weaknesses," said Todd Waskelis, a senior security adviser at NetSec, a security consultancy near Washington, D.C., whose founders came from the National Security Agency. "We had a client that picked up some subsidiary banks and during the conversion noticed that some monitoring devices were getting some activity from a Chinese ISP. What they were doing was relaying Web requests for pornography...funneling traffic through a legitimate site so that the Chinese government wouldn't see the pornography and redirect it back."
Despite such findings, tiger team testing does little good without a security policy to support it, said experts.
"If you don't know what you're trying to protect or how you're going to protect it, there's no way you're going to have a secure environment," said Hartley. "The bank may spend time fixing one or two machines, but you've got to consistently configure all your platforms. Otherwise, you've got that weakest link problem. That weak link system is trusted by other systems, and when I break into it, I cascade through your entire network."
2001 CMP Media LLC.
7/1/01, Issue # 3807, page 30.