July 05, 2004

  • Adel Melek, Partner, Deloitte & Touche (Toronto)
  • Eric G. Trapp, Partner, Security Solutions Group, Accenture (New York)
  • Mark Horvath, Director of Security, Commercial Sector, Microsoft (Redmond, Wash.)
  • Jack Danahy, President and chief executive officer, Ounce Labs (Waltham, Mass.)

-----

A virus can grind a bank's operations to a halt and expose billions of dollars. Technology offers a line of defense against attacks, but to really safeguard their systems, banks must implement strict security policies - and communicate them to employees and technology partners.

---

Q: Do banks understand the risks viruses and worms pose? What security measures should banks implement to protect against attacks?

Adel Melek, Deloitte & Touche: Many of the risks associated with viruses arose from the misalignment of technology, people and processes, as well as the lack of an end-to-end enterprise process to address this issue. Many banks have robust technical components in place to defend themselves against worms and viruses. However, they are only as strong as their weakest link. Many of the worms and viruses take advantage of users with a weak sense of security or a small number of vulnerable hosts within a large network. The introduction of a mobile force, use of consultants and off-shoring are also relatively new trends, and the security associated with these trends is not up to the same standards utilized across the organizations. Proactive patch management, proper systems and patches testing, systems monitoring and enhanced user awareness of security are now required.

Eric G. Trapp, Accenture: Assuming "virus" to mean any kind of malicious code, I say, yes, the financial services industry has accepted and is actively addressing the continuity risks posed by viruses. However, two conditions exist that can undermine the best anti-viral programs: First, there is a lack of sound asset management in the industry; and second, there is a lack of sound security configuration management. The solution is simple: Eradicating a virus means knowing where it can hide.

Mark Horvath, Microsoft: After several years at the forefront of the security battle, banks have a pretty good idea about where they stand with viruses and the kind of destructive potential they have. That said, most banks are still working on tightening their perimeter security. Securing the edges of the network and minimizing the exposure surface continues to be a battle.

Q: How can banks train employees - both in-house and remote workers - to guard against viruses?

Melek, Deloitte & Touche: Employees at all levels should be well educated and advised about the potential impact of a virus outbreak. Strong policies should be in place and well-communicated to users at all levels, not just administrators. In addition, the enforcement of the policies is the key - technologies exist for the automated enforcement of the policies. However, this requires that companies have the resources to properly manage, maintain and monitor them. Many organizations are rolling out awareness and training programs to all their employees, and some organizations demand that their employees provide an annual sign-off that they have reviewed the policies, attended training and are in compliance with their organization's policies and practices.

Trapp, Accenture: Organizations should establish a comprehensive set of security policies that clearly delineate employee responsibility. That means addressing and setting appropriate-use guidelines for all company technology and educating employees on e-mail security, incident response procedures, remote access security, Internet filtering, spyware protection, and asset and configuration management. Policies and procedures are only effective when supported by employee training and awareness programs. For remote workers, the leading practice is to require the use of approved virus protection software on all equipment used to access company technology from a remote location.

Horvath, Microsoft: Banks should continue to enforce common sense approaches to virus elimination with guidance around things like e-mail attachments and spam filters. Most known viruses can be eliminated at the network edge through scanning and filtering, but firms need to continue to stress care in handling attachments to e-mail, especially from sources outside the bank. Don't auto-open attachments, always scan unsolicited e-mail and, when possible, build white-lists of e-mail addresses known to be safe.

Jack Danahy, Ounce Labs: User education is an ongoing process, and it must be in the context of the work users do every day. The most successful programs I've seen do some sort of quarterly or semi-annual training and then conduct regular reminders and spot checks throughout the remainder of the year. Anti-virus signature updates should be automatic, and some firewalls do not have the capability to block users without the latest configurations. Diligence and end-user awareness of dangerous events are key.

Protection against worms has to happen on the developer side as well, with a serious training effort on how to write secure code. We teach our developers how to write faster code with greater functionality and availability but do not arm them with the knowledge to make that expanding functionality safe. It is critical, particularly for financial institutions, to implement this training.

Q: What requirements should banks place on their technology partners to minimize the risk of viruses?

Trapp, Accenture: Contractors and vendors should be held to the same standards as employees. Too many cases have been cited recently where viruses are introduced into an organization by way of an outside business partner. Contractual provisions that address vendor responsibility should be secured by companies before a vendor is formally engaged.

Danahy, Ounce Labs: Knowledge and technology have combined to make it possible for companies to hold outsourcers and vendors accountable for the security of the code they deliver. It should start with your outsourcing vendors. Build into the agreement your requirements for secure code, specify the vulnerabilities that must not be present and outline an audit procedure that must deem the software secure before the application will be accepted and paid for. Regulations demand this chain of trust be established, and there are now automated source code analysis tools to help speed and inform that process. Start the trend with the outsourcers and the pressure on packaged software vendors to get their software certified will continue to build.

Q: How will changing technologies affect the battle against viruses and worms in the future?

Melek, Deloitte & Touche: Many technologies already exist, such as the automation of security operations (e.g., patch management and updates) or the monitoring of networks, and many vendors are releasing more secure systems out of the box. These technologies have to be deployed properly and uniformly. As technology advances, more and more components are added to the IT infrastructure, and there are more entry points for viruses and worms. The key is to ensure a consistent security approach to be applied on all components and technologies.

Danahy, Ounce Labs: More protection, risks, vulnerability and new technologies will enhance not only our response but our proactive efforts to reduce risk. I think the greatest ally in this fight is knowledge. And technologies are arriving that will help security officers understand better their risk and exposure on even a daily basis and provide more intelligence about the actions to take that provide the greatest return on a security investment. The only way to respond to greater danger is to be smarter than the bad guys. Technology helps, education is critical and vigilance will be key.

Horvath, Microsoft: Anti-virus software will continue to evolve as time goes on and will become a larger part of banks' security platforms, almost in the same way that spell-checking works for their professional correspondence. Quarantine technologies are being developed which will allow applications access to only limited parts of a network or to run with only the minimum permissions they need and no more. In short, anti-virus technology will get closer to the applications, further from the users - self-adapting and aware of expected and unexpected behaviors. This will reduce the burden on the end-user while at the same time increasing the security of the system overall.