Banks Remain Vulnerable to Cybercrime, Study Finds

MBA (9/11/2008 ) Palaparty, Vijay
Cybercrime or physical crime could compromise bank account records and Social Security numbers at 95 percent of financial institutions in the U.S. within 30 minutes or less, according to a study from TraceSecurity, Baton Rouge, La.
The company, which conducts IT risk assessments and provides security compliance, tested financial institutions by simulating physical and virtual breaches, often successfully bypassing security policies, procedures and technology. The tests focused on the company’s three best practices areas: penetration testing, remote social engineering and onsite social engineering.

Ninety-five percent of the time, TraceSecurity engineers disguised as fire marshals or pest inspectors gained access to bank areas that contained sensitive data that could be easily compromised. The study said backup tapes were easiest to target, along with other items such as loan applications, hardware and keyboard data.

“When in disguise, TraceSecurity engineers were only questioned on a couple of occasions,” said Jim Stickley, co-founder and CTO of TraceSecurity. “Financial institutions are under attack via physical breaches or the internet. It takes only one branch location for all customers’ sensitive data to be at risk, and recent data breaches have shown these losses can amount to billions of dollars—a huge cost for what’s usually a small, avoidable error.”

But another survey from Finjan Inc., San Jose, Calif., said 95 percent of organizations in the banking and financial sector perceive cybercrime as a major business risk—matching their level of vulnerability. The study said these organizations are concerned over repercussions of cybercrime, which could result in loss of customers, brand name damage and lawsuits. Seventy-three percent of CIOs and CSOs surveyed were more concerned about data theft than about downtime and loss of productivity due to virus infections.

“As the web has become the major malware infection channel, crimeware-filtering capability has become a critical component in organizations’ web security strategy,” said Yuval Ben-Itzhak, CTO of Finjan. “Today, more and more corporate data is at risk of being stolen by cyber criminals.”

From a technology vendor perspective, Jay Meadows, CEO of Rapid Reporting, Fort Worth, Texas, said the biggest deal with data security is that lenders should better understand with whom they are doing business.

“You can have the most secure network in the world, but if you are shipping it out to a partner that doesn’t, you’re putting your company at risk,” Meadows said. “In a world where everyone is concerned about cost, lenders need to realize there is a cost to security. Choosing a vendor based on lowest price, without checking their security measures, is being penny-wise and pound-foolish. Everyone is watching the front door, but the back door is unlocked. Lenders need to know who they are doing business with.”

In the Finjan survey, 68 percent of respondents indicated that their corporate intellectual property and sensitive information is at risk of data theft. Furthermore, 54 percent said they worry about their corporate employee information being stolen.

Forty-seven percent listed theft of their corporate customer information as a major concern. Twenty-five percent reported that their data had been breached and 42 percent could not exclude the possibility of a breach.

Watchguard Technologies, Seattle, identified unpatched vulnerabilities in companies, which are open to known exploits, as the number one security threat to small and medium-sized businesses. “More than 90 percent of automated attacks try to leverage known vulnerabilities,” the report said. “Although patches are issued regularly, a short staffed SMB may likely fail to install the latest application updates and patches to their systems, leaving them vulnerable to an otherwise easily stopped attack.”

Also on the list of top 10 security threats was loss of portable devices (fifth) and compromised web servers (fourth).

Meadows said vendors are often required to prove their own security through countless security checks. “There should be a standard security certification that vendors should be able to provide—one that requires regular testing and proof of security,” he said. “An increased number of lenders are increasing their security requirements, and are asking us to show proof of the security measures we undertake. They are checking all the way down the chain of custody. People are more concerned with whom they are doing business with, and we’re getting about 40 percent to 50 percent more requests for security verification than we did last year.”