Beating the Cyber Threat
European Banker, © Lafferty Publications
Bank security now has to include prevention
against hackers or cyber attack, A
threat which one specialist puts higher than Y2K risks.
WHILE THE Internet presents tremendous opportunities for growth for Europe's
banks, managers need to be aware of the risks and take precautions. Use of
the Internet by organisations has fundamentally altered the security landscape.
In a report to the insurer Lloyd's of London, some of whose syndicates have
recently revised their policies for banks to include e-commerce, UK security
specialists mi2g says that the millennium bug (Y2K bug) is small in
comparison to cyber-warfare, which places financial institutions at substantial
"The Internet security solutions deployed
in many financial institutions today are similar to a standard Yale lock.
At risk is any installation using branded security packages such as Checkpoint
which has about 60 percent of the Internet firewall market,"
said mi2g Managing Director Diwakar Matai. The techniques to gain
illegal access exploit loopholes and default settings in standard security
With branded software, such as Checkpoint, managers should be aware that
the default settings are widely known. If the defaults are left, then it is
easier for hackers to find a way to access the local network. If Checkpoint
software is installed by an expert, then it is very secure, said Andreas Jakob
of Avantec Communications. Avantec counts as clients many of Switzerland's
leading banks and financial institutions.
Clearly, attackers or criminals who want to access can do so with relative
ease if standard software and hardware has been used in the network. "While
the majority of medium to large financial institutions do have some form of
an information security policy in place, the problem is that in this dynamic
marketplace it becomes obsolete in the space of months rather than years,"
said Matai. Network security needs to be continually assessed.
To find out how secure banks' networks are, Internet security consultants
can run 'penetration tests' on financial institutions (in other words, they
can hack into the bank). According to mi2g, which has tested US and
European financial institutions as requested by the institutions in question,
both corporate and retail banks are equally vulnerable. "Our
penetration testers can get into them in between 45 minutes and 24 hours,"
said Matai. The procedures used to hack into systems are easily
found on the Internet by using search engines with 'hack' or 'hacking' as
search terms. The mi2g testers, who work from sites in South Africa,
Singapore and New Zealand, have sometimes used a supercomputer to decrypt
a password in under eight minutes but it is also possible to use normal networked
PCs or Linux workstations; it just takes a little longer.
Should they gain access, a hacker can:
networked computers resulting in potential data loss and attendant hazards,
such as fire;
· steal, copy, reroute or delete files from any of the Windows-based
machines and some Unix-based machines depending on configuration;
· access mainframe computers (in Cisco-based networks) even without
a user ID;
· deny access to the mainframes;
· and read incoming and outgoing e-mail or it can be rerouted, copied,
intercepted, altered or deleted at will.