Beating the Cyber Threat
By Valerie Thompson
European Banker, © Lafferty Publications Ltd 1999
Bank security now has to include prevention
against hackers or cyber attack, a
threat which one specialist puts higher than Y2K risks.
WHILE THE Internet presents tremendous opportunities for growth for Europe's
banks, managers need to be aware of the risks and take precautions. Use of
the Internet by organisations has fundamentally altered the security landscape.
In a report to the insurer Lloyd's of London, some of whose syndicates have
recently revised their policies for banks to include e-commerce, UK security
specialist mi2g says that the millennium bug (Y2K bug) is small in
comparison to cyber-warfare, which places financial institutions at substantial
risk.
"The Internet security solutions deployed
in many financial institutions today are similar to a standard Yale lock.
At risk is any installation using branded security packages such as Checkpoint
which has about 60 percent of the Internet firewall market,"
said mi2g Managing Director Diwakar Matai. The techniques to gain
illegal access exploit loopholes and default settings in standard security
software.
With branded software, such as Checkpoint, managers should be aware that
the default settings are widely known. If the defaults are left unchanged, it is
easier for hackers to find a way to access the local network. If Checkpoint
software is installed by an expert, then it is very secure, said Andreas Jakob
of Avantec Communications. Avantec counts as clients many of Switzerland's
leading banks and financial institutions.
Clearly, attackers or criminals who want access can gain it with relative
ease if standard software and hardware have been used in the network. "While
the majority of medium to large financial institutions do have some form of
an information security policy in place, the problem is that in this dynamic
marketplace it becomes obsolete in the space of months rather than years,"
said Matai. Network security needs to be continually assessed.
To find out how secure banks' networks are, Internet security consultants
can run 'penetration tests' on financial institutions (in other words, they
can hack into the bank). According to mi2g, which has tested US and
European financial institutions as requested by the institutions in question,
both corporate and retail banks are equally vulnerable. "Our
penetration testers can get into them in between 45 minutes and 24 hours,"
said Matai. The procedures used to hack into systems are easily
found on the Internet by using search engines with 'hack' or 'hacking' as
search terms. The mi2g testers, who work from sites in South Africa,
Singapore and New Zealand, have sometimes used a supercomputer to decrypt
a password in under eight minutes, but it is also possible to use normal networked
PCs or Linux workstations; it just takes a little longer.
Should a hacker gain access, they can:
· crash networked computers, resulting in potential data loss and attendant
hazards, such as fire;
· steal, copy, reroute or delete files from any of the Windows-based
machines and some Unix-based machines depending on configuration;
· access mainframe computers (in Cisco-based networks) even without
a user ID;
· deny access to the mainframes;
· and read incoming and outgoing e-mail, or reroute, copy, intercept,
alter or delete it at will.