Financial Services Firms are under attack – Are you prepared?

April 4, 2013 Ken Rode

Cyber Attacks

It is no secret that for the past 6 months there have been continual cyber attacks underway against banks and large financial services firms.  Bank of America, JP Morgan Chase and American Express have all experienced targeted and sophisticated cyber attacks*.  Could you be next?  Are you prepared?

The bottom line is there is nothing you can do to prevent your firm from being a target.  Just like a burglar entering your home, you can’t stop them from trying; but there are things you can do to make it more difficult and, ultimately, provide them incentive to attack somewhere else.  To accomplish this, the best use of your time and effort is to reduce exposure, detect attacks and have a recovery plan in place.  In this first blog we will address reducing exposure.

Five Common Vulnerabilities

Are you sure that you know all the available services and open ports on your network?  If not, now is the time to find out.  Some items we frequently find exposed that are not used are:

1.)   Microsoft Small Business Server – This product is a great value for many small financial services firms and it provides a wide range of remote access options including VPN, Remote Web Workplace and Outlook Web Access.  However, all of these tools run on well known ports that are regularly attacked by automated scanners.  Any that are not needed should be disabled to reduce exposure.

2.)    Virtual Private Networking to Home PCs – In this day and age we all expect to be able to work from anywhere at any time we desire.  This has resulted in a proliferation of client-server and site-to-site VPNs between home networks and the office.  While this is great for productivity, it provides many people with a false sense of security; by providing automatic connection of home networks to the office, you are essentially connecting every system on that home network directly to your corporate network.  Is every machine on this home network monitored and protected against compromise at the same level as your corporate systems?  Typically the answer is no.  So, while the VPN protects traffic to and from the corporate network from interception or eavesdropping along the way, there is nothing to prevent a compromised home PC from being used to attack the corporate network from the inside.  So it is important to ask whether every employee needs remote access and whether direct connectivity between the two networks is required or if there is a more limited solution to meet the need.

3.)    Remote Access to Critical Infrastructure – Many IT Support organizations (internal and contractual) expose direct access to servers, firewalls and other critical components for remote management and troubleshooting.  As with the Small Business Server tools, these run on well known ports and are subject to automated scanning from the Internet.  If this access is required, is it locked down to specific source IP addresses?  If not, your sole protection is the username and password combination chosen; if these aren’t extremely complex, you will be compromised at some point.

4.)    Firewall Rules – The firewall is the primary protection for all your network systems from attackers on the Internet.  As such, it is a crucial component in your security posture.  For smaller firms, the rules that allow and block specific traffic are typically pretty simple.  However, if all changes and updates are not tested, you are asking for trouble.  Even the simplest rule set can be compromised by a firmware problem or configuration oversight.  This can be prevented by ensuring a full scan is completed anytime a firewall installation, change or update is done.

5.)    Web Sites – This area is much too vast to address in a paragraph or two.  The bottom line is if you offer access to sensitive information on your web site or interactive access into client accounts, you need to ensure all the software, web sites and tools are tested and verified by proper support personnel to ensure the design and operation is secure.

As you can see, there are many points of exposure that we may not ever think about.  Stay tuned for the next blog about detecting attacks and having a recovery plan in place for when and if those attacks are successful.

Well-Funded Hacktivism

American Express Knocked Offline

Ken Rode is the Director of IT Services at UNAPEN