The financial services sector needs to boost its IT security defences, says Geoff Sweeney.
Reliance on IP communications to process data exposes the UK financial services industry to a greater risk from attack. This is especially true for companies that rely on the web to generate business and interface with customers.
The biggest problem facing an IT manager wanting to protect the company's web and IP-linked resources is the threat of a distributed denial-of-service (DDoS) attack - if the web servers fall silent, then revenues stop streaming.
This type of attack is usually orchestrated using one or more botnets, with thousands of internet-linked computers under malicious remote control, all placing a fatal load on the targeted website. To counter the DDoS threat, the best solution is to distribute the company's web presence across a geographically spread set of servers, as well as taking the IP diversity option for its primary and secondary connections to the internet. This approach also dramatically reduces the possibility that a website can be hijacked by criminals for any reason.
Applying a rigorous approach to analysing the security risks posed by an organisation's communications resource should not be confined to external connections. IT managers should also analyse the internal communications infrastructure, right down to the risks that portable appliances, such as USB sticks and MP3 players, pose to their IT operations.
A growing number of portable devices, from advanced smartphones to MP3 players, are now equipped with Bluetooth and WiFi connections. Even with the best of intentions, employees can end up compromising the security of the internal network by hooking up a portable device to the company IT resource. Furthermore, if the smartphone's 3G or GPRS capability is enabled, a hacker could dial in using the public network, install a Trojan horse application and gain back-door access to the company's internal network.
The cost of a serious network interruption is raised further by the growing body of corporate governance legislation on the horizon in the UK.
Many financial firms have already had to comply with the US Sarbanes-Oxley Act or face heavy penalties. Something similar has quietly arrived in the UK in the form of the Companies Act 2006, a piece of legislation which received Royal Assent late last year, and the provisions of which are due to be phased in by October 2008.
More immediately, however, UK financial institutions are bracing their security systems and policies for MiFID - the Markets in Financial Instruments Directive - which comes into effect on 1 November.
Among MiFID's many provisions is one designed to protect investors, requiring financial firms to prove that they have provided the best execution for every financial trade. This is aimed at making markets deeper, more competitive and more robust against fraud and abuse. Put simply, MiFID requires high levels of investment in up-to-date IT compliance and security systems by the financial services sector.
It's legislation such as this that is causing many IT managers to review their corporate security measures. And for good reason, since most legacy IT security systems are only designed to defend against known types of attack. Unfortunately, the modern breed of criminal hacker is using previously unknown methodologies to break into systems.
One method by which systems managers can defend their IT resource against these new types of attack is through the use of behavioural analysis software, which acts as a safety net to protect against unknown as well as known threats.
For the financial services industry, behavioural analysis IT security technology is a useful weapon in a much-needed arsenal of hardware and software tools to discern unexpected activity and protect the IT and allied systems from external as well as internal attack. In this context, behavioural analysis software both complements and augments existing security systems in the financial services sector.
Geoff Sweeney is CTO of behavioural analysis IT security software company Tier-3.