An Alternative to Penetration Testing
by Wayne Barnett

Constant Penetration Monitoring is cheaper and potentially more reliable

Computer Hackers have greatly complicated all of our lives. And it will get worse as technology improves.

Banks are attractive targets for Hackers. And while few have suffered Hacker break-ins, the ones that have, incurred significant financial losses.

What is a Hacker break-in? It's an event where someone alters or destroys computer records, or steals confidential information.

How hard is it for a Hacker to break into your bank? If the Hacker is an employee (and 70% of all break-ins are by employees), it's not hard at all.

For example, an employee could install a "capture program" on the Cashier's PC. A capture program records keystrokes. A few hours after it's installed, the employee will know the Cashier's user-ID and password. This will enable him to post every transaction the Cashier is authorized to do, and make it appear that the Cashier did so. (Note: capture programs are readily available, for free, via the Internet.)

Likewise, an employee can attach his PC at work to another PC located anywhere in the country. All it takes to accomplish this is a $9 modem (or a $90 modem if your bank has a digital phone system). The person on the receiving end will be able to browse your system, and possibly download confidential customer information. (Note: these types of connections bypass your firewall.)

Can you completely stop Hacker break-ins? Yes, you can. However, the cost (estimated at $150,000 a year for a small bank) exceeds the benefit.

So, how do you protect your bank against Hackers? For my EDP audit clients, I recommend three cost-effective controls:
  1. Do not house a web server in your bank. Let a professional IT services company manage and protect your web server. It may cost you $5,000 (or more) a year to do this, but it greatly decreases the risk of a Hacker break-in.
  2. Do criminal background checks on all new employees. (Note: the Internet makes this task quick and inexpensive.)
  3. Monitor for external Hacker break-ins by implementing Constant Penetration Monitoring (CPM).

What is CPM? It is a security strategy that utilizes two (2) firewalls: a hardware firewall at the Internet's point of entry, and a software firewall on 6-8 PCs.

The logic behind CPM is that two firewalls from different vendors, utilizing different detection strategies, are unlikely to be penetrated by a single Hacking procedure. Accordingly, if the first firewall is penetrated, the second one will capture the attack and immediately issue a warning message.

The reason for installing the software firewall on 6-8 PCs is that it enables multiple people to monitor for a "break-in message". You could install the software on all PCs, but that's probably overkill. Of course, the greater the number of PCs that have the software, the greater your chance of quickly detecting the Hacker.

Hopefully, your hardware firewall works perfectly and your software firewall never gets used. But if it does, you will quickly know there's a problem and can take immediate action to correct it.
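To make the CPM logic concrete, here is a small added example (not code from the article or from Wayne Barnett Software) that reads constructed host-firewall log lines from several PCs and flags inbound traffic from outside the bank's LAN. Under CPM the perimeter (hardware) firewall should never let such traffic reach a PC, so any PC-level firewall that sees it is the second layer catching what the first layer missed; a source reported by two or more PCs is treated as corroborated. The log format, PC names and addresses are assumptions for the example.

```python
import ipaddress

# Constructed log lines in an assumed host-firewall format (not any real product):
#   <pc-name> <direction> <action> <src-ip> -> <dst-ip>:<port>
SAMPLE_LOG = """\
teller-01 inbound blocked 192.168.1.50 -> 192.168.1.21:445
teller-01 inbound blocked 203.0.113.7 -> 192.168.1.21:139
ops-02 inbound blocked 203.0.113.7 -> 192.168.1.22:139
ops-02 inbound allowed 192.168.1.10 -> 192.168.1.22:3389
cashier-03 inbound blocked 198.51.100.9 -> 192.168.1.23:135
loan-04 inbound blocked 192.168.1.50 -> 192.168.1.24:445
"""

# The bank's internal network (assumed); anything else is "outside the perimeter".
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    pc, direction, action, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"pc": pc, "direction": direction, "action": action,
            "src": src, "dst": dst_ip, "port": int(dst_port)}

def find_bypasses(log_text):
    """Return inbound events whose source is outside the LAN.
    Internal-to-internal traffic (e.g. a file-share probe from another
    workstation) is not a perimeter bypass and is left out."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["direction"] == "inbound" and not is_internal(ev["src"]):
            alerts.append(ev)
    return alerts

def corroborated(alerts, min_pcs=2):
    """Sources that at least min_pcs different PCs reported; this is why
    CPM puts the software firewall on several PCs rather than one."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["src"], set()).add(a["pc"])
    return {src for src, pcs in seen.items() if len(pcs) >= min_pcs}

if __name__ == "__main__":
    hits = find_bypasses(SAMPLE_LOG)
    for h in hits:
        print(f"{h['pc']}: external {h['src']} reached port {h['port']}")
    print("corroborated sources:", corroborated(hits))
```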

What's the cost to implement CPM? It's around $500 in the first year ($150 for the hardware firewall, and $40 each for eight software firewalls), and $350 in subsequent years (for license renewal).

Is CPM a viable alternative for third-party penetration tests? In my opinion, yes. Please allow me to explain.

There are dozens of firms offering "affordable penetration tests" via the Internet. Many of them advertise that they use "commonly available hacker tools", and therein lies the problem.

In some instances these tools are 3-5 years old and that diminishes their effectiveness. Also, professional Hackers don't use "commonly available tools". They use self-developed tools that target specific weaknesses. If a testing firm isn't constantly updating its software to address these vulnerabilities (and many aren't), they're not providing a reliable service.

I believe CPM is far superior to penetration tests, and it's much cheaper. Most of the Regulators I've spoken with agree, as long as the bank isn't housing a web server. (Special rules apply to Banks operating in-house web servers. Ask your auditor about this.)

How confident am I in CPM? Very. It's what I use to protect my assets!

Wayne Barnett owns a CPA firm that specializes in providing EDP auditing and consulting services to banks. He is also President and Chief Systems Architect of Wayne Barnett Software, Inc. (www.barnettsoftware.com). He can be reached at 800-680-8692, or via e-mail at wbarnett@barnettcpa.com.

First published on BankersOnline.com 4/22/02