Is your site secure?
by Michele Petry
BIO AND CONTACT INFO
Recent headlines relating to cyber-intrusions, newly released viruses and vulnerabilities in some of the most commonly used software have brought security front and center for 2002. The CERT? Coordination Center, operated by Carnegie Mellon University, recently released its 2001 statistics on the number of computer security incidents reported to the center. The number of computer-related security incidents climbed significantly in 2001, with more than 52,000 reported incidents, representing more than a doubling of the number of incidents reported in the previous year.
It is not surprising then, that banks would become a high-profile target for computer hackers and other malicious intruders. According to recent press reports, both Citibank and Mellon recently fell victim to "white-hat" hackers looking to expose potential vulnerabilities on their Web sites. In the case of Citibank, its online cash-payment site, C2IT.com, exhibited a security flaw that would enable an attacker to see credit-card numbers, bank-account numbers, security codes, and other customer information. The vulnerability that was exposed, however, was not new. The CERT Coorodination Center had issued an advisory on the cross-scripting vulnerability in a February 2000 alert.
While other high profile sites, such as the New York Times, Microsoft, PayPal, NBC, Morgan Stanley, also exhibited the vulnerability, few received the attention of the press and the criticism resulting from failing to act quickly to resolve the flaw (see, Security Researcher Says Citibank Took A While to "C2' Security Flaw).
Other types of security flaws have been discovered in delivering customer information contained in databases over the Web. For example, a recent poll released by Evans Data found that banks experienced the highest rate of security breaches of any of the industries surveyed. According to the poll, roughly 27% of the developers surveyed in the financial industry reported that they had experienced a security breach within the last year, compared with roughly 10% reporting from other industries. In December 2001, a flaw in the Fleet Credit Card Services online site, (see Bank Closes Web Security Hole) could have potentially exposed customer transactions to other Fleet cardholders, thereby violating a consumer's financial privacy and potentially allowing the information to fall into malicious hands. Even though Fleet acted quickly to close the security hole, they were still criticized for their lack of concern over the problem.
The lessons for financial institutions should be clear - maintaining a strong focus and vigilance on computer security is critical to ensuring consumer trust and minimizing reputational risk to your institution. Ensuring that your IT staff members vigilantly perform intrusion testing, apply software patches and remain acutely aware of recent threats and vulnerabilities, including virus and other potential threats, is crucial to maintaining your institution's credibility as a trusted provider of online financial services. Remember: computer security cannot be delegated to the role of the IT professional, but rather remains the responsibility of top-level management.
Cross-Site Scripting (CSS) detection program is available for free at http://www.devitry.com/screamingCSS.html - This program automatically spiders a page and detects Cross Site Scripting problems.
CERT Advisories, and Vulnerabilities Database.
NIST Contingency Planning Guide for Information Technology Systems
Information Security Checklist from Interpol
First published on BankersOnline.com 1/28/02
First published on 01/28/2002