Marshall Jones – Systems Engineer
“You’ve been hacked.” Three words that strike fear into every Teller, Network Administrator, and Bank President. Three words you can make far less likely to hear, provided you are proactive about your network security. Last year, it was estimated that close to 80 million personal records were stolen. Compare that with what now seems a meager 20 million in 2006 and it is clear that the number of records exposed each year is climbing fast. Customers have put their trust in the bank to store and protect all of their personal and financial information. So, what can you do with a limited IT budget to protect that information from prying eyes and ears? The first and most important step is training.
Your users should know what social engineering is, how to detect it, and how to handle it. Social engineering is a method an attacker uses to gather information for a break-in, usually by simply fooling a user into divulging something the attacker needs, most often by phone or email. Once the attacker has a seemingly innocuous piece of information, such as the Network Administrator’s name, they can use it to get what they are truly after. For example, the attacker calls the bank, mentions the Administrator by name, and tells the user that the Administrator has asked for the user’s password so that maintenance can be done on the email account. Once the attacker has the password, they can send email to customers from the user’s genuine bank mailbox; because the messages come from the bank’s own mail system, they pass every check a customer (or a spam filter) is likely to apply. A customer who sees that the email is from the bank is more likely to respond with the requested account information. The lesson to drill into users is simple: no legitimate administrator ever needs a user’s password, so any such request should be refused and reported, and the caller’s claim verified by phoning the Administrator back on a known number. With training, users can be made aware of these types of threats and how to handle them when they arise.
Probably the most publicized form of data leakage is the lost or stolen laptop, flash drive, or backup tape. With the proper software and training of employees, you can greatly reduce this risk. With the latest version of Backup Exec you can, and should, encrypt your offline backups. This is a quick, easy, and critical step to protect yourself in the event of theft or loss of your backup media. One caveat: the encryption key or passphrase must be kept somewhere other than with the media (an encrypted backup whose key travels with the tape protects nothing, and one whose key has been lost can never be restored), and you should test a restore from an encrypted backup set before you rely on it.
Are the bank’s laptops encrypted yet? Here is a common, yet easily avoidable, scenario: a thief looks through a car window and sees a laptop that will bring a quick sale, but after taking a look at the hard drive, he realizes he has something much more valuable on his hands. A laptop can easily be replaced; the bank may never recover from the public relations fallout of a situation like this. It is imperative that the bank ensures all laptops have encrypted hard drives so the data is protected after theft or loss. Keep in mind that full-disk encryption protects the data only while the machine is powered off or hibernated; a laptop stolen while running or asleep still has its keys in memory, so pair the encryption with a rule that laptops are shut down (not just closed) before they leave the building, and keep the recovery keys escrowed centrally so a forgotten passphrase does not become a second data loss.
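As an added example (this is not code from the original article), here is a PowerShell script that answers the question above for a single Windows laptop: it lists every fixed drive that is not both fully encrypted with BitLocker and actively protected, and it can turn protection on for the operating system drive with a TPM protector plus an escrowed recovery password. It assumes an elevated session on Windows 8 / Server 2012 or later with the BitLocker and Storage modules and a TPM; XtsAes256 needs Windows 10 1511 or later. The function names are this example’s own.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on Windows 8 / Server 2012 or later with the BitLocker and Storage
# modules; XtsAes256 needs Windows 10 1511 or later (use Aes256 on older builds).
# Function names are this example's own.

function Get-UnprotectedFixedVolume {
    # Report every fixed volume with a drive letter that is not both fully
    # encrypted and actively protected (a suspended drive counts as unprotected).
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object {
            $mp = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mp
            if ($bl.VolumeStatus -ne 'FullyEncrypted' -or $bl.ProtectionStatus -ne 'On') {
                [pscustomobject]@{
                    MountPoint           = $mp
                    VolumeStatus         = $bl.VolumeStatus
                    ProtectionStatus     = $bl.ProtectionStatus
                    EncryptionPercentage = $bl.EncryptionPercentage
                }
            }
        }
}

function Enable-OsDriveEncryption {
    param([string]$MountPoint = $env:SystemDrive)

    $bl = Get-BitLockerVolume -MountPoint $MountPoint
    if ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On') {
        Write-Verbose "$MountPoint is already protected"
        return
    }

    # Recovery password first, so the drive can still be unlocked if the TPM is
    # cleared or the board is replaced; Out-Null keeps the 48-digit password off
    # the console. Then bind the drive to the TPM so it unlocks at boot.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

    # Escrow the recovery password in Active Directory (needs the BitLocker
    # schema extension and a GPO that permits backup). Without escrow, a lost
    # password is a second data loss.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

# Run the audit; an empty result means every fixed drive is protected.
Get-UnprotectedFixedVolume | Format-Table -AutoSize
```

Run Get-UnprotectedFixedVolume across the fleet (through a remote session or a logon script that writes the result to a central share) and treat any non-empty result as a finding. Data drives on the same laptop still need their own protector (BitLocker auto-unlock, for example); the function above deliberately handles only the operating system drive.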
With flash drives getting cheaper and larger by the day, Network Administrators must recognize that the bank’s customer data has to be protected from theft by insiders as well as outsiders. Endpoint security software lets you control the furthest reaches of your network and prevent a user from walking out of the bank with a flash drive full of confidential information. Several products can protect the endpoints within your bank, including the newest release of Symantec’s antivirus solution. However, the first step every bank should take is to have, and enforce, a network usage policy. This policy should describe and limit proper use of flash drives and other removable media, and the technical controls should match it: if the policy says flash drives are read-only or prohibited, the workstations should enforce that rather than rely on the user to remember.
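As an added example (again, not code from the original article), here is a PowerShell script that turns a removable-media policy into something the workstation itself enforces: it writes the Windows “Removable Storage Access” policy values that deny write (and optionally read or execute) access to removable disks, reads them back for an audit, and can disable the USB mass-storage driver outright. It assumes an elevated session on Windows 7 or later. The registry key, device-class GUID and value names are the ones the policy template writes; the function and variable names are this example’s own. In a domain you would push the same values through Group Policy rather than setting them machine by machine.

```powershell
# Added example, not from the original article. Assumes an elevated session on
# Windows 7 or later. The key, class GUID and value names are the ones the
# "Removable Storage Access" group policy writes; function names are this
# example's own. In a domain, set the same values through Group Policy.

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device class

function Set-RemovableDiskPolicy {
    # Weak setting: no key at all (everything allowed). Corrected setting:
    # Deny_Write = 1, so a user can read a vendor's drive but cannot copy data out.
    param(
        [switch]$DenyWrite,
        [switch]$DenyExecute,
        [switch]$DenyRead
    )
    $key = Join-Path $PolicyRoot $RemovableDisks
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $values = @{
        Deny_Write   = [int]$DenyWrite.IsPresent
        Deny_Execute = [int]$DenyExecute.IsPresent
        Deny_Read    = [int]$DenyRead.IsPresent
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $values[$name] -Force | Out-Null
    }
    # The storage stack picks these up on policy refresh; run gpupdate /force or
    # reboot, then re-insert a drive and try to copy a file to it to confirm.
}

function Get-RemovableDiskPolicy {
    # Audit helper: returns the effective deny flags (0 = allowed, 1 = denied).
    $key = Join-Path $PolicyRoot $RemovableDisks
    $result = [ordered]@{ Deny_Read = 0; Deny_Write = 0; Deny_Execute = 0 }
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in @($result.Keys)) {
            if ($null -ne $props.$name) { $result[$name] = [int]$props.$name }
        }
    }
    [pscustomobject]$result
}

function Disable-UsbMassStorage {
    # Heavier hammer: stop the USB mass-storage driver from loading at all.
    # Start = 4 disables it; Start = 3 (load on demand) restores it.
    param([switch]$Restore)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start' -Value $(if ($Restore) { 3 } else { 4 }) -Type DWord
}

# Typical use: allow reading but block copying data out, then confirm the flags.
Set-RemovableDiskPolicy -DenyWrite
Get-RemovableDiskPolicy
```

Deny_Write is usually the right balance for a branch: staff can still open a document a customer brings in, but nothing leaves on the stick. Reserve Disable-UsbMassStorage for machines that should never see a flash drive at all, and remember that neither control stops a user from emailing the file out, which is what the endpoint software and the usage policy are for.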
The FDIC does require banks to undergo independent penetration and vulnerability audits to ensure the network meets certain criteria, but these should be treated as minimum requirements. It is up to you not only to do the minimum, but to stay ahead of the curve by following the trends in the IT industry. Keeping yourself and your end users up to date on the latest methods attackers are using is extremely important. The more you know, the better prepared you are.