If you thought your bank was as safe as houses, think again. The latest report from security testing specialist NTA Monitor suggests that banking and financial services organisations have among the worst security records of any sector. It reports that nine out of ten financial organisations tested showed basic flaws that "could put the availability of online banking systems in jeopardy".
The report, Vertical Market Security Report 2003, warns that the use of online banking and other financial services may suffer if IT security in key areas such as firewalls and router configuration is not improved quickly. It spotlights the financial sector as having the worst record for router security compared to other sectors, with 94 per cent of financial organisations tested showing basic flaws that could cause major disruption to online banking services.
There's more: NTA Monitor reports that firewall performance in financial organisations is worsening, with 46 per cent of those tested showing flaws in this area. Nearly a third of financial organisations (31 per cent) tested were found to have at least ten flaws, opening themselves to considerable risk of malicious attack. Thirty-eight per cent of sites have between two and five medium-level risks, which "could directly result in disruption of service by external attackers or provide unauthorised access if incorrectly configured."
Roy Hills, Technical Director, NTA Monitor, said: "Although the financial sector performed among the best overall, on closer analysis we found that excellent performance in some areas masked worrying gaps in others. This is surprising given the fierce competition in the financial sector: slow access or loss of service could turn the fickle Internet consumer towards another brand. Tighter security across all areas needs to be made a priority today and the holes plugged quickly -- or this could become a turkey shoot for hackers."
Hills continued: "Having worked with these sectors for many years, the analysis produced surprising results, in the case of the financial sector totally contradicting what we'd assumed. We expected the financial sector to have the tightest security but it proved to have the worst record for router vulnerabilities -- 94 percent of companies surveyed had basic router flaws. This could enable a hacker to prevent any Internet traffic entering or leaving a gateway. Imagine the disruption caused to online banking customers, and financial services sales lost. Another worry is that firewall risks are worsening in the finance sector. Any risk discovered in a security system that a corporate relies upon to protect its network is of serious concern," Hills said.
"Both these trends suggest either complacency or lack of awareness -- and I'm not sure which worries me most. Many of the problems highlighted can be fixed in under 20 minutes, with the right knowledge and the right mindset. So cost of new software or infrastructure is not the major constraint."
Among the specific router configuration risks identified were exposure to denial of service (DoS) attacks, unauthorised access to network resources, and disclosure of details about users logged in to the router, including user names. Much of this, according to Hills, was down to ISPs being unwilling to change their standard configurations for individual clients, rather than being the fault of the financial organisations themselves.
Hills suggested that access to "unnecessary services" on routers should be filtered or blocked. More specifically, this would avoid exposure to high-risk vulnerabilities such as the Microsoft RPC DCOM vulnerability, reached over TCP port 135. He added that, "the same advice would also prevent Cisco routers from advertising their location, thereby reducing the likelihood of DoS attacks based on the recent Cisco IPv4 flaw."
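The advice above amounts to two checks a network team can run against a router's saved configuration: are unnecessary services explicitly switched off, and does the Internet-facing interface carry an inbound filter that blocks TCP 135 from anywhere? The script below is an added illustration of that audit, not NTA Monitor's testing tool. It assumes IOS-style configuration syntax (the `no ...` service forms, `ip access-list extended` blocks and `ip access-group NAME in` bindings), works on constructed sample configs rather than a real device, and takes the list of external interface names as an argument rather than guessing which interfaces face the Internet.

```python
"""Audit an IOS-style router config text for the two findings described in the
report: unnecessary services left reachable, and no inbound filter blocking
TCP 135 on the Internet-facing interface. Illustrative code only; the configs
below are constructed samples and the service list is an assumption."""
import re

# Services rarely needed on an Internet edge router (assumed list). The audit
# requires the explicit "no ..." form rather than trusting platform defaults.
UNNECESSARY_SERVICES = ["service tcp-small-servers", "ip finger",
                        "ip http server", "cdp run"]

WEAK_CONFIG = """\
hostname edge-rtr-1
service tcp-small-servers
ip finger
ip http server
cdp run
interface FastEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
no service tcp-small-servers
no ip finger
no ip http server
no cdp run
ip access-list extended INBOUND-FILTER
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 permit tcp any host 10.0.0.10 eq 443
 deny ip any any log
!
interface FastEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group INBOUND-FILTER in
!
"""


def config_lines(config):
    """Drop blank lines and '!' separators, keep indentation for block parsing."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and ln.strip() != "!"]


def unnecessary_services(config):
    """Services from the watch list that the config does not explicitly disable."""
    lines = {ln.strip() for ln in config_lines(config)}
    return [svc for svc in UNNECESSARY_SERVICES if f"no {svc}" not in lines]


def parse_acl_entry(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT] ...' into a dict."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def address():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        i += 2                      # "address wildcard" pair
        return tok[i - 2]

    src, dst = address(), address()
    port = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def parse_acls(config):
    """Return {acl_name: [entry, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for ln in config_lines(config):
        m = re.match(r"ip access-list extended (\S+)", ln)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        if current is not None and ln.startswith(" "):
            current.append(parse_acl_entry(ln.strip()))
        else:
            current = None
    return acls


def inbound_acls(config):
    """Return {interface: acl_name or None} from 'ip access-group NAME in' lines."""
    result, current = {}, None
    for ln in config_lines(config):
        m = re.match(r"interface (\S+)", ln)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        if current and ln.startswith(" "):
            g = re.match(r"\s*ip access-group (\S+) in$", ln)
            if g:
                result[current] = g.group(1)
        else:
            current = None
    return result


def tcp_port_blocked_from_anywhere(entries, port):
    """First-match evaluation: True only if an any->any deny for the port
    precedes every permit that could pass it (implicit deny closes the list)."""
    for e in entries:
        if e["proto"] not in ("tcp", "ip"):
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        if e["action"] == "permit":
            return False
        if e["src"] == "any" and e["dst"] == "any":
            return True
    return True


def audit(config, external_interfaces, port=135):
    """Report services not disabled and external interfaces where the port is open."""
    findings = {"unnecessary_services": unnecessary_services(config),
                "unfiltered_port_on": []}
    acls, bindings = parse_acls(config), inbound_acls(config)
    for iface in external_interfaces:
        acl = bindings.get(iface)
        if acl is None or not tcp_port_blocked_from_anywhere(acls.get(acl, []), port):
            findings["unfiltered_port_on"].append(iface)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, ["FastEthernet0/0"]))
```

The first-match check matters more than it looks: a `permit ip any any` placed above the `deny tcp any any eq 135` line leaves the port open even though the deny is present, which is exactly the kind of "basic flaw" a quick visual review misses and a twenty-minute fix resolves.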
Among the remedies identified by Hills was "the need for ongoing security testing across all areas: network, operating system and application level." The Vertical Market Security Report 2003 is based on analysis of more than 600 network perimeter security tests for blue chip clients. The research analysed test results across the financial, government, legal, IT and telecommunications, manufacturing and services sectors. The report includes a ranking of Top 20 most common risks identified in each sector.