Q: What are the greatest security threats to banks, and what new threats do you see on the horizon?
Speare: The greatest attack vector from both the technology and information security standpoints are e-mail scams and phishing attacks. But most threats can be categorized as one type or another of malware. Whether it's viruses, Trojan horses or adware, it's making computers act in a way you don't want them to.
The viruses that present the highest threats are the ones that begin as distributed denial of service attacks; they're trying to transmit infected code to other machines. We're probably going to see less of those down the road -- instead, we'll see super-variants that are going to attack multiple vulnerabilities. Not only will they do distributed denial of service, but they're going to get into registries and look for passwords and credit card numbers. The danger of these super-variants is the highest area of concern. Someone is going to figure out how to couple four or five attack vectors and, in the process, grab credit card and Social Security numbers.
Q: How is M&T Bank dealing with security threats?
Speare: We've adopted a multifaceted defense. First, we've done a lot of work internally to make sure we can monitor for security. We've implemented technical solutions to monitor for attacks so you can start an incident response process as well as alert consumers. You want to be proactive in dealing with customers so they don't fall victim. Second, we proactively monitor and protect consumer information that we own and share with third parties.
We caught the Zotob virus because of intrusion detection systems. We're also proactive in patching, and we look for external warnings of an attack, such as spikes in Internet utilization and firewall drops of unauthorized packets.
Q: Has M&T been the target of any phishing attacks?
Speare: We have seen over the last year some not-very-good replicas of M&T Web sites. Originally, it was the very largest institutions that were getting hit -- Citibank, BofA, Wells Fargo -- but you could see it coming down the tier. We've had two phishing attacks in the last six months. One was after I signed a contract with Symantec [Cupertino, Calif.] for its Online Fraud Management Solution. Four days after I signed the contract, 15 million fake e-mails went out. The Fraud Management Solution blocked the vast majority of the fake e-mails, so a lot of people never got them. There's never been a successful attack against M&T.
Q: Why is phishing so prevalent?
Speare: The response to phishing attacks used to be that as soon as the e-mails went out, you would start the incident response process by taking down the fraudulent Web site. But the speed with which fraudsters can move operations from one Web site to another makes them harder to shut down.
Q: What are the details of your deal with Symantec?
Speare: We have partnered with Symantec to provide customer awareness training and free tools that examine whether customers' virus protection software is operating. We've also provided our customers with an online store where they can purchase Symantec's Internet Security 2005 product at a 20 percent discount.
Q: How do you block scams directed at employees?
Speare: Internally, we have a spam filter device within our e-mail gateway that's looking for spam and e-mail types that should never make it into the environment. We see a lot of these attacks emanating from Asia and Eastern Europe, so we block traffic from some of those areas. Even if you receive an e-mail, the link won't work.
Q: What are the core elements of your information security program?
Speare: First, for all software, whether it's acquired or built in-house, we have a security assessment program in place by which the software is inspected by either an external party or an internal security quality-assurance process. We've also implemented a Web application firewall from Teros [Sunnyvale, Calif.]. Over a short period of time, it learns what types of queries are acceptable for normal use and will break the connection for nonallowed queries.
Furthermore, we run host- and network-based intrusion prevention and detection systems. Should something become infected, there's a method of blocking it from infecting the internal network. We have a proactive patch management program. We're also strict about controlling and monitoring user access. We centrally provision, transfer and terminate access from one spot. When employees leave the organization, their access is terminated. Our data centers have ultra-high security. They have no visible markings, and getting into them requires going through physical security and access control measures.
Q: How can banks influence vendors to write more-secure code?
Speare: Most of the financial institutions that make large software purchases are in BITS [the Washington, D.C.-based technology research arm of the Financial Services Roundtable]. Collectively, we have to make a stand and say to vendors, "The onus is on you as a software provider to supply secure code." When we talk with our wallets collectively, then it will have an impact.
Q: What role does Microsoft (Redmond, Wash.) play in information security?
Speare: Microsoft will continue to run 98 percent of all desktop operating systems and, therefore, will continue to be the most exploited by malware. Many of us in the financial services industry have pushed Microsoft, through its chief security officer roundtables, to change the way it develops software, and it's been pretty responsive. The 2003 platform is much more secure than the NT Server platform, and the Windows XP Service Pack 2 is light years ahead of the NT Workstation.
Q: How large is your information security staff?
Speare: My group has 50 people. We spend 15 hours a week meeting with the corporate security and compliance groups to ensure we're all in lockstep. We're also involved with every technology project; you can't get access to a system unless you come through us. You need to be out there with application developers and with project management offices to make sure [information security] is plugged into the appropriate areas of the life cycle.
Q: Do you report to the CIO?
Speare: Yes, but our CIO, Michele Trolli, is different in that she runs technology plus back-office operations. I'm fortunate in that I report to a CIO who's also one of 12 executive VPs - she has the ability to influence all lines of business, and she reports to the COO. The ability to have your voice heard is more important than who you report to.
For specifics on how M&T is employing monitoring technology to mitigate security risks, see case study, page 56.