Financial-services companies are ramping up efforts to protect themselves from hacking incidents, especially ensuring that software developers and business units take responsibility for building security into their applications.
The focus of application security is "evolving from the perimeter," said Wendy Walasek, VP at Morgan Stanley & Co., at the Cyber Security Executive Summit in New York Thursday. The company has taken a multifaceted approach to information security, including developing security "blueprints," providing developers with tools and services for information security, and training.
Information-security experts can help developers by pointing out potential vulnerabilities, such as exposure to an "SQL injection attack," said Walasek, referring to a form of attack that bypasses firewalls to steal information from a database or gain access to an organization's host systems.
The consciousness level of business users has been raised by the barrage of incidents involving lost and stolen data this year, as well as regulations such as Sarbanes-Oxley that stress the need for security access controls.
"Users are more accepting of the need to build security into applications," said Jennifer Bayuk, chief information security officer at Bear, Stearns & Co. Business users are consulting with information-security staff prior to launching IT projects, she said.
At Investors Bank and Trust Co., which administers $1.4 trillion in assets, all high-risk applications are subjected to tests called "ethical hacking attempts," said Kevin O'Neil, director of application security architecture. In addition, all source code is scanned for security flaws prior to being put into production.
Given the right tools and education, developers can easily build secure software that eliminates many vulnerabilities. The idea is to "engage developers by teaching them defensive security techniques," O'Neil said.
Web-facing applications make a particularly tempting target for hackers. Rather than penetrate perimeter defenses, attackers can, in effect, walk through the front door by taking advantage of weaknesses in the code used to authenticate users. On Monday, Symantec Corp. released its Internet Security Threat Report, covering the six-month period from Jan. 1 to June 30, 2005, which said that hackers are devising new methods of using malicious code to target desktops rather than enterprise perimeters. During the first half of 2005, malicious code that exposed confidential information represented 74% of the top 50 malicious code samples reported to Symantec, up from 54% in the previous six months.
Action also is being taken to stop phishing and pharming attacks, with which thieves trick consumers into disclosing access credentials such as user names and passwords. M&T Bank, a $52-billion asset institution, uses regular mail instead of E-mail to communicate with its online banking customers, said John Walp, VP of network security solutions. It's also experimenting with different techniques around spam filtering, he said.