Promising, enlightening and filled with opportunity, the Internet has also become the source of new dangers – spam, viruses, spyware and risky employee habits such as instant messenger and file sharing.
Today’s efforts to minimize Internet risk involve new tools and bank policies plus an awareness of the dangers lurking on the World Wide Web. The following describes several recent Internet threats and how your bank can protect itself:
Spyware
Spyware is perhaps the most intrusive risk on the Internet today. These programs can actually transmit your computer’s browser history and other personal information to a remote server. Spyware slips into your computer via Web sites, pop-up ads and downloaded pictures and programs.
While Microsoft has released many patches to guard against vulnerabilities in its dominant browser, Internet Explorer, new spyware that exploits different vulnerabilities seems to appear each week. Anti-virus vendors now detect current spyware, but other tools are also available to detect it. Here are a few ideas to stem the spyware tide:
• Web Filtering Policy – A Web-filtering policy can limit access to risky Internet resources. Consider blocking access to non-business Web sites such as shopping and news sites. Web filtering can also block access to dangerous file types, such as .cab and .exe files, which allow spyware to damage your institution’s computers. In the early days of the Web, we encouraged our employees to use the Internet during lunch and breaks. In today’s Internet environment, that might open the institution to too much risk.
Web filtering takes the approach that you can only go to pre-approved sites.
Also consider a default-deny policy for Web browsing. The underlying principle: it’s better to block first and ask questions later when the motive of a particular Web site is doubtful.
• Patch – New vulnerabilities emerge all the time, and even after a patch is available, spyware and virus authors can still make you a victim: malicious code released during the year following a patch announcement has infected millions of computers whose users failed to install the patch.
To ensure your machines are up to date on patches, consider an automated patch-management solution that enables your institution to test and deploy software updates in far less time than hand installation. These products also simplify rollbacks if something goes wrong and produce reports to prove patching activities to auditors. Among the top solutions are Patchlink, Symantec’s ON iPatch product and Marimba.
• Spyware Removers – Run legitimate spyware removers such as Ad-aware or Spybot regularly. Better yet, run more than one, as each program has its strengths. Treat these programs like your virus scanner by keeping them current. Also beware of low-quality programs that claim to remove spyware – often they install their own spyware instead!
Instant Messaging
America Online’s Instant Messenger isn’t just a teenage pastime anymore. It is enough a part of today’s office culture that the Federal Deposit Insurance Corp. (FDIC) has issued warnings about its use.
Instant messenger (IM) applications closely resemble conversation, enabling employees to maintain contact with multiple co-workers while performing other tasks. To accomplish this, IM applications connect users to a separate IM network. There, the user’s IM interactions are unbounded and unprotected, regardless of your institution’s restrictions on Internet usage.
Bank audit concerns include:
• Limited authentication since IM users can’t be sure who is responding to their messages.
• No centralized “buddy list” for the bank to authorize senders and receivers of instant messages.
• Marginal message encryption, so that anyone who can see the traffic can potentially read instant messages.
• Insecure file transfers that bypass all firewall or Web-filtering restrictions on content and open an unmonitored “back door” for viruses to infect your network.
• Insecure IM applications that can allow remote attackers to take over a personal computer behind a firewall.
Because IM networks are owned by third parties, your institution has no control over their structure or use. Their design emphasizes ease of use over security, leaving IM applications open to security issues, just like Web browsers.
In fairness, alternatives to the popular IM networks do exist. Unfortunately, the alternatives can cost more than $10,000 and may require expert implementation. The popular IM applications are free.
Your institution can help protect itself by implementing the following recommended practices:
Require employees to acknowledge receipt of a policy restricting public IM usage. Clearly stated policies effectively deter most employees who contemplate IM usage. Of course, bureaucratic solutions don’t deter everyone. Reliable technical measures (see below) further limit your institution’s exposure should employees ignore your policies.
Consider implementing an intrusion detection system to identify IM traffic, and assess the need for other IM security products. Managed network security providers such as COCC have implemented comprehensive intrusion detection systems that watch all traffic across the network and send real-time alerts to network and security staff, who can immediately notify the bank of policy violations. Intrusion detection software is available from Cisco Systems and Juniper Networks. A free “open source” product called Snort is worth consideration. Visit www.snort.org for more information.
Create rules to block IM delivery. Your firewall administrator or service provider should implement firewall rules to block access to known IM applications. Web-filtering techniques should also be used to block access to common IM Web sites to prevent users from downloading banned applications.
Blocking known firewall access points or “ports” isn’t enough. For example, if AOL’s IM detects that its standard communications port has been blocked, it will automatically seek alternate ports until it finds one that works. Here’s how this “tunneling” behavior can be stopped:
1. Configure your firewall to block all Internet access other than known services.
2. Block access to Internet servers associated with IM traffic.
3. Use a Web-filtering server to create a “tunneling” block list. While this solution is not perfect, it reduces the chance of connection to the outside.
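The port-seeking behaviour described above also leaves a trail that a defender can read. The following added Python example (not from the original article or from COCC) scans firewall deny-log lines and flags a workstation that is refused on one port and then tries several other ports on the same server within a short window, which is what a blocked IM client does when it hunts for an open port. The log format, addresses and the 5190 IM port in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample deny-log lines (not a real vendor format). Host 10.1.2.3 is
# blocked on the usual IM port and then tries other ports on the same server,
# the "seek an alternate port" behaviour described above; 10.1.2.9 is normal.
SAMPLE_LOG = """\
2004-03-02 09:15:01 DENY src=10.1.2.3 dst=192.0.2.10 dport=5190 proto=tcp
2004-03-02 09:15:02 DENY src=10.1.2.3 dst=192.0.2.10 dport=443 proto=tcp
2004-03-02 09:15:02 DENY src=10.1.2.3 dst=192.0.2.10 dport=80 proto=tcp
2004-03-02 09:15:03 DENY src=10.1.2.3 dst=192.0.2.10 dport=21 proto=tcp
2004-03-02 09:15:04 DENY src=10.1.2.3 dst=192.0.2.10 dport=25 proto=tcp
2004-03-02 09:15:05 DENY src=10.1.2.3 dst=192.0.2.10 dport=1080 proto=tcp
2004-03-02 09:20:00 DENY src=10.1.2.9 dst=198.51.100.7 dport=8080 proto=tcp
2004-03-02 09:20:30 DENY src=10.1.2.9 dst=198.51.100.7 dport=8443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=\S+$")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed DENY line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines the pattern does not understand
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["dport"]))

def find_port_hoppers(text, window_seconds=60, min_ports=4):
    """Return {(src, dst): sorted distinct denied ports} for every pair that was
    denied on at least min_ports distinct ports inside one window_seconds span."""
    attempts = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        attempts[(src, dst)].append((ts, dport))
    hoppers = {}
    for pair, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                hoppers[pair] = sorted({p for _, p in events})
                break
    return hoppers
```

Tune `window_seconds` and `min_ports` to your own firewall's logging rate; ordinary browsing to a single server rarely touches four distinct ports within a minute.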
Ensure a strong virus-protection program. Install a full virus-scanning solution for all incoming and outgoing e-mails on your network. Your institution should also run virus-protection software on every desktop and update it daily. Software patching, as recommended in the spyware section, is enormously helpful as well.
Peer-to-Peer File Sharing
Like IM applications, peer-to-peer file-sharing (P2P) networks have been available for some time, starting with the now-defunct Napster and continuing today with Kazaa, Gnutella and many more. These networks are decentralized file-sharing systems (hence the “peer-to-peer” moniker) that enable users to download from a vast pool of music, DVDs and programs. Users can also share their collections with others on the network.
Your bank should bar the use of these networks for the following reasons:
• Serious legal questions surround the sharing of copyrighted material on P2P networks. Employee downloads to and from a P2P network can open your institution to charges of copyright infringement. For example, the minimum fine for sharing a copyrighted movie is $30,000 per instance.
• Viruses often spread via P2P file shares. An innocent pop song download can easily hold something nasty.
• Many P2P applications automatically open the user’s entire hard drive for sharing on the network. This creates a huge risk that sensitive information on the user’s computer could be downloaded by anyone on the Internet.
• An employee might deliberately use P2P networks to circumvent your institution’s Web, e-mail and other access policies, again making sensitive information available for downloading.
• P2P applications generate large amounts of network traffic as they connect to other “peers” and perform file searches. This traffic can dramatically reduce your institution’s effective bandwidth, slowing more important functions such as teller transactions and report access.
• The “chat” functionality built into many of these P2P networks is susceptible to all of the IM risks listed above.
Setting aside the legal risks of file sharing, the technical and security consequences of allowing these programs should prevent your bank from using P2P. Many of the solutions to P2P risks are the same as the measures for IM, since P2P applications employ many of the same techniques. However, one factor cannot be overstated: employee education.
Education Is Your Friend
The days of innocently trying every new Internet feature are long gone. Yet our user population persists in behaviors that place too many banks at risk. When acquainted with the consequences of spyware, IM and P2P, staff members typically modify their Internet habits. That’s the beauty of education.
Technical barriers to viruses and other Internet risks are far less effective than educated users who pay attention to their actions. An integral part of your bank’s Internet usage policies and technical infrastructure upgrades should be ongoing education on best practices. Smart users reduce Internet worries.
For additional information on these and other topics, please consult the following Web sites:
While it’s not possible to completely eliminate your institution’s exposure to spyware, IM and P2P, these and other preventive measures can effectively protect you and your staff. Among the other measures available to banks are personal firewalls, desktop security and additional Web-filtering techniques.
Joe Lockwood is chief technology officer of COCC Inc.