By Jeff Multz, Vice President, Dell SecureWorks
The following article originally ran as a feature in the July/August edition of The Texas Independent Banker Magazine.
Cybercriminals are out to get you. It sounds amazing, but hackers can easily sneak into a bank's website and network through Web pages that contain an open field, or boxes into which computer users type a username or password. Using Web application attacks, cybercriminals can steal funds, private information and entire databases from
Computer programmers create Web pages using
creating an application that works and getting it to the client as quickly as possible. So, if a bank wants a programmer to create an application that allows its clients to transfer money or write a check, programmers create the application as quickly as possible. And when the application works and online users find it easy to navigate, the bank and customers are happy. At least for a while.
Often, programmers either don't know how to write code securely or don't take the extra time to do so. Unless banks check the code with a security expert, they don't realize that the code may contain holes, or "vulnerabilities," which could allow intruders to hack the website and access files on its computer network.
While hackers use many methods to breach websites, one of the most popular methods is called "SQL injection." That is when a hacker injects malicious code into an open field.
For example, in the slot where someone should enter a username, a hacker could type in a code, something like "OR 1=1#." Once the hacker enters the malicious code, the hacker could acquire access to the administrative part of the bank's website, change the way the website looks and obtain access to any documents on the network. That might include company trade secrets, as well as clients' usernames, passwords, and bank account information.
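The following is an added illustration, not code from the article or from Dell SecureWorks, of why the "OR 1=1" string above works and what the fix looks like. It builds a constructed in-memory SQLite table with one account, runs a login check written the insecure way (pasting the user's input into the SQL text) beside the same check written with a parameterized query, and shows that the tautology input logs in as the first user only against the insecure version. SQLite treats `--` as the comment marker where MySQL also accepts `#`, so the sample input uses `--`; the table name, columns and account are assumptions made up for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: one account, stored in memory for the demo.

    A real system stores a password hash, never the password itself; plain
    text is used here only so the queries stay readable.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The user's input becomes part of the SQL text itself, so a quote
    # character in the input ends the string literal and the rest is parsed
    # as SQL. This is the defect SQL injection exploits.
    return (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    # Returns the matched (username, role) row, or None if no row matched.
    return conn.execute(build_vulnerable_query(username, password)).fetchone()


def login_safe(conn, username, password):
    # Parameterized query: the placeholders are bound by the driver, so the
    # input is always treated as data and can never change the query shape.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR 1=1 --"  # the article's "OR 1=1" idea, SQLite comment form
    print("query seen by the database:", build_vulnerable_query(tautology, "x"))
    print("vulnerable login with tautology:", login_vulnerable(conn, tautology, "x"))
    print("parameterized login with tautology:", login_safe(conn, tautology, "x"))
```

Printing the concatenated query is the quickest way to make a code reviewer see the problem: the `WHERE` clause reads `username = '' OR 1=1 --'...`, which is true for every row, and the comment marker discards the password check entirely. The parameterized version sends the same input as a bound value, the database looks for a user literally named `' OR 1=1 --`, and finds none.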
Many bank executives think that just because they are "Web compliant" their system is safe. Basically, compliance rules tell banks to be sure to lock the doors and windows of their website so no hacker can get in. But the rules don't show where the doors and windows are or how a business can lock them. And just because the doors are all locked one day, doesn't mean they remain locked 24x7x365.
While it's great to be "compliant," it doesn't ensure safety. Numerous financial institutions that have been compliant have been hacked, losing hundreds of millions and their good reputations. For their own safety, banks would be better off approaching security first and compliance second, because compliance will not necessarily keep a company secure. A good security consultant will automatically review the steps a company should take in order to be secure and
So what should an organization do to be secure? Plenty. Unfortunately, safety takes more than any one single layer of protection. A multi-layered approach to safety is the best way to keep criminals away so that they look for
The first thing banks should do is hire a security expert to review the source code for all the pages on its website. Each time the source code is changed to add a new feature to the website, a security expert should review
If a business does not have access to its source code, it should employ a security expert to try to break into the site using numerous hacking techniques. This is called "penetration testing" or "Web application reviews."
If any vulnerabilities are found, the code should be fixed as soon as possible. Additionally, a bank should install, maintain and continuously monitor a Web application firewall to prevent Web applications from being infiltrated while the code is being fixed or tested. A bank should also perform external Web application scanning on an ongoing basis, at least quarterly and every time it deploys new code.
Lastly, a bank should retain security experts to monitor its server and firewall logs 24x7x365, in real-time. If a bank has security professionals monitoring logs just a couple of times a day, by the time they see the malicious activity that has hit the website, the hacker likely has acquired access to the site's financial information and stolen the bank's crown jewels.
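To make the log-monitoring advice concrete, here is an added example (not from the article or from Dell SecureWorks) of the kind of check a monitoring team runs continuously over Web server access logs. It parses a few constructed log lines in the common Apache/nginx format, URL-decodes each request path, and flags requests whose query string carries the "OR 1=1" tautology or a quote followed by a SQL comment marker, the same pattern the article describes. The log lines, addresses and URL paths are made up for the example; a production monitor would feed a stream rather than a fixed string and would raise an alert on each hit.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2011:10:01:03 -0500] "GET /login?user=alice&pw=hunter2 HTTP/1.1" 200 512
10.0.0.9 - - [12/Jul/2011:10:01:07 -0500] "GET /login?user=%27+OR+1%3D1%23&pw=x HTTP/1.1" 200 9001
10.0.0.5 - - [12/Jul/2011:10:02:11 -0500] "GET /statements?acct=1234 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jul/2011:10:02:15 -0500] "GET /statements?acct=1234%27--&pw= HTTP/1.1" 500 0
"""

# Common log format: client ip, identd, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Indicators of the injection style discussed in the article. They are
# applied to the decoded path so percent-encoding does not hide them.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+\w+\s*=\s*\w+", re.IGNORECASE),  # ' OR 1=1
    re.compile(r"'\s*(--|#)"),                              # quote then SQL comment
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not well formed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(path):
    """True when the decoded request path matches an injection indicator."""
    decoded = unquote_plus(path)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def scan_log(text):
    """Return the parsed entries that look like injection attempts, in order."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry["path"]):
            entry["decoded_path"] = unquote_plus(entry["path"])
            hits.append(entry)
    return hits


def attempts_by_source(hits):
    """Count flagged requests per client address, useful for prioritising response."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['ts']} {h['ip']} status={h['status']} {h['decoded_path']}")
    print("attempts per source:", attempts_by_source(flagged))
```

Two details matter for a real deployment. Decoding before matching is essential, because the payload in the second line arrives as `%27+OR+1%3D1%23` and would slip past a pattern applied to the raw path. And the HTTP status is worth keeping in the alert: a 500 often means the injected input reached the database and broke the query, while a 200 with an unusually large response, as in the second sample line, may mean it succeeded.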
Jeff Multz is vice president of Dell SecureWorks, a market leading provider of world-class information security services worldwide, spanning North America, Latin America, Europe, the Middle East and the Pacific Rim. He is a former computer programmer for