
Financial Firms Declare War On Hacking

The focus is on eliminating vulnerabilities by building security into applications rather than relying on perimeter security tools.

Financial-services companies are ramping up efforts to protect themselves from hacking incidents, especially ensuring that software developers and business units take responsibility for building security into their applications.

The focus of application security is "evolving from the perimeter," said Wendy Walasek, VP at Morgan Stanley & Co., at the Cyber Security Executive Summit in New York Thursday. The company has taken a multifaceted approach to information security, including developing security "blueprints," providing developers with tools and services for information security, and training.

Information-security experts can help developers by pointing out potential vulnerabilities, such as exposure to an "SQL injection attack," said Walasek, referring to a form of attack that bypasses firewalls to steal information from a database or gain access to an organization's host systems.

The consciousness level of business users has been raised by the barrage of incidents involving lost and stolen data this year, as well as regulations such as Sarbanes-Oxley that stress the need for security access controls.

"Users are more accepting of the need to build security into applications," said Jennifer Bayuk, chief information security officer at Bear, Stearns & Co. Business users are consulting with information-security staff prior to launching IT projects, she said.

At Investors Bank and Trust Co., which administers $1.4 trillion in assets, all high-risk applications are subjected to tests called "ethical hacking attempts," said Kevin O'Neil, director of application security architecture. In addition, all source code is scanned for security flaws prior to being put into production.

Given the right tools and education, developers can easily build secure software that eliminates many vulnerabilities. The idea is to "engage developers by teaching them defensive security techniques," O'Neil said.

Web-facing applications make a particularly tempting target for hackers. Rather than penetrate perimeter defenses, attackers can, in effect, walk through the front door by taking advantage of weaknesses in the code used to authenticate users. On Monday, Symantec Corp. released its Internet Security Threat Report, covering the six-month period from Jan. 1 to June 30, 2005, which said that hackers are devising new methods of using malicious code to target desktops rather than enterprise perimeters. During the first half of 2005, malicious code that exposed confidential information represented 74% of the top 50 malicious code samples reported to Symantec, up from 54% in the previous six months.
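The SQL injection exposure Walasek describes and the authentication-code weakness mentioned above are the same defect seen from two angles: a login query built by string concatenation lets user input change the query's logic. The following is an added example, not code from the article or from any of the firms quoted; it constructs a throwaway in-memory SQLite table with an invented user row, shows the vulnerable login check beside its parameterized replacement, and adds a crude text scan of the kind a pre-production source-code check might run to flag string-built SQL. All names and values are constructed for illustration.

```python
import inspect
import re
import sqlite3


def make_db():
    """Constructed in-memory sample database with one invented account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # Builds the statement by concatenation: user input becomes part of the SQL text.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password_hash):
    # Parameterized query: the driver passes input as data, never as SQL text.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


# Crude static check: an SQL keyword on a line that also concatenates a string
# literal with '+'. Real scanners are far more thorough; this only shows the idea.
SQL_CONCAT = re.compile(r"""(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*['"]\s*\+""",
                        re.IGNORECASE)


def flag_string_built_sql(source):
    """Return 1-based line numbers in `source` that look like string-built SQL."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if SQL_CONCAT.search(line)]


def demo():
    """Run both login checks on a legitimate credential and on a constructed
    input that closes the quoted string; return the four outcomes."""
    conn = make_db()
    crafted = "' OR '1'='1"   # constructed input; closes the quote in the vulnerable query
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "hash-of-alice-pw"),
        "vulnerable_crafted": login_vulnerable(conn, "alice", crafted),
        "hardened_legit": login_hardened(conn, "alice", "hash-of-alice-pw"),
        "hardened_crafted": login_hardened(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
    print("flagged lines in login_vulnerable:",
          flag_string_built_sql(inspect.getsource(login_vulnerable)))
    print("flagged lines in login_hardened:",
          flag_string_built_sql(inspect.getsource(login_hardened)))
```

The vulnerable function accepts the crafted input because the concatenated text becomes `... AND password_hash = '' OR '1'='1'`, which is true for every row; the parameterized version compares the literal string and rejects it. The scan flags the concatenating line in `login_vulnerable` and nothing in `login_hardened`, which is the point of checking source before it reaches production rather than relying on a firewall in front of it.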

Action also is being taken to stop phishing and pharming attacks, with which thieves trick consumers into disclosing access credentials such as user names and passwords. M&T Bank, a $52-billion asset institution, uses regular mail instead of E-mail to communicate with its online banking customers, said John Walp, VP of network security solutions. It's also experimenting with different techniques around spam filtering, he said.
