<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Lithik Systems &#187; security</title>
	<atom:link href="http://www.lithik.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lithik.com</link>
	<description>Transforming businesses by bending technology to the will of our clients</description>
	<lastBuildDate>Thu, 26 Jan 2012 15:28:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Creating Good Passwords</title>
		<link>http://www.lithik.com/2009/08/04/creating-good-passwords/</link>
		<comments>http://www.lithik.com/2009/08/04/creating-good-passwords/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 16:35:37 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[good password]]></category>
		<category><![CDATA[good passwords]]></category>
		<category><![CDATA[guess]]></category>
		<category><![CDATA[length]]></category>
		<category><![CDATA[memorable]]></category>
		<category><![CDATA[pass phrase]]></category>
		<category><![CDATA[passphrase]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[rainbow tables]]></category>
		<category><![CDATA[scope]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sentence]]></category>

		<guid isPermaLink="false">http://www.lithik.com/?p=299</guid>
		<description><![CDATA[The keys to good password hygiene are: Making them hard to guess, Never writing them down, Limiting the scope of passwords, and Limiting the ability of an attacker to make repeated guesses. Password Complexity A recent study on password memorability and security uncovered two surprising results: The most important factor in the security of passwords [...]]]></description>
			<content:encoded><![CDATA[<p>The keys to good password hygiene are:</p>
<ul>
<li>Making them hard to guess,</li>
<li>Never writing them down,</li>
<li>Limiting the scope of passwords, and</li>
<li>Limiting the ability of an attacker to make repeated guesses.</li>
</ul>
<h2>Password Complexity</h2>
<p>A study of password memorability and security (Yan, Blackwell, Anderson and Grant, “Password Memorability and Security: Empirical Results,” IEEE Security &amp; Privacy, 2004) uncovered two results that surprise most people:<br />
<span id="more-299"></span></p>
<ul>
<li>The most important factor in the security of passwords is compliance: users do not follow password advice unless technical controls enforce it.</li>
<li>So-called “passphrase” passwords, built from a sentence the user chooses, are as hard to crack as completely random passwords, yet are no more difficult to remember than any other user-chosen password.</li>
</ul>
<p>Good passwords (those least vulnerable to cracking) use the full range of allowable characters (capital and lower case letters, digits and symbols) and are long enough to push a cracker past its dictionary and pattern-based guessing into its slowest technique, exhaustive “brute force” search.</p>
<h2>Memorable Passwords</h2>
<p>Passphrase passwords meet both requirements. To create one, choose a memorable sentence and make it your password. Windows allows spaces in passwords and treats punctuation such as “!” as a special character, so setting your password to “I love the Buckeyes!” meets the Windows password complexity requirement, gives you a password 20 characters long, and declares your allegiance just as well as “goBUCKS!” without falling to a password cracker in the first two seconds.</p>
<p>If your system limits you to relatively short passwords (say, 8 or 10 characters), or if you are a two-finger typist, take a simple sentence, assemble the first letter of each word (as with an acronym), keeping the capitalization and punctuation, then modify the result slightly with digits or special characters. For example, the phrase “Obama declares nuclear war; details at 11” might be entered as “Odnw;d@11”, which looks like a random password yet is easy to remember. Similarly, “It’s noon and I am hungry” could be typed as “It’s12&amp;Iah.” Unlike random passwords, mnemonic passwords of this style are no harder to memorize than ordinary user-chosen ones. Use a sentence of your own rather than a well-known quotation, song lyric or slogan: crackers keep dictionaries of the mnemonics people build from famous phrases.</p>
<h2>Length is Key</h2>
<p>The power tools used by the bad guys can make quick work of password hash files these days, but choosing a password at least 15 or 16 characters long can move the advantage back to your side.</p>
<p><a href="http://en.wikipedia.org/wiki/Rainbow_table">Rainbow tables</a> are precomputed lookup structures that recover almost any password up to the length limit of the table in a very short time. They work only against hash schemes with no per-password salt, which unfortunately includes both Windows password hashes. Since the tables grow exponentially with password length, there are probably few or no rainbow tables (yet!) for passwords longer than 15 or 16 characters.</p>
<p>Windows has traditionally stored two hashes of each password. The older <a href="http://en.wikipedia.org/wiki/LM_hash">LAN Manager (LM) hash</a> upper-cases the password, truncates it to 14 characters and splits it into two 7-character halves that are hashed independently, so a cracker such as <a href="http://en.wikipedia.org/wiki/John_the_Ripper">John the Ripper</a>, which historically went after the LM hash first, never has to search more than seven case-insensitive characters at a time. Windows stores no LM hash at all for a password of 15 characters or more, which forces the attacker onto the NT hash: MD4 over the full, case-sensitive password. MD4 is itself very fast, so the NT hash is not slower to attack per guess; it is harder because the whole password must be searched at once instead of two short halves. Knowing this, you can make the bad guy’s job a whole lot harder by <a href="http://support.microsoft.com/?kbid=299656">not storing the LAN Manager hash of your password</a> in the first place, whatever its length.</p>
<h2>Password Scope and Availability</h2>
<p>Even with an excellent password, however, an attacker can still break in if he has the opportunity (and patience) to make a hundred billion guesses at your password. It is also critically important to:</p>
<ol>
<li>Limit the number of failed password attempts, or at least limit the rate, and</li>
<li>Log repeated failures so that action can be taken.</li>
</ol>
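<p>The two controls above, as an added example in Python (my code, not the post’s; the thresholds, the account and address values and the event format are assumptions): a per-account throttle that locks the account after repeated failures and records every attempt, plus a pass over the recorded events that spots one source failing against many accounts, the spraying pattern that a per-account lockout alone never catches.</p>

```python
from collections import deque


class LoginThrottle:
    """Per-account failure counting with lockout, plus an audit trail.

    Assumed policy: lock an account after max_failures failed attempts inside
    window seconds, for lockout seconds. Keyed by account rather than source
    address, because attackers spread guesses over many addresses; the
    trade-off (an attacker can lock a victim out) is why the lockout is short
    and every event is recorded.
    """

    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> unix time the lockout ends
        self.events = []         # audit trail: tuples a log collector would ingest

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account, source, password_ok, now):
        """Process one login attempt; True only when it is allowed and correct."""
        if self.is_locked(account, now):
            # Reject even a correct password, so the lockout gives nothing away.
            self.events.append(("rejected_locked", account, source, now))
            return False
        if password_ok:
            self._failures.pop(account, None)
            self.events.append(("success", account, source, now))
            return True
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        self.events.append(("failure", account, source, now, len(recent)))
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self.events.append(("lockout", account, source, now))
        return False


def spray_sources(events, min_accounts=3):
    """Source addresses whose failures touched at least min_accounts different
    accounts. One guess per account never trips a per-account lockout, so this
    pattern is visible only because the failures were logged and reviewed."""
    accounts_by_source = {}
    for ev in events:
        if ev[0] == "failure":
            _, account, source = ev[:3]
            accounts_by_source.setdefault(source, set()).add(account)
    return sorted(src for src, accts in accounts_by_source.items()
                  if len(accts) >= min_accounts)


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, window=600, lockout=900)
    for i in range(3):
        t.attempt("foxk", "203.0.113.5", False, 1000 + i)
    print("locked:", t.is_locked("foxk", 1003))
    for user in ("alice", "bob", "carol"):
        t.attempt(user, "198.51.100.9", False, 2000)
    print("spraying sources:", spray_sources(t.events))
```

<p>The throttle answers the first item (a hard cap plus a cooling-off period), and the event list answers the second: shipped to a log collector, it is what lets someone notice that 198.51.100.9 is working through the user list one password at a time.</p>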
<p>Similarly, choosing excellent passwords has little value if you use the same password for your business VPN and your Facebook or Amazon account. A hacker who gets hold of Amazon’s account database is very quickly going to check whether the user foxk@lithik.com with the password H@rd2gess has VPN access to lithik.com as user foxk with the same password. This type of attack is easily automated across thousands of stolen passwords.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2009/08/04/creating-good-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are You Safe? How Do You Know?</title>
		<link>http://www.lithik.com/2006/11/08/are-you-safe-how-do-you-know/</link>
		<comments>http://www.lithik.com/2006/11/08/are-you-safe-how-do-you-know/#comments</comments>
		<pubDate>Thu, 09 Nov 2006 02:12:11 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[IT staff]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[safe]]></category>
		<category><![CDATA[safety]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security audit]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=83</guid>
		<description><![CDATA[When I was very young, I had a recurring nightmare about a giant. It was huge, terrifying and very, very real. In the last moment of the dream I would look out the window and see him right in front of our house, then I’d wake up shaking and in a cold sweat. Whenever I [...]]]></description>
			<content:encoded><![CDATA[<p>When I was very young, I had a recurring nightmare about a giant. It was huge, terrifying and very, very real. In the last moment of the dream I would look out the window and see him right in front of our house, then I’d wake up shaking and in a cold sweat.</p>
<p>Whenever I asked my father, he assured me that we were safe, as any good father would. My dad was a doctor, a Lieutenant in the Korean War, surviving a shrapnel hit in the back from a mortar round. He is also very smart and shrewd, having made more money from investing than he ever did as a doctor. So when he told me I was safe, I believed him. Kids need to hear that they are safe. It was not until I was an adult with children of my own, though, that I understood that when he said I was safe, he was able to back it up.<br />
<span id="more-83"></span><br />
In today’s world, everyone wants to hear that your bank is safe. Directors, officers, shareholders, customers, staff members, and yes, bank examiners all want to know: Are you safe? In his book <em>Good to Great</em>, Jim Collins lists <em>Face the Brutal Facts</em> as one of the keys to business success. But far too often business people put blind faith in reports about their organization’s safety without performing the due diligence necessary to ensure that those making the claims are able to back them up.</p>
<h3>The Best Defense is a Good Offense</h3>
<p>Soon after the Sarbanes-Oxley act went into effect, I read dozens of articles predicting the demise of many small companies about to be drowned by the costs of compliance. Most companies approached compliance as an expense, spending as little as possible in an effort to just get by. But in the last year or two a new approach has emerged, with many companies going right past mere regulatory compliance, redesigning their management systems and Information Technology (IT) departments to align with best practices. In doing so they achieved not only compliance, but also significant operational efficiency and competitive advantage delivered by the new, streamlined structures and processes.</p>
<p>I’m sure you already know that the best way to deal with an IT auditor is to be prepared. When he walks in the door, you already know what he’s going to ask and how you’ll respond. “Are you secure?” You’ll answer, “Yes.” “How do you know?” You’ll pull out your policies, risk assessment, network diagram and inventory, plus any reports you might have from your penetration tester, independent IT security audit, event log analysis or managed security services provider (MSSP). He’ll thumb through them, slowly nod his head and say, “I concur,” then head off to the nearby diner for some homemade pie.</p>
<p>Wouldn’t that be nice! A year ago, you may actually have gotten that response. But as Bob Dylan sings, “The times they are a-changin’.”</p>
<p>Today your auditor is apt to instead spread out the mass of documentation you’ve given him, say, “Log me on as administrator,” and proceed to spot-check dozens of the data points presented in your reports. But he won’t stop there; he has his own checklist, and if he finds gaps in your reports, you could be in trouble. And if your reports say you’ve got the firewall configured properly but his testing shows no limits on outbound traffic, you can be sure your score will suffer.</p>
<h3>Doing Your Due Diligence</h3>
<p>Nobody expects a banking decision-maker to understand network security details, yet you’re required by law to protect sensitive information and bound to shareholders to spend your security dollars effectively and wisely. Here are some common sense tools to help you answer the question: Are we safe?</p>
<p><strong>Get an independent IT security audit.</strong> IT regulations are all about security, not just IT, so hire a firm with real security credentials and experience, not just accounting and financial auditing credentials or Windows or networking expertise. Many IT folks and nearly all non-technical people operate under the misconception that, since computer and network security is technical, their regular technical people should be able to handle it. This is rarely true. Training for security work heads off in completely different directions than training for IT operations, and the result is a different way of thinking. The goal of IT is to provide usability. The goal of security is to defend against breaches and information loss.</p>
<p><strong>Set up a security monitoring and reporting system.</strong> Competent security systems should produce understandable reports on your security stance every month that can be reviewed by executive staff. Make sure that the covered items align with and are prioritized according to your regulatory body’s guidelines. Like nearly all areas of business, you need to keep score.</p>
<p><strong>Streamline your architecture.</strong> Simple architectures are the easiest to secure and to keep secure. Complexity and “security by obscurity” hamper not only the hacker, but the security maintainer and IT operations staff as well. Build simplicity and uniformity into your information systems by centralizing management and technical controls. Use automation to eliminate tedious and error prone tasks such as log file reviews, patch management and software installation.</p>
<p><strong>Drive down operational costs.</strong> Use your scorecard reporting system and your newly streamlined architecture to focus on priorities and automate operations. Your staff’s and consultants’ time is too valuable to be spent driving between branches, poring through firewall logs, or dashing from desktop to desktop installing software from CDs, rebooting machines or running Windows Update. Keep them doing the things that make a real impact on your bottom line.</p>
<p>Good security is no longer just about spending money because of legal mandates. It’s also about building a better and more intelligent business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2006/11/08/are-you-safe-how-do-you-know/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Wanna be Famous?  or, How to Avoid Becoming the Victim of a Security Breach</title>
		<link>http://www.lithik.com/2006/08/30/wanna-be-famous-how-to-avoid-becoming-the-victim-of-a-security-breach/</link>
		<comments>http://www.lithik.com/2006/08/30/wanna-be-famous-how-to-avoid-becoming-the-victim-of-a-security-breach/#comments</comments>
		<pubDate>Thu, 31 Aug 2006 02:07:43 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[black market]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[confidential information]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security design]]></category>
		<category><![CDATA[security strategy]]></category>
		<category><![CDATA[trust]]></category>
		<category><![CDATA[vigilance]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=78</guid>
		<description><![CDATA[All I know is just what I read in the papers, and that’s an alibi for my ignorance.             — Will Rogers There it is. Front page. Headline. Someone else has now achieved his or her 15 minutes of fame that will unfortunately become a career-defining moment. And not in a good way. Who has not [...]]]></description>
			<content:encoded><![CDATA[<p><em>All I know is just what I read in the papers, and that’s an alibi for my ignorance.</em> <br />
<em>           — Will Rogers</em></p>
<p>There it is. Front page. Headline. Someone else has now achieved his or her 15 minutes of fame that will unfortunately become a career-defining moment. And not in a good way. Who has not read about the latest case of identity theft in the papers and wondered what really happened? Every article starts the same way: a bold headline that grabs the reader’s attention, the exaggerated surprise of those charged with safeguarding the identities that were stolen, the claims that security was and continues to be a high priority, and the all-important expression of dismay and disbelief at how such an incident could possibly have occurred. Of course, investigations are being conducted, and it will take some time before the full extent of the damage is known, not to mention the cause.</p>
<p>This organization is now in a serious public relations quagmire. Their hired PR guns weigh in next, firing phrases like “compromised information” in place of the more condemning “stolen customer identities”. Updates will be issued, still with no real information as to how the breach actually occurred or who was really responsible, since after all, that is confidential information that could disrupt the ongoing investigation. And you’ll never see a follow-up that doesn’t contain the assurance that “every effort is always made to protect customer (or alumni or patient) information.”<br />
<span id="more-78"></span><br />
Finally, a low level staffer will be selected and offered up as scapegoat, accompanied by assurances that those who remain employed were pure as the driven snow. Then as soon as the wriggling sacrificial victim is out the door, everyone in charge breathes a heavy sigh of relief.</p>
<p>As a security professional connected with other security professionals, I would find the unending march of these articles funny if not for the real pain, suffering and economic hardship it means for the actual human beings who now have their social security numbers and mother’s maiden names up for sale on some black market auction site. My only intent in adding humor to the following categorizations of poorly implemented security strategies is to make them memorable and to hopefully spawn a lively discussion within your organization. Let me also say that I fully understand what a difficult task it is to design a plan that meets investor, board, customer and staff expectations. That said, let’s have a bit of a chuckle at our own expense (for any similarities however oblique) and then discuss a few steps that can actually make a difference for your customers.</p>
<p><strong>The Cuban Missile Crisis Strategy:</strong> I’m sorry to say that I am old enough to remember the emergency drills in elementary school where we put our heads between our knees with our hands on our heads, and knelt under our steel and wood desks. This, we were told, would protect us best in the case of nuclear attack. Unfortunately, many published stories of security breaches contain the same kind of naive thinking, most commonly involving the assumption that a simple firewall will protect me from the hacker holocaust that is currently mushrooming just over the horizon. <br />
<strong>Underlying problem:</strong> Way too much faith in protection systems that are way too weak.</p>
<p><strong>The Invisible Man Strategy:</strong> Because of the highly automated nature of attacks that search out cracks in security perimeters, even the smallest organizations located far from the big city are being regularly tested by criminals. According to the March 1, 2006 issue of Personal Computer World, there is a 40% chance of infection with malicious code during the first 10 minutes of connecting a PC to a broadband connection, and a 94% chance of infection within one hour. When you connect your business to the Internet, you are no longer in a small town; you are on the busiest street in the world. You cannot be invisible in today’s interconnected world. <br />
<strong>Underlying problem:</strong> The invalid assumption that the networked world mirrors the physical world.</p>
<p><strong>The Wizard of Oz Strategy:</strong> This has to do with the show of security without the substance. In the current regulatory environment, this strategy can be unintentionally adopted as an organization tries to look secure without taking the steps that make them actually secure. If you expect your visitors to be impressed by explosions of flame and a huge talking head suspended in space, know that the savvy ones know to look behind the curtain. <br />
<strong>Underlying problem:</strong> Hackers don’t care how impressive your security looks. Their automated systems are programmed to locate and exploit a specific weakness, and if you have that weakness, you will be penetrated.</p>
<p><strong>The Sackcloth and Ashes Strategy:</strong> As its name implies, this strategy relies on effective rhetorical skills after the building has burned to the ground. Well-crafted apology letters and press releases sometimes do convince the customer, alumni or patient that the organization really is going to work even harder at securing their records. There may even be free identity theft insurance offered as proof of the organization’s deep regret. But the information is still out there running free; the real damage is already done. <br />
<strong>Underlying problem:</strong> Ponemon Institute in their 2005 Privacy Trust Survey for Online Banking found that even a single privacy breach would cause 57% of customers to take their business to a competitor despite a high level of trust in their current bank. This is a very expensive strategy.</p>
<p><strong>O Woe is Me! Is There Any Hope?</strong> Yes, there is; there is a lot you can do, and it may be easier and less expensive than you might think. The following steps will do wonders for your organization’s security health by driving out the above failed strategies.</p>
<ul>
<li>Understand and acknowledge that security design is not something that should be attempted by people who are not trained and experienced in, well, security design. Unless you are a Fortune 1000 company, you are extremely unlikely to have that level of expertise on your payroll, and your whole company is at risk.</li>
<li>Given the previous issue, everyone needs to agree that “jobs are not on the line” if a security auditor finds a problem. If you don’t articulate this clearly and convincingly, you will have staffers working at keeping their jobs rather than helping to find the truth about your security stance.</li>
<li>You trust your bookkeeper and yet you hire an auditor to examine your financial systems. Similarly, go ahead and trust your IT staff, but hire a third party to perform a security audit on your policies, network and systems. And don’t waste your time with penetration tests until you’ve first done the hard work of auditing followed by mitigation of any uncovered weaknesses. What you don’t know can indeed kill you.</li>
<li>Understand that good security is a constantly shifting target. Good management requires facing the brutal facts, and the facts about security in today’s world are as brutal as they come. At the board level, acknowledge that having solid security is a moving target that requires a proactive, ongoing approach. Auditing your systems once a year is a good idea, but it won’t keep you or your board out of the papers. That new e-mail server your security consultant just blessed might have its gates locked tight today, but the vulnerability Microsoft discloses with next Tuesday’s patch could well fling them wide open.</li>
<li>Good security absolutely requires constant vigilance. Once you’ve fixed all your security issues, you must constantly watch, measure and report on your security posture; think of it as a continuous security audit. And don’t expect one magic box to do the trick; security is a varied and constantly changing landscape that requires ongoing awareness of several different areas, and box or software solutions usually only address one or two. Instead, deploy a system of countermeasures that provides ongoing awareness of key security metrics and adds new ones as the need arises. Imagine for a moment what would happen to the profitability of the company if there were no daily, weekly or monthly statistics or reports from which to manage between annual audits. The fact that security risks change even more frequently and abruptly than business risks should carry great weight.</li>
<li>Prepare for the worst. Although this may sound pessimistic, so does your disaster recovery plan. You really do not want to have to decide in the heat of battle what actions to take should the unthinkable occur. Remember that when you speak to the press, they will quote the most memorable thing you say, not the most intelligent. Name a spokesperson and adopt a policy requiring everybody else to defer to her. Do not just voluntarily hand them your head on a platter.</li>
</ul>
<p>Take these steps, then go back to conducting the business that earns your daily bread with the confidence that you have done all that is reasonably within your power in adopting a strong security posture.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2006/08/30/wanna-be-famous-how-to-avoid-becoming-the-victim-of-a-security-breach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>“This is a Cyber-Stickup”—A CEO Briefing on CyberCrime</title>
		<link>http://www.lithik.com/2006/05/18/this-is-a-cyber-stickup-a-ceo-briefing-on-cybercrime/</link>
		<comments>http://www.lithik.com/2006/05/18/this-is-a-cyber-stickup-a-ceo-briefing-on-cybercrime/#comments</comments>
		<pubDate>Fri, 19 May 2006 02:01:38 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[owned]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=70</guid>
		<description><![CDATA[A Day in the Life of a Hacker Although the weather was rainy and bleak in Sofia, Bulgaria, Yevgeny had a spring in his step as he quietly slipped up the stairs to an almost empty room above the Onda coffee shop with its valuable wireless Internet connection. He would have to wait to get [...]]]></description>
			<content:encoded><![CDATA[<p><strong>A Day in the Life of a Hacker</strong></p>
<p><em>Although the weather was rainy and bleak in Sofia, Bulgaria, Yevgeny had a spring in his step as he quietly slipped up the stairs to an almost empty room above the Onda coffee shop with its valuable wireless Internet connection. He would have to wait to get his morning “Americano” coffee until he checked on the state of his “import/export” business. Sure enough, his e-mail contained an anonymous order for up to 250,000 “dolls” and an additional order for as many “cribs” as he could obtain.</em></p>
<p><em>Yevgeny had spent the last several days improving his software to assure a targeted, automated, consistent flow of inventory that would have a much lower percentage of “damage” as he euphemistically called it. He had developed quite a reputation for delivering reliable goods to buyers who had customers waiting to fully exploit what he sold. Yevgeny always chuckled at the use of dolls and cribs as descriptions of compromised user accounts and servers. It made him feel like the 007 that he had seen in American movies. It certainly didn’t hurt with his friends who viewed him as a very worldly, successful man. Why, this month he was on pace to make $600, three times the income of the average Bulgarian. With his new scripts, he would not only double his income, but he would begin to initiate his plan to advertise for some “entrepreneurial software engineers” to enlarge his one-man shop. Within a year his dream of a 1600 square foot, palatial luxury apartment in the Lozenets district would be realized, making him neighbors with American diplomats and foreign business executives. It would be a nice change from his 350 square foot apartment.</em><br />
<span id="more-70"></span><br />
<em>With a sudden lunge for his keyboard, Yevgeny jerked himself from such unprofitable dreaming. Now to check inventory. Indeed, it had been a good night’s work as his newly refined little software servant had performed wonders. Just look at all of those bank account numbers and passwords, too! And the best part was that most of them were from smaller companies without the resources to track him, although as a Bulgarian, he couldn’t care less. Not only would he fill all of his standing orders, he also had a bit left over to develop new buyers. Tonight he would have to join his friends at Chervilo for their customary night of celebration. As he lit his imported Marlboro, all he could think was, “God bless America, mother of opportunity!”</em></p>
<p>Does this read like a dime store novel? Perhaps, but this is the state of cybercrime in 2006.</p>
<h3>A short “Hacker History”</h3>
<p>One of the first widely publicized network security scanners was SATAN, released in 1995 by Dan Farmer and Wietse Venema. A port scanner is a tool used by network administrators and hackers alike for examining a system or network in depth, reporting on the services provided by each machine and revealing potential weaknesses. SATAN, short for “Security Administrator Tool for Analyzing Networks”, was widely reviled in the press ostensibly because of its purpose, but also because of the nefarious use its name implied. At the time I was a co-founder of Morning Star Technologies, where we were just beginning to experiment with possible applications of our newly invented Dynamic Firewall technology. In response to the buzz about SATAN, we wrote a rule that would detect port scans, tested it internally, and deployed it on our corporate firewall. Finally, after waiting a couple of weeks, one of our support staff came running into my office saying, “Look at the firewall logs!” Sure enough, the rule had detected and shut down access to someone probing our network.</p>
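<p>As an added illustration of what such a rule looks for (my Python, not the Morning Star firewall rule, which the post does not show), here is the simplest form of port-scan detection: flag a source that touches many distinct ports on one host within a short window, while leaving alone a client that keeps retrying a single service. The log lines, their format and the addresses are constructed for the example.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic; the format is an
# assumption): "<date> <time> DROP <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2006-05-18 09:00:01 DROP 198.51.100.23:40001 -> 192.0.2.10:21
2006-05-18 09:00:01 DROP 198.51.100.23:40002 -> 192.0.2.10:22
2006-05-18 09:00:02 DROP 198.51.100.23:40003 -> 192.0.2.10:23
2006-05-18 09:00:02 DROP 198.51.100.23:40004 -> 192.0.2.10:25
2006-05-18 09:00:03 DROP 198.51.100.23:40005 -> 192.0.2.10:80
2006-05-18 09:00:03 DROP 198.51.100.23:40006 -> 192.0.2.10:110
2006-05-18 09:00:04 DROP 198.51.100.23:40007 -> 192.0.2.10:143
2006-05-18 09:00:04 DROP 198.51.100.23:40008 -> 192.0.2.10:443
2006-05-18 09:00:05 DROP 198.51.100.23:40009 -> 192.0.2.10:445
2006-05-18 09:00:05 DROP 198.51.100.23:40010 -> 192.0.2.10:3389
2006-05-18 09:00:07 DROP 203.0.113.7:51000 -> 192.0.2.10:25
2006-05-18 09:05:07 DROP 203.0.113.7:51001 -> 192.0.2.10:25
2006-05-18 09:10:07 DROP 203.0.113.7:51002 -> 192.0.2.10:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for every line matching the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["dport"]))


def detect_scanners(text, min_ports=8, window=timedelta(seconds=60)):
    """Return {source: most distinct ports it touched on one host within window}
    for every source reaching min_ports. A client that keeps retrying a single
    service counts as one port and is never flagged."""
    per_pair = defaultdict(list)  # (src, dst) -> [(ts, dport), ...] in log order
    for ts, src, dst, dport in parse_log(text):
        per_pair[(src, dst)].append((ts, dport))
    flagged = {}
    for (src, _dst), hits in per_pair.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past old entries
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG).items():
        print(f"port scan from {src}: {n} distinct ports inside the window")
```

<p>On the sample, 198.51.100.23 is reported with ten ports in four seconds and 203.0.113.7, which only retries port 25 every five minutes, is not. Threshold and window are the knobs; a real rule also has to tolerate things like a monitoring host that legitimately polls many services.</p>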
<p>In 2001, I was testing my brand new cable modem connection with my brand new laptop and preparing to install my brand new firewall. Within a few seconds of connecting the cable modem to the laptop’s Ethernet port, my personal firewall displayed a pop-up window telling me that someone was trying to get into my computer. Closing the pop-up, I went back to work, but was interrupted again by another pop-up. And another. And another, every ten or fifteen seconds, until I disconnected the network cable and configured the firewall to ignore all inbound connection attempts.</p>
<p>These two stories illustrate basic differences between Internet security in its early days versus what we’ve seen in recent years. In SATAN’s day the Internet was still a friendly place, where probes against your firewall were probably just a system administrator with time on his hands trying out the latest network diagnostic program. His motivation? Curiosity. That, and the love of seeing a cool tool “work.” Was he a criminal? Probably not, although his ethics could certainly be questioned. The nearly continuous attacks back in 2001 were a completely different story; those probes were probably still individuals, but they had different goals. They wanted to break into my machine, to “own” it, to completely control it.</p>
<p>Were they criminals? Absolutely. But they were still loners, hackers working on their own, using the latest automated tools to search through huge numbers of Internet-attached computers, trying to find the ones that exhibited the specific weakness that they were looking for. Then they’d take the list of vulnerable computers their scanner had harvested and, one by one, they’d apply a specially crafted program called an “exploit” that knew exactly how to turn that weakness into total access.</p>
<p>Once they owned the machines, they’d use them for a variety of purposes. One important use was to help them cover their tracks. Rather than attacking a target directly from their own computer, they’d use one of their “owned” systems as a relay. Or two. Or more likely, twenty-five or fifty. Another use was to express their displeasure with whatever organization they currently had a beef with, be it Microsoft, the White House or their least favorite spammer. Sometimes all they’d do is deface the victim’s web site. But a more satisfyingly destructive strategy was to direct dozens or even hundreds of owned machines to send a continual stream of inquiries to the victim’s web server, flooding it so thoroughly that it would be unable to process legitimate requests.</p>
<p>But nearly every purpose was personal in some way—something that helped them hack other systems, something that made them feel better, or something that allowed them to express themselves or gave them bragging rights among their fellow hackers. There were a few professionals, stealing credit card numbers or transferring money from a victim’s account into theirs, but most were amateurs, doing it for the love of the game.</p>
<h3>A Critical Turning Point—Viruses and Worms</h3>
<p>Independent of this initial community of vandals that acquired the title “hacker,” certain programmers began developing viruses and worms that they would release into “the wild,” again, just for the sport of seeing them run. An incredible amount of damage was done because their experiments were just too successful, replicating at such prodigious rates that it often took whole teams of IT staffers to extinguish the virtual flame fronts roaring through corporate networks. Again, the authors were motivated almost exclusively by personal pride in having done something “big.” The 1999 Melissa virus appeared to have had no purpose other than propagation and fame. The Code Red worm of 2001 defaced Microsoft IIS web servers and then launched denial of service attacks against the White House and other sites. The Slammer worm of 1993 infected most of its 75,000 victims in a single ten-minute period, but performed no actions other than spreading rapidly. It did that exceptionally well, overwhelming hundreds of major backbone connections and essentially performing a denial of service attack on the entire Internet. These were all criminal activities, to be sure, but they were the work of vandals, not thieves.</p>
<p>But the potential of this new technology did not go unnoticed by the rest of the criminal world.</p>
<h3>A Change in the Basic Nature of Attacks</h3>
<p>Symantec provides an amazingly valuable service to the entire IT and security world by publishing its Symantec Internet Security Threat Report twice a year. This voluminous document draws from an immense volume of security data Symantec collects, providing analysis of past events and predictions of what to expect in the future. Let’s look at some of the trends:</p>
<h4>Financial Services Targeted</h4>
<p>Prior to 2005, attack victims appeared to be randomly chosen. Attacked and penetrated systems were more or less evenly distributed over all sites, from business to education to personal systems. But in the first half of 2005, Financial Services organizations leaped to third place, and by the second half of the year held first place by a commanding margin. Why? Because “that’s where the money is.”</p>
<p>The core focus of most profit-based attacks is the acquisition of information. Today’s most popular malware programs are those that allow attackers to record keystrokes, steal passwords, and download files from the compromised host. Theft of account names and passwords leads to theft from on-line financial accounts; theft of credit card information leads to fraudulent charges; theft of client account information leads to identity theft. 2005 saw the percentage of threats that targeted confidential information rise from 54% of all attacks to 80%.</p>
<h4>Attack Code Exhibits Greater Maturity</h4>
<p>Much of today’s malicious code is purposely designed to be small, with limited functionality. Once entrenched, however, the latest versions of these “bots” (short for robots) download additional modules that enhance their abilities in various ways. These include updating to later versions to overcome defenses recently developed by the security industry, or responding to detected local security software by installing weapons designed to overcome the discovered defenses. Many newer bots are employing a technique referred to by the press as a “rootkit” that allows the malicious software to make itself undetectable by virus scanners or other security software running on the same machine. Bots can also download components that refit the compromised machine to accomplish specific roles, as would be required when the machine’s “owner” sells it to another criminal for a specific purpose such as hosting Denial of Service attacks, Spam forwarding, keystroke logging, adware installation, or stealing confidential data. Over the course of 2005, this type of exploit rose from 63% to 88% of all malicious code.</p>
<h4>Attack Code Gains Commercial Status</h4>
<p>Information on discovered vulnerabilities is increasingly being sold, often to the highest bidder on eBay-like black market sites. In 2003, only a small handful of vulnerabilities were sold privately instead of being released to the public. In 2005, that number had increased to well over 100. As organized crime increasingly recognizes the economic value of unpublished vulnerabilities, they will exploit those weaknesses and sell the know-how to others who will do the same. Meanwhile software publishers are increasingly left in the dark about security flaws in their products, discovering them only when security companies catch viruses and worms in the act of penetrating customer systems. This time gap between hacker discovery and software vendor (e.g. Microsoft) discovery creates a huge window of opportunity for exploitation and makes it increasingly difficult for businesses to defend against newly developed attacks.</p>
<h3>In the End It <em>Is</em> About One Simple Thing</h3>
<p>Just imagine: in the past 20-25 years the act of hacking has “progressed” from an exercise of the curious, to an act of a maladjusted “geek,” to an exploit of a privateer, to a highly organized business run by big crime. The truth is that Yevgeny in the opening story is far outnumbered by the Russian mafia and by crime syndicates in China, Bulgaria, North Korea and other places where western law enforcement cannot protect your ability to safely conduct business. And why would they not operate this way? It is efficient, clean, and highly profitable, with very little possibility of being caught and prosecuted. And with the “no boundaries” nature of the Internet, it is very possible to rob a small bank in Ohio for far more than the typical armed bank robber carries out the door. And the worst part of it is, you never see the gun or their face or a withdrawal slip when these 21st century criminals transfer money from your bank accounts into theirs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2006/05/18/this-is-a-cyber-stickup-a-ceo-briefing-on-cybercrime/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Protecting Online Accounts Through Strong Security Principles</title>
		<link>http://www.lithik.com/2006/01/02/protecting-online-accounts-through-strong-security-principles/</link>
		<comments>http://www.lithik.com/2006/01/02/protecting-online-accounts-through-strong-security-principles/#comments</comments>
		<pubDate>Tue, 03 Jan 2006 01:22:04 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[money]]></category>
		<category><![CDATA[online]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security principles]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=52</guid>
		<description><![CDATA[Online Attacks are in the News You’ve read the articles—my favorite is the one about the business owner who was logged on to his corporate online brokerage account when he noticed the balance suddenly change. While he watched, somebody systematically wired all his company’s funds to a number of offshore banks. The brokerage washed their [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Online Attacks are in the News</strong></p>
<p>You’ve read the articles—my favorite is the one about the business owner who was logged on to his corporate online brokerage account when he noticed the balance suddenly change. While he watched, somebody systematically wired all his company’s funds to a number of offshore banks. The brokerage washed their hands of the whole affair, pointing to their standard disclaimer signed by each client, which states that keeping passwords secure is the customer’s responsibility.</p>
<p>Well, they’re right—it is certainly the customer’s responsibility to practice good password hygiene. But just as the owner of an unfenced swimming pool is responsible for injuries sustained by youthful trespassers under “attractive nuisance” laws, surely the brokerage firm bears some responsibility for failing to design adequate security into their systems.<br />
<span id="more-52"></span><br />
Adequate security? This was one of the top brokerage houses in the nation! Yet total access to client resources was protected by a single user-chosen password and nothing else. Not only that, every newly created client account came <em>by default</em> with the ability to perform wire transfers. Convenient, to be sure—convenient for the account holder and convenient for the brokerage firm, but supremely convenient for the hacker.</p>
<p>We have all heard for years about Internet security, protecting ourselves from hackers with firewalls, intrusion prevention systems and other expensive and complicated systems. But more and more security failures these days occur outside the data center. Today’s most popular attacks are aimed not at the well-defended bank security perimeter, but directly at your customers, breaking into their personal computers or fooling them into willingly handing over their online account passwords.</p>
<h3>How Attackers Think</h3>
<p>What is a hacker looking for when he breaks into a banking customer account? Well, as Willie Sutton said, “That’s where the money is.” But it’s more than that; otherwise Fort Knox would be the most attacked place around. He wants a target that is likely to yield to his efforts. He wants to get away without getting caught. And he wants to average significantly better than minimum wage.</p>
<p>There are still attackers around who do it for the thrill and for bragging rights with their friends, but the majority of breaches these days are done by organized professionals plying their trade. Like any entrepreneurial thinker out there, they look for large, untapped markets that can be addressed using available tools. When it comes to online systems, that means gaining access credentials to a large number of online accounts from which entire balances can be quickly extracted.</p>
<p>An attacker of online banking systems, therefore, has two main goals: gaining access to the client account, and extracting money from it. Stopping either goal protects the customer’s money.</p>
<h3>How Hackers Steal Your Money</h3>
<p>Of the two hacker goals, withdrawing funds is both easier to understand and easier to secure, since the design of the banking web site is, theoretically, completely under the bank’s control. Take this simple test: take a tour through your online account, clicking your way through every menu, option and link you can find, and keeping track of actions that could be used to move money out of the account. If the site is well designed, the resulting list will be short. If the site is really well designed, each such action will have special conditions or extra authentication steps standing guard. The attacker is not interested in moving money from savings to checking, or in sending the gas company an extra $100, because these actions do nothing to accomplish his goals. Having a bank check written and waiting at the front desk is risky, because the teller will want to see a picture ID that matches his face as well as the name on the account, and even a forged driver’s license will not help if the teller happens to know the account holder. Note the obvious advantage here to community banks.</p>
<p>As I step through the online site for my own bank account, one vulnerability I see is the ability to create a new bill payee and have a check mailed. An attacker could create a bogus payee name and address; he could use the account holder’s own name along with a P.O. box; or, he could send it to an unsuspecting local resident, following the mailman down the street two days later and snatching the check from the mailbox.</p>
<h3>How Hackers Get In</h3>
<p>This is where we enter the more traditional realm of security design: the world of passwords, encryption, certificates and protocols. Hackers understand the technology side all too well, and to thwart them, we must, too. Let’s look at some of the methods they use to gain access to client accounts.</p>
<h4>Keystroke Loggers</h4>
<p>Hackers use e-mail viruses and attacks embedded in web sites to break into Windows computers. One popular program they install is called a keystroke logger, so-called because it secretly records every keystroke typed by the computer owner. The program then sends the recorded keystrokes to the hacker, who extracts the login credentials needed to break into the online account.</p>
<h4>Phishing Attacks</h4>
<p>Phishing is the process of broadcasting e-mail messages far and wide designed to look like official correspondence from the recipient’s bank or other vendor of online services. The attacker hopes that the customer will be fooled into following a web link in the message that leads to an equally official-looking web site. Although the web site looks like the real thing, all it does is collect the user’s login and password.</p>
<h4>Pharming Attacks</h4>
<p>Pharming is the process of illegitimately taking control of someone else’s Internet domain name. This means that when any of your customers tries to visit your online banking site by typing in the site name or clicking on their bookmark for it, the browser will display the hacker’s web site instead of yours. Just as with phishing attacks, the pharming hacker can make his web site look just like the real thing, but now he can harvest passwords and clean out client accounts in even greater bulk. Even worse, he could mount a man-in-the-middle attack, setting up his server as a sort of secret go-between, passing messages back and forth from the user to the bank and vice-versa. Everything would appear normal to the user, yet the hacker would be watching and recording every bit of data that passes through its hands.</p>
<h3>Applying Principle-Based Security</h3>
<p>You, as a banker, have the power to minimize the impact of even these kinds of attacks by employing principles of good security design. The right approach starts by looking top-down—by starting with general principles and then developing specific tactical approaches.</p>
<p>I use the following four basic principles as a basis for approaching every information security issue.</p>
<h4>Be Prepared</h4>
<p>My Boy Scout training taught me this well—if you think ahead and prepare for any situation, or at least the most likely ones, your level of performance when under attack will soar. Thoroughness is key here; risk analysis tools go a long way toward making sure you have met “due care” requirements. A risk or threat matrix can help you enumerate the various kinds of threats facing your information systems, understand the business impact of those threats, and plan how to respond. If the brokerage company had been well prepared, they would have researched best practices in protecting online accounts rather than just doing what other large companies do.</p>
<h4>Minimum Exposure</h4>
<p>Everyone else calls this “Least Privilege,” but I believe Minimum Exposure is a clearer expression of the concept of removing seldom needed capabilities, especially risky activities. If the brokerage firm had applied the principle of Minimum Exposure, they would have turned on wire capability only on an as-needed basis rather than enabling it on every new account. At the very minimum, such a request should elicit a verifying phone call from the broker to the account holder.</p>
<h4>Constant Vigilance</h4>
<p>It’s no good building the perfect fortress if nobody takes notice when the barbarians start tunneling under your beautiful stone walls. Safes and vaults are not given ratings such as “impenetrable,” “super-tough” or “not that great,” but are rated by the number of hours you can expect them to stand up to attack by a well-equipped professional. Just as physical security requires alarms and video monitoring to back up physical barriers, information defenses must be monitored and alarmed for failures and persistent attacks if you want them to actually prevent intrusions rather than merely slow them down.</p>
<h4>Defense in Depth</h4>
<p>NASA does it. The military does it. Football teams do it. Layers of defense, backups on your backups, are immensely more reliable than a single seemingly impenetrable Maginot Line. Layers are also a great place to inject variety, which means added complexity as well as effort and time to the hacker’s job. Layers tend to come in nice budget-friendly sizes, allowing you to gradually improve your systems by adding more depth.</p>
<p>My broker (yes, the same one referred to above) is now practicing Defense in Depth by requiring a signed document or an in-person visit before allowing wire transfers to international destinations. That makes me wonder about their claim in the story that they were not at fault. But they still have a ways to go—it looks like their lawyers are making as many security decisions as their security designers are. Their answer to securing domestic wire transfers is a new three-step click-through agreement whereby the account holder agrees that the checkboxes are the legal equivalent of my signature. I feel certain that absolutely any hacker would gladly accept such an agreement on my behalf.</p>
<p>These general principles are the foundation of security design. As we seek to apply them to our online banking scenario, more specific goals start to become clear. What is the purpose of an online account? Is it to completely replace all interaction with the financial services company? Or would most customers be satisfied as long as they could perform their everyday tasks online? Whatever we do, we need to do something to make it much, much harder for hackers to steal money. The easiest way is to add required steps that can’t be performed via the Internet. This leads us to our first application-specific principle.</p>
<h4>Reduce or remove the ability to defeat the system using only Internet-based attacks</h4>
<p>Think of all those techniques your bank uses to secure transactions with your customers. You don’t honor a check without a signature. A teller doesn’t hand cash across the counter without seeing a picture ID that authenticates the person to the account. Those are good principles; don’t ignore them when designing your online systems just because technology is involved. Moving the riskiest actions (which are often also the least used) out of the reach of long-distance attackers applies the principle of Minimum Exposure such that security is dramatically improved.</p>
<p>At first glance, it would seem that removing a customer’s ability to add a new online bill-pay destination would be a crippling inconvenience. So come up with ways to make it less inconvenient. Start an aggressive campaign to sign up local companies to populate your site’s list of pre-approved vendors. Go ahead and give your customers the same new company online form they have now, but add an approval process that involves having a human give it a sanity check.</p>
<p>“That’s great,” you say, “but it makes my skin crawl to think that hackers can still easily get into my customers’ accounts. What if I missed something?” Let’s apply our principles to the problem of protecting the account authentication process. The first thing we notice is that we’re usually dealing with security on a PC in a customer’s home. Advantage: hacker. Let’s take the advantage back.</p>
<h4>Prefer methods that do not require secure customer computer systems</h4>
<p>If you think it’s hard to secure your bank’s internal systems, imagine the impossibility of ensuring the security of your customers’ systems. And if you’ve had a hard time training your internal staff to understand and implement good security practices, think what it would take to do the same with your clients. “Idiot-proof” solutions aren’t solutions for idiots—they’re well designed systems that can operate in uncontrolled environments.</p>
<p>Minimum Exposure would tell us to find tools that are, again, out of the reach of hackers. Examine the ways their most popular attacks work, then add layers of defense specifically targeting those attacks.</p>
<h3>Defending Yourself</h3>
<p>Pharming has earned a lot of doom and gloom comments in the press recently because of its ability to redirect every single one of your online customers to a hacker site rather than only those who are gullible enough to click through a phishing attack message. However, the news is really not all that bad. The fact that a site has been pharmed is instantly detectable by monitoring equipment, allowing you to employ the principle of Constant Vigilance by taking immediate corrective action.</p>
<p>Passwords are a relatively weak authentication technique in our context, mostly because there are so many ways to intercept or otherwise obtain them from afar. A technique known as two-factor authentication combines something you know with something you have: the “something you know” is a password or PIN, and the “something you have” is an item that is difficult or impossible for the hacker to obtain remotely. Online banks in northern Europe have used two-factor authentication for over a decade, without a single published breach. Two very effective such technologies are client-side SSL certificates and security tokens. These technologies are not 100% foolproof, but they are both far more effective defenses against pharming, phishing and keystroke logger attacks than passwords alone.</p>
<p>Another remarkably effective countermeasure against phishing attacks is to simply assure your clients that your bank will never, ever, use e-mail to inform them of security problems, and that all such messages should be interpreted as attacks, no matter how real they might appear to be. Repeat this warning each time the user logs in to the real online banking site.</p>
<p>There are a number of other defenses that are commercially available or that could be developed, but the ones mentioned here are the most commonly known or the most appropriate for online banking.</p>
<h3>Take Action</h3>
<p>Research by The Gartner Group shows that 58 percent of people who shop, bank or pay bills online say they are very concerned about the security of their online information. They have good reason for concern; the U.S. Department of the Treasury recently reported that, in 2004, “proceeds from cybercrime were greater than proceeds from the sale of illegal drugs.” They added that, “Cybercrime is moving at such a high speed that law enforcement cannot catch up with it.” The public recognizes this, and is reluctant to trust their hard-earned cash to an industry that can’t seem to keep out of the news. Gartner says that only 22 percent of consumers believe that their banks are extremely competent in protecting their information.</p>
<p>That doesn’t have to be the case. Technologies are available that can dramatically improve the security of typical online banking sites. Fear mongering by journalists and security writers and a lack of action by online providers have done a lot of damage that needs to be undone.</p>
<p>Examine your own web site, or hire a competent analyst to do a vulnerability analysis. Apply the principle of Minimum Exposure to move the riskiest activities back into the physical realm where they can be more easily controlled. Employ the principle of Constant Vigilance to ensure that your organization will respond quickly and appropriately when attacks occur. Then add Defense in Depth by improving client authentication security beyond a simple password. Be Prepared for the coming onslaught.</p>
<p>Studies consistently show that people would switch banks to obtain better online security. Take these simple steps to lock down your online systems. Then talk up your new security in your advertising. Your new customers will love you for it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2006/01/02/protecting-online-accounts-through-strong-security-principles/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

