Pirate's cove

Are you afraid of cockroaches crawling into your pants as you sleep? What about creepy creatures invading cyber heaven? Sean Hallahan thinks you probably should be.

A number of stories appeared in the national press earlier this year claiming that major banks had been held to ransom and forced to pay out millions of pounds to IT hackers. According to security experts, many of those stories were grossly exaggerated.

Nevertheless, there is growing concern among some IT security experts that the rise of PC networks, the Internet and intranets may make financial institutions vulnerable to outside interference.

Some of the dangers were outlined to representatives of the financial community by a series of speakers at a conference organised by ICL. One of the speakers, Keith Osborne, principal IT security consultant at ICL, says: 'Security will become the single dominant IT issue in the financial services sector and threats to IT will continue to grow.'

By and large, the well-established financial mainframe systems have a high level of security control. Financial institutions were among the earliest users of mainframes. Companies such as ICL and IBM have had 30 years to build on security procedures.

IBM's resource access control facility (RACF) offers a high level of security control to mainframe users. RACF runs under the MVS and VM operating systems and authorises access to minidisks, data sets and other resources.

It also logs unauthorised access and any attempt to access protected data sets.

RACF is rated a B1 classified product by the US Department of Defense.

B1 is the highest commercial classification attainable and anything with a higher rating is considered a weapons-grade system.

IBM has another product, Net SP, for its AIX, Dos and OS/2 operating systems, which allows access to RACF. According to the Handbook of IBM Terminology, produced by UK consultancy firm Xephon, IBM is touting the Net SP Secured Network Gateway on an RS/6000 as enabling corporate users to set up a firewall between the corporate systems and the cyberpirates who infest the Internet - allegedly.

The majority of other mainframe players active in the financial sector, such as ICL, Unisys and Tandem, have similar security products designed to protect their customers. But, while mainframe users have a measure of security, new services such as online banking via the Internet and the vulnerable PC networks face the greatest risk from intrusive outsiders.

One of the major problems faced by IT security advisers is that all major companies try to hush up any breach in their security. They reason, and not without justification, that to admit that an outsider has managed to penetrate their fortress would invite copycats to attempt the same.

According to Tom Parker, an ICL fellow specialising in security, the UK government is currently engaged in a process of encouraging industries to report security breaches to provide better statistical analysis of the problem.

Parker outlined at the conference a number of examples of how the banking world could be at risk from Internet intruders. Software bugs could be sent via email and determined hackers could also eavesdrop on internal email systems. Other hackers could use a password sniffer, which is software designed to capture the password of a legitimate user and so break into closed files.

Other speakers at the conference cited examples from outside the financial services division of supposedly secure institutions that are vulnerable to attack from external sources. David Lacey, security adviser at Shell International Petroleum, told the conference that, according to figures from the US Department of Defense, their computers were attacked 250,000 times in 1995 and that 65 per cent of those attacks were successful.

More alarmingly, Lacey said that only one in every 150 of the attacks were detected and reported. With respect to his own industrial sector, Lacey said there was a growing concern about security. 'Many years ago we thought it would be impossible to take out the Shell Centre, but it is possible these days,' he says. 'One of the industry fears is that there will not be enough security professionals to go round in a few years' time.'

There are signs that the Government is aware and concerned about the danger of IT security breaches to industry and that in some cases fears over the security of systems acts as a block to electronic commerce. Lack of security can be an inhibitor to business.

There is a perception that getting on the Internet can cause real problems, says Nigel Hickson, head of commercial IT security at the Department of Trade and Industry.

According to The Information Security Breaches Survey 1996, about 90 per cent of the 660 organisations that responded to the questionnaire recorded at least one security breach. But the report is very broad in its definition of security breaches.

For example, 49 per cent reported that their systems were physically breached because of computer failure and 48 per cent of respondents reported their systems were physically breached because of power failure. The report notes that viruses are the main cause of security breaches.

The average cost of security breaches was about £16,000, with the most expensive being a £750,000 theft and a £650,000 fraud. The report also reveals that 59 per cent of financial institutions are likely to have formal incident reporting procedures in place.

A representative for certification body ITSEC confessed that it had little knowledge about incidents of security breaches in the financial sector.

'It is difficult to say exactly how many breaches there have been because there is a tendency not to talk about them. We have not really had much take-up from the financial sector, particularly the banks.'

The ITSEC certification process, which is carried out by five of the country's largest software suppliers, is the software equivalent of the sort of stress testing carried out by manufacturers of vehicles and aeroplanes. There are six levels of evaluation and the process can be initiated by the software developer or the customer incorporating new software into its system.

Next year the British Standards Institution will release a code of practice for information security management, the BS7799, which will suggest over 100 different security codes. But, according to Hickson, 10 of them are critical and the most important of all is to establish a security policy from the top down.

It is likely that banks already have security policies in place and that they are rigorously policed. Those financial institutions that are suspicious of the security on the Internet may soon find that their fears are groundless.

Earlier this year, the US government agreed to allow Barclays Bank to import encryption tools that enable electronic trading over the Internet in a secure environment. Barclays will be the first European bank to use 128-bit key encryption technology.

According to Parker, even a 75-bit key encryption tool would cost nearly £200 million for an outsider to crack. Of the cases reported in the security report, the average estimated cost of hacking was about £7,000 and the highest was about £50,000.

The subject of security procedures is one that banking and other financial institutions take very seriously. Most will have large IT departments that carry out software testing, networking and hardware before any system is installed and ready to go live. Even so, many can still experience problems with security.

Theft of machines or chips in machines is a major problem for many companies and banks are no exception. Last year Barclays Bank had two of its branches broken into and valuable chips removed from the systems.

At one of the branches in London's East End, £35,000 of chips were removed by the thieves.

One of the greatest threats to security comes not from external unauthorised access to systems, but from employees of an institution. Password protection, while being nominally secure, can be a problem.

At one small Nat West branch in the South East, one manager had 12 different passwords for different parts of the system which were changed monthly.

In most cases, it is impossible to memorise that many passwords and the temptation to write them down where they can be seen by others is great.

Products like Computer Associates' Unicenter system control software have introduced single sign-on solutions, where only one password is needed to access different applications.

There is no doubt that the financial institutions take security very seriously, but so do those who wish to break into the systems. While mainframe systems may be fully secure, more and more institutions are turning over to Open Systems and Unix where security is virtually non-existent.

Security experts recommend that IT security be controlled by senior management and not just left in the hands of the IT department. It is a policy worth adopting, particularly with the increasing pace of technology being developed, and as new systems and processes come on the market.