Network Security ResearchPaper

8/7/2019 Network Security ResearchPaper

1/28

Network Security 1

NETWORK SECURITY IN FINANCIAL SERVICES INDUSTRY

Network Security in Financial Services Industry

By

Roger G. Barr

Masters of Information Technology, American Intercontinental University

Bachelor of Visual Communications, American Intercontinental University

Associate of Arts Business Administration, American Intercontinental University


2/28

Network Security 2

Abstract

Security has always been a big problem with all types of organizations large and small. The big

reason for so much concern is that large amounts of data are transmitted on a daily basis, a lot of

this data is critical to the organization that is transmitting it. The types of data that are transmitted

can also be critical to the organizations clients, such data like social security numbers, credit card

information, license numbers and more. This type of data getting into the wrong hands can be

harmful to not only the client, but also to the organization. This paper discusses how

organizations prevent data from getting into the wrong hands. This paper covers these problems,

and also the direction network security in financial services will take in the future.


3/28

Network Security 3

Network Security in Financial Services Industry

Table of Contents

Cover Page...........................1

Abstract....................................................................................................................................................2

Table of Contents ............................................................................................................................4

Chapter 1: Introduction5

Introduction to Network Security in the Financial Services Industry5

Summary of Chapter 16

Chapter 2: Review of Literature

Literature Review7

Network Usage and Attacks7

Data Breach Cases...9

Financial Data Risks12

Regulatory Guidance...13

Network Security Attacks14

OSI Architecture..17

Chapter 3: Methodology

Methodology of Network Security in The financial Industry .....................................................20

Chapter 4: Data Analysis

Summary Future direction of Financial Security in the Financial Services

Industry21

Chapter 5: Summary, Conclusion, Recommendation

Summary of Chapters..22

Conclusion.......21

Recommendation.22

Reference 24


4/28

Network Security 4

Appendix.....25

Narrative..26

List of Tables and Figures27


5/28

Network Security 5

Chapter 1

Introduction

One of the biggest problems that still haunt organizations today is network security. Not

only is the threat of viruses on everyones minds, there is also the question of what would happen

if critical data got into the wrong hands? It is bad enough if this happened on a personal level, on

your home PC. Now look at the bigger picture, what if this happens at a financial firm such as

banks or other lending institutions? Well this has happened and it continues to happen today.

What are financial institutions doing to alleviate this problem, and how will network security

play a role in prevention of this in the future? Networks large and small are being attacked from

the outside and from within, this can happen from Trojans to employees stealing information

from within. According to Ciampa (2005) more than 85,000 computer viruses were active as of

that date, and 956 new viruses were released as of 2004, one out of every three computers linked

to the internet has a Trojan, these type of attacks are not only launched against personal

computers, they are also launched against large networks. There have been numerous researches

done in network security in the results in the form of articles and books. The real question has to

be answered here, and this will be specific to the financial services part of network security

because this research is specific to this part of network security.

Problem Statement: How will network security help financial institutes protect personal

data, both today and in the future from breaches of security into their networks?

Scope: This research paper will target network security in financial systems service, this

is a quantitate approach to network security in financial institutes.


6/28

Network Security 6

Limitation of the Study: This Research is limited to a collection of data from other

sources as well as personal knowledge of network security.

Summary of Chapter 1

This paper covers network security in financial systems and covers research that has been

conducted in this field both present and past and what still has to be done in the future to

alleviate the problems of data loss or destruction from outside sources. This paper presents data

in a quantitative approach, but is specific to the financial networks. This paper also has diagrams

that shop that help to explain and back-up the research done in this paper.


7/28

Network Security 7

Chapter 2

Literature Review

Network Usage and Attacks

In this review we start narrow and then work our way up to the major point of issue at

hand. In an article on (Build4U, 2010) the author states that every minute your computer is

connected to the internet, either through dial-up, cable, DSL or broadband service your computer

is at risk, this is a very true statement and this statement also includes networks. Today there are

over 259.9 million users on the internet as shown in figure 1 below. Chart is taken from (Internet

World Stats, 2010).

Figure 1


8/28

Network Security 8

Network security attacks can happen at any time whether it is day or night, these attacks

can come in different forms. The author also states that ignoring these threats can cost you

thousands. This also holds true to financial organizations because they have the key to peoples

personal data such as social security numbers, license numbers, phone numbers and much more.

In this day and age people can do their banking online, banks have websites that you can start a

bank account on or check your personal funds. It is very easy for a hacker to use tools to track

your network footsteps, meaning track what keys you press on your keyboard and by doing so

they have your bank account. This is bad news for the person whom just had their account stolen,

or all the information in their account, because other information like your social security

number can be used for other malicious purposes. This is also bad news for the financial

institution because they have to go through the financial burden of trying to find out who breach

their system and your account, and find ways to make their system more secure.

Hackers can even use a personal computer that belongs to someone else as what is called

a zombie, with this zombie thy can launch attacks against any computer and high profile

computer systems such as financial institutions, BuildWeb4U (2010). Standard security measures

are not enough, it is not enough just to have virus protection, and it does not protect a network

against direct attacks. Anytime a computer is always on the internet such as in the case of

broadband and cable or DSL connections, you have a greater chance of your network being

breached.


9/28

Network Security 9

Data Breach Cases

In an article by (Freshfields, Bruckhaus & Deringer, 2008), the authors state that data

security is a major priority. This article shows how important financial security is all over the

world; this article is about financial security in the United Kingdom. This article mentions the

abbreviations (FSA) which stands for Financial Services Authority which oversees the financial

services in the United Kingdom. This article is also a measure of how far and how important

financial security is. This article talks about the increasingly complicated methods now are

employed by fraudsters in obtaining, and using customer data to commit financial crimes,

Freshfields, Bruckhaus & Deringer, (2008).

The article talks about financial institutions in the past that have lost customer data and

found themselves in trouble with facing regulatory actions, and monetary loss due to the

commission of identifying frauds, as mentioned earlier in my paper. This also exposes financial

institutions to reputational damage because of their lack of responsiveness to network security.

One of the problems with financial institutions is there is a lack of regulatory action, so financial

institutions do not take the problem as serious as they should. One of the biggest motivations to a

financial organization should be their reputation, because they stand to lose not only customer

accounts, but they also stand to lose commercial accounts which can be very devastating to a

financial institution.

This article by (Freshfields, Bruckhaus & Deringer, 2008) gives real cases of a financial

institute that did not take the proper measures to protect client information. The first case is with

an organization called Capita. Capita is a third party administrator for collective investment

schemes and was responsible for maintaining client records, they were in charge of carrying out

their clients instructions of purchasing and the repurchase of investments.


10/28

Network Security 10

Capita discovered they had problems with actual attempted frauds against clients these

frauds had been carried out by some of its own staff. The FSA in March 2006 found Capita did

not undertake an adequate assessment of its fraud risk, especially when it came to internal fraud,

and they found that Capita did not have adequate steps to that it had effective controls to reduce

the risk of fraud, Freshfields, Bruckhaus & Deringer, (2008).

Another case that FSA reported was in February 2007, when National Building Society

was fined by the FSA for failing to have effective systems and controls for the use of storage of

customer information on portable storage devices. This came to light following a laptop being

stolen from a National employees home in 2006. FSA found that Nationwide did not have

adequate procedures to respond to data security incident once it had occurred. Nationwide was

not aware that the laptop contained confidential customer information; they made the mistake of

not starting an investigation until three weeks later.

In April 2008, the FSAs financial crime and intelligence division came out with a report

describing how financial services firms within the UK are failing to address the risk that their

data may be lost or stolen and may as a result be used to commit financial crimes, Freshfields,

Bruckhaus & Deringer, (2008). The reports sets out the findings of a review of industry practices

and standards in managing risk of data loss or even the theft by employees and third party

suppliers, this is not just happening in the UK, it is also very much alive here in the United

States, the very same thing happens in all major countries that use financial systems networks.


11/28

Network Security 11

Figure 2

Chart by Roger G. Barr, Information from (Jenkins, G., 2009)

This chart is information from (Jenkins, G. 2009) a website called (IveBeenMugged)

the stats show that in 2008, 2.4% of all breaches involved data where encryption or strong

protective measures were in place. 8.5 percent involved password protection, malware attacks,

hacking, and insider theft accounted for nearly 30 percent of breaches that cited a cause, stated

by the ITRC. Insider theft doubled between 2007 and 2008, they accounted for 15.7 percent of

the4 breaches, Jenkins (2009).

To find the statistics by state the ITRC has a website that lists them state by state,

http://www.idtheftcenter.org/ITRC%20Breach%20Report%202010.pdf.

ITRC 2008 Data Breach Statitics

Strong Potective Measures

Password Protection

Malware, Hacking

Insider Attacks


12/28

Network Security 12

Financial Data Risks

In an article by (Corbin, K., 2010) called Database Security Lacking at Financial Services

Firms the author states that sloppy operating practices across financial services sector leave

firms venerable to breaches that could expose sensitive data or put customers and employees

privacy at risk, according to a new study from the Ponemon Institute. This study was

commissioned by enterprise software and consulting firm called Compuware (NASDAQ,

CPWR), they identified several key areas where financial services companies could take hits or

damage to the company from loose data policies that were demonstrated in their study. Larry

Ponemon, the head of the Ponemon Institute said that While there is a great deal of progress

being made, there is still a long way to go. A survey at 80 large financial firms of their top

security officials found that 83 percent use real data, which is credit card or account numbers,

when developing and testing applications, Corbin, K., 2010. The conclusion of this survey was

that Ponemon found that a majority of the firms that were surveyed do not take sufficient steps to

safeguard these types of information.

The author states that one of the most important things a company can do is to assure their

future success is to plug their security leaks that were identified in this study. Every day you can

measure the risks that take place with the financial industry as far as network security is

concerned, you read about it and hear about it almost on a daily basis. The latest warnings comes

amid a growing wave of data breaches that have targeted not only financial institutes but

universities and insurance firms and others, Corbin, K., 2010.


13/28

Network Security 13

In this study only 47 percent of the companies said that they have deployed intrusion

detection systems, while 56 percent stated that they have implemented identity compliance

procedures. Similarly 41 percent of financial houses said they have deployed data loss prevention

technologies. Not protecting customer or client data becomes a public relations nightmare that

invariably follows high profile data breaches, Corbin, K., 2010. Financial institutes also face

falling out of compliance with government regulations; financial institutes should have their

customers best interest in mind by safeguarding customer data.

The survey canvassed financial firms with at least 500 employees that are based in North

America, but operate globally, this included banking, investment, insurance, credit card and

mortgage firms, Corbin, K., 2010.

Regulatory Guidance

In this article by (LeDuc, S., 2005) She states that the Federal banking regulatory agencies

issued an Interagency Guidance Program for Unauthorized Access to Customers Information

and Customers Notice. This guidance interprets 501(b) of the Gramm-Leach-Bliley Act

(GLBA) as well as the security guidelines 1 issued by the Federal banking regulatory agencies,

LeDuc (2005). This guidance addresses procedures that need to be used by financial institutions

in order to respond to unauthorized access to or use of customer information by third parties.

The regulatory agencies expect banks to implement these guidance steps right away

whether they are a small or large banking institution. The guidance states that if sensitive bank

customer information is stolen or illegally accessed, the bank is required to first notify its


14/28

Network Security 14

primary regulator then if certain conditions exist the bank needs to notify affected customers,

LeDuc, S (2005)

Network Security Attacks

Banks and all other financial institutions work off of networks whether it is wired or

wireless, in banks computers are often left on so that they are ready for use the next day, this

goes back to what I said earlier in this paper about computers and networks that are online all the

time become very vulnerable. In a Book called Security+ Guide to Network Security

Fundamentals (2

nd

Ed) by (Ciampa, M., 2005) Ciampa states that An attacker who can access

the internal network directly through the cable plant has effectively bypassed the network

security perimeter and can launch his attacks at will. This statement is actually frightening,

because hackers can to this to get into financial systems data unless their network is secure.

Attackers can connect their laptop computer to internal cable plant and launch what is called a

Man-In-The-Middle attack this is a replay or Transmission Control Protocol/Internet Protocol

(TCP/IP) hijacking attack, Ciampa (2005).

The attackers can also use a technique called sniffing, which is capturing data packets

that are traveling through the network. Hardware or software that performs these functions is

called sniffers. To protect the data plant the first line of defense would have to be is there has to

be adequate physical security, what physical security does is protect the infrastructure and has

one primary goal; that is to prevent unauthorized users from reaching the equipment or cable

plant and to prevent them using, stealing or vandalizing it, , Ciampa (2005).


15/28

Network Security 15

Figure 3

Diagram created by Roger Barr, Data taken from Ciampa (2005)

The base design of a secure network is shown in figure 3; a security perimeter surrounds the

network and computers, with a single entry point for external traffic, such as traffic from the

internet. Securing cabling outside of the protected network, this is not the primary security issue

for most organizations. The priority is protecting access to the cable plant within the internal

network, Ciampa (2005).


16/28

Network Security 16

Attackers frequently position sniffers near targets where they can gather the most sensitive

information; this could be a server that supplies financial data to a bank. Physical security can be

compromised if the proper equipment is not installed to prevent outsiders form accessing the

cable plant. The security measures could include changing door locks, alarm systems, proper

lighting, plus having good security procedures in place for all employees or even guests into the

financial institution.

More intruders gain access to the power plan through social engineering, this can be done

by several means pretending to be there to repair something, this is done more than any other

means of gathering sensitive data. There are several ways to secure data that is stored on a file

server and this would be accomplished by using strong passwords, network security devices,

antivirus software, physical security, education and management evolvement. There are things

that organizations have to be aware of internally too, that could be employees coping information

on CDs and bring that information home.

What employee theft of data does is compromise the system more by the employee losing

the disk and the information getting into more hands, or the employee selling the disk. Another

thing is a worm or virus can be introduced to the media, if the employee brings back the disk and

uses it for a malicious intent. A workstation like you would have in the bank refers to personal

computers attached to a network. Also called a client workstations are generally connected to a

LAN and share resources with other work stations that are in the same network. A server is a

computer on a network that is dedicated to managing and also controlling that network. The

server is responsible for holding the files and managing the processes that provide the resources

to the network users, Ciampa (2005).


17/28

Network Security 17

Both workstations and servers can be victims of all the different types of attacks. To harden

these systems there are there are several things that have to be done:

Disable nonessential service. Do not allow users to grant permissions to other users over objects. Install antivirus software and keep it updated (very important). Regularly update operating systems and applications. Require strong passwords with a minimum length of eight characters, which expires

after 30 days and cannot be reused.

Review audit logs regularly.

Set access control lists (ACLs) for all network users. Use CHAP, Kerberos, and certifications when possible. Use Security Templates. When using biometric devices, require addition authentication such as tokens.

Data taken from Ciampa (2005)

OSI Architecture

Encryption is another form of protecting data; it is a very important form that is often

over looked. The author of Cryptography and Network Security Principles and Practices (4th

Ed)

by William Stallings, states to assess effectively security needs of an organization and to

evaluate and choose various security products and policies, the manager responsible for security

needs some systematic way of defining the requirements for security and characterizing the

approaches to satisfying those requirements, Stallings (2006).


18/28

Network Security 18

The author states that this is difficult when youre dealing with a centralized data

processing environment, with the use of LANs and WANs this problem becomes compounded.

ITU-T2 Recommendations X.800, Security Architecture for OSI, defines such a system

approach, Stallings (2006). This architecture comes in handy to managers when organizing the

task of handling security. This architecture was developed as an international standard; computer

and communications vendors have developed security features for their products from this

architecture. The OSI security architecture focuses on security attacks, mechanisms as well as

services; these can be defined by the following:

Security attack: Any action that compromises the security of information owned by

an organization.

Security Mechanism: A process (or a device incorporating such a process) that isdesigned to detect, prevent, or recover from a security attack.

Security Services: A processing of communication service that enhances thesecurity of data processing systems and the information transfers of an organization.

The services are intended to counter security attacks, and they make use of one or

more security mechanisms to provide the service.

Data taken from Stallings (2006)

A means of classifying security attacks, used by both X.800 and RFC 2828, is the terms

both passive and active attacks. A passive attack attempts to learn or make use of the information

from the system but at the same time it does not affect the system resources. An active attack

attempts to alter the resources or affect its operation, Stallings (2006).


19/28

Network Security 19

In all the articles and information taken from books on this research paper all point out the

importance of financial institutions responsibilities of securing their networks and what the

implications would be for not doing so. There are several different measures pointed out by the

authors of these articles and books for securing a network both internally and externally, by

keeping data from being compromised. This is very important to a financial institution

especially, because customer data can be lost or stolen and have a big effect on the financial

organization which could hurt their status, and be the cause for fines by the government

regulatory commissions.

Regulatory guidelines are set to help both the financial industry and to especially help the

customer so that their critical information is not stolen and used for malicious intents. All the

information from these sources clearly state the importance of protecting personal data, and

shows the need for better security measures by the financial institutes like banks, credit card

companies, mortgage companies and any institute that collects personal data from its customers

and clients that could even be large companies.

Though our main focus here are financial institutions data security goes a long way and this

paper also serves as a reminder to these companies that there is a greater need for more secure

systems and better security planning and training. Education of employees is where it should

start and continue to encompass the wider picture of securing every access point within an

organization.


20/28

Network Security 20

Chapter 3

Methodology

This research took a quantitative approach by using different resources of information

such as books by popular authors with scholarly information and Scholarly articles. Diagrams

were created by me using data from articles and books that were written on the subject that was

presented. Books on Cryptology, Network Security along with several papers written by

researchers were used along with several cases presented that have to do with breaches of data by

hackers on financial institutions. Each case that was presented was an actual case that happened

to a real organization. I chose these sources because they were the best representation of data by

scholarly sources on this subject. I analyzed the data in sequence, in accordance to how network

security should be measured when doing research on such a topic, from narrow to wide.

All the information is broad based, meaning it covers security for many different types of

institutes, but my scope was limited to financial institutes such as banks and any institute that has

to do with our financial system, here in the United States and globally because network security

is a global problem, it does not begin and end on one shore. The materials used from the books I

chose are books that have been used in college courses to teach network security and encryption

which is a part of network security, which is a whole other subject that can get very deep. All

the information resources chosen over the internet were from information sites, articles and

publications that were written by scholarly sources.


21/28

Network Security 21

Chapter 4

Data Analysis

How will network security help financial institutes protect personal data, both today and in the

future from breaches of security into their networks?

This is an important question, because it is very important for financial institutions like

banks to protect personal data so that it does not get into the wrong hands, through this research

paper we have come up with some of the answers to this question. The first thing is more

education given to employees and management alike that work and run these financial

institutions. It is also very important to have a network security plan that is going to work and

that is not real complicated to implement.

In order for security to work at these institutions there has to be cooperation from both

staff and management, and there has to be a plan to cover security from internal threat and

external threat. As stated earlier in this paper there are physical as well as network security that

has to be dealt with physical would be securing cable plants from intruders walking in setting up

a laptop and stealing data. Network security evolves measures like the ones listed on (p 16) of

this paper. The answer to this question is that securing a financial network or any other network

has to be a total package of cooperation, education, and dedication to wanting to do what is right

and to do what is necessary to protect other people information.

Security is a combined effort and more security measures by financial security regulatory

commissions will also help both financial institutions as well as customers. This will help by

setting regulations that financial institutions must follow to protect personal data on their

systems.


22/28

Network Security 22

Chapter 5

Summary, Conclusion, Recommendation

In this paper we have discussed a lot of material on Network Security and Financial

Institutions, this paper covered a lot of material about companys lack of security measures. This

paper also covered the different types of threats there are that threaten a network on a daily basis,

this paper also covered X.800 and hackers and their techniques as well as what physical security

and what network security is. This paper displayed several real life cases of actual breaches to

three different organizations networks, all being financial institutes. This paper gave a problem

statement and latter throughout the paper showed what can be done to address this problem, this

paper also displayed different diagrams, two of which were created by me using data from the

sources I used and the other came directly from the web source giving full credit to the source.

My observations in all the research that I did was that there has been a lack of network and

physical security in financial institutions for as long as computers have existed, and it continues

to be a wide based problem extending globally. There are attacks on networks every day and still

the same security problems exist. Another observation I get from this research is that there is a

lack of education on the part of financial institutions on network security, yet most of their

transactions are network based, it seems the concerns while training their personnel is for the

most part paper work that has to do with the bank, but not on how to secure this data when

entered in their system.

My recommendation is that financial institutions do a more thorough job training personnel

during their initial training and also concentrate that training in the direction of securing personal

data in their system. I also recommend that management get more involved in network security

within their organization, this is very important so that there is cooperation between


23/28

Network Security 23

management, training and their employees. If security is stressed on regular bases there will be

improvements that can be seen very quickly. There is a great need for more research on this

subject to answer the unanswered questions of why doesnt organizations take security more

serious with so much on the line for them? What measures will help organizations to realize how

important security is to their networks?


24/28

Network Security 24

References

BuildWebSite4U (2010) Computer Internet Security, Retrieved May 1, 2010, from http://www.

Buildwebsite4u.com/articles/internet-security.shtml

Ciampa, M (2005) Security+ Guide To Network Security Fundamentals (2nd

Ed), ThomsonLearning Inc., 25 Thomson Place, Boston MA, 02210

Corbin, K (2010) Database Security Lacking at Financial Services Firms, Retrieved April 28,

2010 from http://www.esecurityplanet.com/trends/article.php/3868381/Database-Security-Lacking-at-Financial-Services-Firms.htm

Freshfields, Bruckhaus & Deringer (2008) Data Security in Financial Services, Retrieved April30, 2010, from http://www.freshfields.com/publication/pdfs/2008/sept08/23489.pdf

InternetWorldStats (2010) Internet Usage Statistics the Big Picture, Retrieved May 1, 2010, fromhttp://www.internetworldstats.com/stats.htm

ITRC (2010) Identity Theft Resource Center, Retrieved April 28, 2010 from

http://www.idtheftcenter.org/ITRC%20Breach%20Report%202010.pdf

Jenkins, G (2009) ITRC 2008 Data Breach Statistics; Insider Theft Doubled, Retrieved April 28,2010 from http://ivebeenmugged.typepad.com/my_weblog/2009/01/20090121.html

LeDuc, S (2005) New Data Security Guidance for Banks Not Suggested, These Elements Are

Required, Retrieved April 7, 2010, fromhttp://www.gcglaw.com/resources/financial/data_security.html

Stallings, W. (2006) Cryptography and Network Security (4th

Ed), PEARSON, Prentice Hall,Upper Saddle River, NJ 07458


25/28

Network Security 25

Appendix

Where to Go for More Information on This Subject, there are several books and articles on this

subject, Books that I recommend are;

Stallings, W. (2006) Cryptography and Network Security (4th Ed), PEARSON, Prentice Hall,Upper Saddle River, NJ 07458

Cryptography and Network Security by Williams Stallings, this book covers the importance of

Cryptography and Network Security and the role that cryptography takes on in securing data

through data encryption.

Ciampa, M (2005) Security+ Guide To Network Security Fundamentals (2nd Ed), ThomsonLearning Inc., 25 Thomson Place, Boston MA, 02210

Another book that I recommend is Security+ Guide To Network Security Fundamentals by Mark

Ciampa, this book is very detailed covering everything from different types of network attacks to

how to secure a network from intruders.

There are also very good websites on this subject which I have listed in the reference section of

this paper.


26/28

Network Security 26

Narrative

I had a lot of challenges when conducting this study one was trying to pick the right

materials to present for the subject matter, because network security is such a wide topic because

it covers everything from personal attacks to attacks over large networks, cryptography, physical

security, management and a lot more. This information that is obtained from books and articles

deals with network security more in general than it does on specific topics so it is very time

consuming to find the right information on this topic, when you look for scholarly sites most of

them you have to pay for to obtain information on the subject matter. There are sites also listed

that you cannot get into because they are other college sites. So it is hard to gather information

on this subject, you have to look at 40 different sites just to obtain one paper that really has to do

with your research.

The results are what I expected to find except for the difficulty in finding the information

like I stated. Another challenge was trying to get this paper done in six weeks with an overload

work schedule that I have, this research was very time consuming and even though you have six

weeks to do it, the amount of time after work to get this amount of information still turns out to

be very little. So those were the biggest challenges. I like a challenge but I believe doing a 25

page paper with the amount of other paper work for this course, was a big challenge.


27/28

Network Security 27

Tables and Figures

Figure 1. Internet users in the world by geographic regions 2009

Figure 2. ITRC 2008 Data Breach Statistics

Figure 3. Network Perimeter


28/28

Network Security ResearchPaper

Documents

Transcript of Network Security ResearchPaper