IT security complacency in the UK finance sector
could lead to online banking facilities being taken offline, says
NTA Monitor. According to NTA’s Vertical Market Security Report
2003, more than nine out of ten financial organisations tested showed
basic flaws that could put the availability of online banking systems
in jeopardy.
NTA Monitor is a full-service Internet security
testing specialist. It warns that the use of online banking and
other financial services may suffer if IT security in certain key
areas is not improved quickly. The report spotlights the financial
sector as having the worst record for router security compared to
other sectors, with 94 percent of financial organisations tested
showing basic flaws that could cause major disruption to online
banking services.
The report also found that firewall performance
in financial organisations is worsening, with 46 percent of those
tested showing flaws in this area. Nearly a third of financial organisations
(31 percent) tested by NTA Monitor were found to have at least ten
flaws, opening themselves to considerable risk of malicious attack.
38 percent of sites have between 2 and 5 medium level risks, which
could directly result in disruption of service by external attackers
or provide unauthorised access if incorrectly configured.
The Vertical Market Security Report 2003 is
based on analysis of more than 600 Regular Monitor network perimeter
security tests undertaken by NTA Monitor for a broad range of blue
chip clients. The research analysed test results across the financial,
government, legal, IT & telecommunications, manufacturing and
services sectors.
Roy Hills, Technical Director, NTA Monitor,
said: “Although the financial sector performed amongst the
best overall, on closer analysis we found that excellent performance
in some areas masked worrying gaps in others. This is surprising
given the fierce competition in the financial sector: slow access
or loss of service could turn the fickle Internet consumer towards
another brand. Tighter security across all areas needs to be made
a priority today and the holes plugged quickly – or this could
become a turkey shoot for hackers.”
“Having worked with these sectors for
many years, the analysis produced surprising results, in the case
of the financial sector totally contradicting what we’d assumed.
We expected the financial sector to have the tightest security but
it proved to have the worst record for router vulnerabilities –
94 percent of companies surveyed had basic router flaws. This could
enable a hacker to prevent any Internet traffic entering or leaving
a gateway – imagine the disruption caused to online banking
customers, and financial services sales lost.”
“Another worry is that firewall risks
are worsening in the finance sector. Any risk discovered in a security
system that a corporate relies upon to protect its network is of
serious concern,” Hills said.
“Both these trends suggest either complacency
or lack of awareness – and I’m not sure which worries
me most. Many of the problems highlighted can be fixed in under
20 minutes, with the right knowledge and the right mindset. So cost
of new software or infrastructure is not the major constraint.”
Overall vertical market trends
Overall, the report highlights marked security gaps between vertical
markets, widening to a chasm in certain areas. The government, legal,
manufacturing and services sectors lag the finance and IT &
telecommunications sectors in terms of security vulnerabilities
in their IT systems. The situation has only shown marginal improvement
over the last four years despite the continued increase in focus
on IT security during that time.
No sector outperformed all others across all
risk areas: the extent to which different vertical market sectors
were exposed varied markedly depending on the security area examined.
The most striking variance between sectors was in firewall and visible
hosts vulnerabilities. For example, firewall flaws were found in
82 per cent of legal organisations in 2002, compared to 25 per cent
of IT and telco companies in the same year.
Hills said, “This highlights the need
for ongoing security testing across all areas: network, operating
system and application level. Although some sectors are performing
better than others, in absolute terms all sectors still have a very
long way to go to achieve best practice network security.”
“The survey results also highlight a
focus on reducing the impact of risks (i.e. minimising high-risk
issues) rather than addressing the areas of risk (i.e. minimising
all risks in the router, firewall etc). So in addition to addressing
risks in order of severity, we’d recommend taking a holistic
view, targeting distinct risk areas.”
A copy of the NTA Monitor Vertical Market Security Report 2003, including
these recommendations, can be downloaded from www.nta-monitor.com/auditreport/finance.

• Date: 28th August 2003 • Region: UK • Type: Article • Topic: ISM