UK Financial Organisations' IT Security Flaws Up 20 Per Cent
13 Jun 10:31

NTA Monitor's 2007 Annual Security Report has revealed that tests performed on financial organisations found nearly 20 per cent more vulnerabilities than in the previous year's report. Whilst improvements in overall security have been achieved by most industry sectors, finance results have been disappointing.

This is sure to be a worry for those organisations aiming to become PCI compliant, because they must demonstrate that they are protecting client information. A company that is found to have any high, critical or urgent security risks will fail in this process, and could risk being blacklisted by the five major credit card companies. In addition, they are also at risk of action being taken against them by the FSA, which has started to levy strong fines on those financial organisations which are failing to have effective systems and controls to manage their information security risks.

Roy Hills, Technical Director at NTA Monitor, says: "The increase in vulnerabilities could be down to many factors, but one factor to consider is the growth in online business in general. Financial organisations are one of the frontrunners in terms of online activity. They are being pushed more and more to open themselves up to the public by offering more online services or by allowing customers to access their personal financial data. Whilst this extra accessibility is of benefit to many customers, at the same time it can increase the exposure to external attacks."

The report analyses data gathered from vulnerability tests conducted by NTA on UK companies in a wide range of industry sectors, including charities, education, government, IT, law and retail.

NTA Monitor makes the following recommendations to help companies raise awareness and minimise their exposure to IT security risks:

  • ensure that SSL certificates are always renewed when they expire
  • if using Apache web servers, change the default settings to guard against Denial of Service attacks
  • stay up to date on the latest vulnerabilities and apply patches and updates as soon as they become available
  • allocate sufficient management time, focus and control to ensure that preventative actions are carried out on an ongoing basis
  • involve and educate staff on Internet security issues
  • have a clear and up-to-date security policy; publicise and update it regularly

[To the first point above could be added: be sure that the certificates actually point to the relevant organisation. Even companies who should know better sin against this simple rule. Let me quote one stark example I saw about an hour ago: as one consequence of an editor's dire lot I sit and edit this column today in a luxury hotel in the wonderful emerald country of Ireland while slowly sipping a cold Guinness - what you have to go through in this line of work!

In order to do that I have logged on to an Eircom wireless hotspot. The certificate for their log-in server expired in 2005! :-). Truly a way to inspire confidence in their services...

It's again the maintenance part of the infosec policies that hasn't been implemented correctly (see the SABSA method) --Ed].
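The first recommendation above, together with the editor's point that a certificate must also be issued to the right organisation, is the kind of thing that should be checked automatically rather than noticed by a guest in a hotel. The following script is an added example, not code from NTA Monitor or from this portal: it takes a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, flags expiry (and an approaching renewal date), and checks that the names the certificate was issued for cover the host being logged in to. `SAMPLE_CERT` is a constructed certificate with placeholder names, not the real hotspot certificate, and the 30-day renewal window is an assumption you would tune to your own renewal process.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# it expired at the end of 2005. The names are placeholders, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "login.hotspot.example"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "login.hotspot.example"), ("DNS", "*.hotspot.example")),
    "notBefore": "Jan  1 00:00:00 2004 GMT",
    "notAfter": "Dec 31 23:59:59 2005 GMT",
}

RENEWAL_WINDOW_DAYS = 30  # assumed warning threshold; tune to your renewal process


def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, falling back to the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Simplified RFC 6125 matching: exact name, or a left-most wildcard covering one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".hotspot.example"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return pattern == hostname


def check_cert(cert, hostname, now=None):
    """Return a list of findings; an empty list means the certificate is acceptable for hostname."""
    findings = []
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        findings.append("expired on %s" % cert["notAfter"])
    elif now < not_before:
        findings.append("not yet valid (starts %s)" % cert["notBefore"])
    elif not_after - now < RENEWAL_WINDOW_DAYS * 86400:
        findings.append("expires within %d days (%s)" % (RENEWAL_WINDOW_DAYS, cert["notAfter"]))
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append("name mismatch: issued for %s, not %s" % (", ".join(names) or "<none>", hostname))
    return findings


def check_live(hostname, port=443, timeout=5.0):
    """Connect with full verification against the OS trust store. A certificate the store
    rejects (expired, wrong name, untrusted issuer) surfaces as SSLCertVerificationError and is
    reported as a finding; an accepted certificate is run through check_cert for the renewal
    warning. Needs network access; the offline sample below does not use it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return ["verification failed: %s" % exc.verify_message]


if __name__ == "__main__":
    for host in ("login.hotspot.example", "login.another-company.example"):
        print(host, "->", check_cert(SAMPLE_CERT, host) or ["ok"])
```

Run as a scheduled job against your own login and customer-facing hosts, `check_live` gives the renewal warning before the certificate lapses, while `check_cert` on a stored certificate catches the case where a valid certificate was simply issued for the wrong name.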

Related links: www.nta-monitor.com
