
By Terry Corbell
The Biz Coach
Web Security Checklist and Warning about Mobile Banking
Sept. 7, 2009
With good reason, Americans are increasingly concerned about their Internet security, according to a Harris Interactive study sponsored by Microsoft and National Cyber Security Alliance (NCSA). As recently as 2004, many Americans were not concerned about online security.
Fortunately, in surveying attitudes from 2007 to 2009, the Harris study’s findings included the following:
- 62 percent of U.S. adults are now leery of cybercrime
- 48 percent are more hesitant to put their personal information on the Web
- 37 percent are more reluctant to shop online
- 64 percent have received or are acquainted with someone who has received requests for personal information from untrustworthy sources
Internet security has been a headache for years, and I once wrote that technology companies were doing too little to safeguard businesses and consumers. Security was a concern in my Biz Coach column dated Oct. 26, 2004, when we mostly just feared viruses.
Now, we increasingly fear a whole lot more, including:
- Malware – a term for malicious software that infiltrates computers without the owners’ authorization.
- Phishing – the criminal act of trying to obtain personal information including passwords and credit card information, surreptitiously, by masquerading as a trustworthy source usually via e-mail.
In 2004, I wrote there was evidence of increased security ramifications for business. We learned computer users ignored basic online security measures – even in tech-savvy Seattle. A nationwide study by NCSA and America Online revealed that 77 percent of computer-users believed they were not vulnerable to Internet dangers.
But after dispatching experts to the homes of the 329 responding broadband and dial-up users in Seattle and 21 other cities, the NCSA study learned some startling facts:
- 49 percent of broadband users didn’t utilize firewalls
- 60 percent of the participants felt secure from hackers
- 88 percent were unaware their computers were infected with spyware
- 67 percent failed to regularly update their computers with anti-malware software
- 19 percent of the group was afflicted with viruses
Not only were these computer users risks to themselves; it was unnerving to note that they were also unknowing risks as online customers and as employees in both the public sector and business.
Customer data was also lost as a result of ineffective online security. Citing a 55 percent increase in attacks on government agencies, telecommunication companies and utilities in August of 2006, IBM launched its Global Business Security Index. The company reported its customers were attacked 100 million times a month and that most attacks occurred on Saturdays and Sundays.
A widely known pioneer in security and the prevention of identity theft – a premier consultant, Dr. Stan Stahl – warned security was a big issue in 2004. He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.
His philosophy for a successful online security program includes:
- Protect information assets from attack.
- Detect illicit attacks on information assets.
- Quickly recover from attacks, accidents or natural disasters.
- Comply with applicable security and privacy laws, regulations, and policies.
To protect the assets of both your customers and your company, here is his basic self-assessment management checklist:
1. Does your organization’s computer network contain sensitive or critical information?
2. Do you have an executive responsible for managing the protection of critical information assets, is this person explicitly trained in information security, and have you allocated budget and resources for protection?
3. Does the board or executive management review the organization’s information security posture at least semi-annually?
4. Has your organization documented information security policies consistent with its business needs, organizational structure, legal obligations, insurance policies, and risk management processes?
5. Is all critical and sensitive information explicitly identified as such and restricted to those having a “need to know?”
6. Are all employees and contractors provided regular ongoing information security training, including training in the safe handling of email and in password selection and protection, and are they held accountable for violations of security policy?
7. Have you coordinated your information security posture with customers, suppliers, and other trading partners whose computer systems you access or who access your computer systems?
8. Does your organization have documented recovery procedures to follow should a break-in, malware infestation or other security event occur?
9. Does your organization back up all workstations and servers at least weekly, are multiple back-ups stored offsite, and are back-ups periodically tested to ensure the ability to restore data if necessary?
10. Has your organization’s system architecture been explicitly designed in accordance with network security principles and practices, including the use of firewalls?
11. Is malware protection software on all servers and workstations and is someone explicitly responsible for monitoring malware alerts and ensuring that malware protection is up-to-date?
12. Is someone explicitly responsible for monitoring security patches and alerts, and ensuring hardware and software systems are up-to-date and properly protected?
13. Is access to servers, routers, and other network technology physically restricted to those whose job responsibilities require access?
14. Would you know if someone was illegitimately accessing critical information assets?
15. Has your organization had an independent third-party information security vulnerability assessment or penetration test within the last 12 months?
So, if security is a possible concern, I would follow Dr. Stahl’s advice.
Dr. Stahl’s Web site: www.citadel-information.com.
From the Coach’s Corner, phishing attacks are also possible in mobile services, according to the Credit Union Times Web site. With the growing popularity of mobile services, not surprisingly, mobile phones are vulnerable, too.
The site warns about another security threat – bluejacking on mobile phones. Predators are capable of penetrating Bluetooth connections to access data on phones. In its bluejacking article, the publication suggests implementing multi-layer authentication and quick session timeouts.
However, please note Dr. Stahl raises a giant red flag on mobile services:
“Once again, the opportunity to make money trumps security,” he says. “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”
He further explains:
“It is not just phishing attacks to which they are vulnerable. We can take over cells running Bluetooth. Cell phones (like my iPhone) are often automatically configured to connect to the web using a wireless network over which neither the user nor the bank maintain any control. (I’ve changed this default setting on mine.) And because there have been few cell phone attacks to date, the community has little experience in how buggy the software products are and how responsive the vendors will be in fixing vulnerabilities when they show up.”
For the bottom-line, he advises:
“All in all, cell phone on-line banking is a big NO!!!”