Asset protection

Banks come in all shapes and sizes, from global financial services firms down to the smallest credit unions. But finding better ways to ensure security is a common concern. Large banks face another challenge - the need to deploy data-management tools as data volumes grow.

Finding ways to identify the holes in applications and patch them is a top priority because of the many computer worms and hacker assaults that are aimed at exploiting specific software vulnerabilities. "We have to apply patches nearly every day," says Bill Arnold, IT manager at Purdue Employees Federal Credit Union in West Lafayette, Ind.

The credit union uses a mix of Unix, Linux and Windows servers and desktops. While the patching job had been manual until recently, the bank now uses a tool from SecurityProfiling to automate the patch process for some of its computers. SecurityProfiling's software agents sit on servers and receive and install software patch updates.

However, Arnold says it's hard to feel the battle can be completely won. For example, Microsoft doesn't provide patches for some of the older software the credit union still uses. The organization eventually will upgrade to newer desktop software, but the patch management problem remains a tough one to solve.

A Deloitte & Touche survey shows IT security managers from 175 firms have big concerns about network attacks. According to the consultancy's 2003 Security Survey, only 13% of the industry's IT security professionals felt "extremely confident" that their organizations are shielded from Internet-based attacks. Moreover, 18% said they were "not very confident" their systems are safe from insider attacks. And 39% acknowledged that their systems had been compromised in some way last year.

"We're a pure Microsoft shop; our core concern is that we be up and running, and we want to patch in production as much as possible," says John Shields, senior vice president of e-business at Patelco Credit Union in San Francisco.

Patelco uses nCircle's IP360 appliance to scan Patelco's internal network for vulnerabilities. "We use the reports to generate the patches we need," Shields says.

Shields and Arnold want to see tighter integration between the patching tools, scanners and intrusion-detection systems they use so that security alerts from the IDSs are more relevant to their network traffic. Today, IDSs have little knowledge of the systems they are intended to protect.

Kirk Drake, CIO at National Institutes of Health Federal Credit Union in Bethesda, Md., says IDSs must improve to give reliable alerts about attacks. "They give you an insane amount of data, notifying you of about 200 to 300 alerts each day, but most of them are false positives," Drake says about the Sourcefire IDS that the credit union uses. "They trigger an alert, but if they knew what was really in your network and what was patched, it wouldn't be giving you that alert."

In recognition of that problem, Sourcefire is developing a network-discovery tool that will be able to share such information with the IDS to improve the quality of alerts. NCircle, Internet Security Systems and SecurityProfiling are other vendors actively pursuing tighter integration between IDSs and scanning tools.