Sept. 11 Remembered: Convergence is One Key to Avoid Catastrophe

The sixth anniversary of September 11th draws near, and the question floating among those in the financial services industry remains, “Is my institution ready in the event another 9-11 happens?”

Information security expert William Crowell believes that a completely integrated and converged security program will help prepare an institution's staff to handle what may be termed a catastrophic event. “September 11th was the wakeup call for the security industry as a whole,” said Crowell.

“Remember, the bad guys go for the seams, just as the 9-11 hijackers did,” he noted. Asked why financial institutions should be concerned about physical and logical security convergence, Crowell replied, “The majority of financial institutions and the industry as a whole are very concerned with security, and their systems are secured and they minimize risk wherever possible.”

That being said, he added, over the years all of the different services within a bank have grown up and gone into separate “stovepipes,” banking in one, credit cards in another, retail is separate from corporate banking, and so on. “Along with that, risk assessment, risk management and security have all been separate as well. So the convergence of physical and logical security is part of a set of actions that need to be taken to manage risk more robustly.”

One thing Crowell finds troublesome is the fact that most industries are global in nature. “Much of their business or parts of their business are supported globally, over vehicles like the internet. This makes them much more susceptible to attacks that can be very costly.”

Crowell pointed to the growth of back office processing, help desk and administrative tasks being pushed to third party vendors in overseas locations. One example he gave: last year, Crowell was speaking to his accountant in California. He asked when they would have his tax return ready (he was turning his documents in at 4:45 p.m. on the West Coast). “My accountant said, ‘Oh, we’ll have them ready for you tomorrow by 8 a.m.’”

“‘What do you mean, tomorrow?’ I asked. He replied, ‘I send it out to Asia for processing.’” An accountant with no staff, with all his work outsourced overseas, Crowell said.

There are some companies that have initiated physical and logical security convergence, and are approaching it in the right way. “One very large convergence project has started at BT or British Telecom,” Crowell noted.

“In this country, I think we’re beginning to see several convergence projects in the banking industry. Bank of America and Wachovia are in the early stages and working hard on it,” he said.

There may be inherent weaknesses in financial institutions’ approach to security and infrastructure that could cause problems in the future, Crowell noted: “I see the growing dependence on electronic transactions over the public internet and the potential risk that this poses as the attacks become more sophisticated. Attackers are becoming very sophisticated in terms of their ability to penetrate a network’s defenses.”

What’s most troubling to him is the combined insider/outsider threat, where an attacker gains entry into the systems, or gets help covering up the intrusion through a change to logs or to a firewall setting.

What about institutions that have taken a “wait-and-see” approach to convergence? What do financial institutions need to do to avoid being left behind? “Institutions that will get left behind are the ones who do not recognize the enormous changes in skill levels and organizational structures that will be needed to gain the advancements that convergence offers,” Crowell noted.

He explained that typically the physical security office is run by an ex-marine or ex-law officer, adding: “That’s who knew the most about physical security.”

“Now, physical security is much different, authorization and access equipment is running on the network, and has to interact with all the other systems to get the most value out of it. This is where anyone starting out needs to begin. Ask these questions: What kind of people do I need? And where do I get them from? Do I need to hire them, or buy consultants?”

Once an institution has made the commitment, it then needs to design an enterprise security architecture that will facilitate the change. “Then incrementally build it. Frankly, the technologies are still immature and there is still much to come before they are completely robust. So an incremental approach is best,” Crowell explained. Earlier this year Crowell co-authored the first book to focus on this subject, “Physical and Logical Security Convergence,” published by Elsevier.

William Crowell is an independent consultant specializing in information technology, security and intelligence systems. He has worked with multiple information security companies since retiring as Deputy Director from the National Security Agency in 1997. Since 9/11 he has served on the Markle Foundation Task Force on National Security in the Information Age, which published three landmark studies on Homeland Security and information sharing and has also served on numerous panels to investigate and improve military command and control, intelligence and security systems. In August 2007 he was named Chairman of the Director of National Intelligence (DNI) Senior Advisory Group.



About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.