Infrastructure Is Us
The increasing demand for secure, user-friendly Web-based financial services has forced banks, S&Ls, brokerage houses and other financial institutions onto the bleeding edge of e-commerce technology. As the early adopters of many of today's "killer" e-commerce apps, however, these organizations are also the first to encounter new software bugs, new strains of malicious code and new types of attacks.
To keep one step ahead of the growing list of threats, the American Bankers Association (ABA) in March launched the Information Security Infrastructure (ABA-ISI) Working Group, an information exchange initiative aimed at protecting the financial industry from both new and traditional threats.
"We are helping to develop an active immune system that can detect and respond to security threats to the financial infrastructure," says Kawika Daguio, federal representative for the ABA. "There are a couple of components: One part allows people to anonymously share reports about intrusions, vulnerability indications and warnings. The second part involves sending the information out to participating bankers. In addition, bankers need appropriate tools to secure their parameters and to determine the information they ought to share."
Initially, the ABA-ISI Working Group will establish a closed community of select financial services companies to participate in the initiative. The ABA will help these financial institutions evaluate infosecurity risks and exposures, facilitate distribution of security incident information, evaluate anonymous reporting of security threats and manage information sharing. Security firms such as Internet Security Systems (ISS) and Axent Technologies are providing technical tools and consultation to get the ball rolling.
"We're not telling people what to use, but are facilitating deployment of the technology," Daguio says. "That means we're working with ISS and Axent for people to deploy their products, and tune them over time. I've got a bunch of bankers who love their stuff, but that doesn't mean people can't use other tools. We have a variety of tools, including custom ones that our guys created themselves. It's good, however, to have technology that everybody can point to that has been optimized. The more optimized these tools are to meet their requirements, the better off for everyone."
For example, using ISS's RealSecure automated network and host-based intrusion detection and response capabilities, the ABA-ISI group will be able to quantify the effects of intrusions reported by any of the participating institutions. Axent's policy assessment security solution, Enterprise Security Manager (ESM), will help member organizations locate system vulnerabilities and ensure that systems are properly configured and protected against external attacks.
"We'll fine-tune the program over time as people get more experienced sharing information around security-related issues," Daguio says. "The way we look at it is that we have the smartest people we know of working on these issues in the banks and at the vendors. The only way to leverage each other's experience is to actually share information back and forth. You get some of that from user groups, but real-life deployment is the trick."
Margot Suydam is managing editor of Information Security.
DAGUIO: "Active immune system" will help collaborating banks detect and respond to security threats.
© 1999 Information Security Magazine. Used with permission.