Out-Law News

Bank security reveals worrying gaps, warns NTA Monitor


Over 90% of financial institutions have basic flaws in their IT security systems that could disrupt on-line banking services, according to a report from internet security testing specialists NTA Monitor. Most problems could be fixed in under 20 minutes.

NTA Monitor assessed a wide range of blue chip companies across the financial, government, legal, IT and telecoms, manufacturing and services sectors. Over 600 network perimeter security tests were carried out on each one, and the results have now been published in NTA Monitor's Vertical Market Security Report 2003.

The report shows that the financial sector has the worst results for router security, with 94% of those financial companies tested containing flaws that could disrupt their on-line banking systems. These router flaws included a susceptibility to denial of service attacks – where servers are so overrun with requests that they simply shut down – unauthorised access, and giving out information about other users on the router.

According to NTA Monitor, router systems are often dealt with by ISPs rather than site operators, and companies therefore do not consider routers a security issue for them. The advice, however, is to try to block routers, or filter access as much as possible.

The report also highlights poor firewall security, with 46% of financial institutions tested having flaws in these systems. Thirty-one percent had ten errors or more.

NTA Monitor found that 38% of financial sector web sites were at risk of hackers disrupting their service, or obtaining unauthorised access to the site.

Roy Hills, the Technical Director of NTA Monitor, said:

"Although the financial sector performed amongst the best overall, on closer analysis we found that excellent performance in some areas masked worrying gaps in others. This is surprising given the fierce competition in the financial sector: slow access or loss of service could turn the fickle internet consumer towards another brand. Tighter security across all areas needs to be made a priority today and the holes plugged quickly - or this could become a turkey shoot for hackers."

He pointed to the router and firewall flaws and commented:

"Both these trends suggest either complacency or lack of awareness - and I'm not sure which worries me most. Many of the problems highlighted can be fixed in under 20 minutes, with the right knowledge and the right mindset. So cost of new software or infrastructure is not the major constraint."

The financial sector was not the only one up for criticism. In fact, the financial sector did rather better than most other sectors overall.

But Hills warned:

"Although some sectors are performing better than others, in absolute terms all sectors still have a very long way to go to achieve best practice network security.

"The survey results also highlight a focus on reducing the impact of risks (i.e. minimising high-risk issues) rather than addressing the areas of risk (i.e. minimising all risks in the router, firewall etc). So in addition to addressing risks in order of severity, we'd recommend taking a holistic view, targeting distinct risk areas."
