When the Financial Industry Regulatory Authority announced last month that it was fining Montana-based broker-dealer D.A. Davidson $375,000 for failing to protect customer information, the source of the problem was clear.
"The adversary is now a professional criminal," says Jack Daniel, community development manager of Wilmington, Mass.-based Astaro, a provider of internet security technology.
If the Davidson case demonstrates anything to financial firms, it's that protecting servers and educating employees about server design are the best first lines of defense. Davidson did not employ technical safeguards to protect customer records stored in a database housed on a Web server with a constant open Internet connection, according to FINRA.
The unprotected information included customer account numbers, Social Security numbers, names, addresses, dates of birth and other confidential data. The database was not encrypted, and the firm never activated a password, thereby leaving the default blank password in place.
As a result, confidential records of 192,000 customers were accessed by hackers that were part of an international crime group under investigation by the U.S. Secret Service.
After receiving a blackmail threat, Davidson assisted the Secret Service in identifying the suspects, three of whom were extradited from Eastern Europe and are now facing federal charges in Montana.
To breach Davidson's system, the hackers employed a mechanism called "SQL injection," an attack in which computer code is repeatedly inserted into a Web page for the purpose of extracting information from a database. The hacker injected the code into customer records pages on Davidson's site and was able to access and download the affected customers' confidential information.
While these attacks were visible on the logs kept by its Web server, the firm failed to review its logs.
The breach was discovered through an email sent by a hacker in January 2008, attempting to blackmail the firm, according to FINRA.
While the hacking attack may have surprised Davidson, experts in network security say this type of attack has become all too common.
"There have been a lot of cases similar to Davidson," says Derek Manky, project manager for cyber-security and threat research at Sunnyvale, Calif.-based information security technology provider Fortinet. "SQL has been prevalent for years," he says. "It is [caused by] implementation weakness in the Web server, an inherent flaw in the design."
Viruses and computer attacks typically used to originate from a teenager's basement, adds Astaro's Daniel. But that is no longer the case, he says: "[Hacking into computers] has become a business, and the rules have changed."
Manky, who specializes in spotting trends in cybercrime, explains that there are more attacks because there are more opportunities, and also because today's attackers don't have to be technically adept. They have crime work kits to assist them, courtesy of professional software developers who work on tools to attack computers, he says.
Crime work kits automate a lot of the hard work of attacking a system by putting a series of tools together so the user does not have to understand the underlying technology.
In the method used by Davidson's attackers, injection flaws such as SQL, OS and LDAP injection occur when untrusted data is sent to a program known as an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter, which translates an instruction into machine language, into getting a computer to respond to unintended commands or accessing unauthorized data.
According to the Open Web Application Security Project (OWASP), a nonprofit group focused on improving the security of application software, injection flaws such as SQL currently constitute the top application security risk for businesses.
The good news is that this type of attack is easy to thwart, and the brokerage firm could have done plenty to prevent it from occurring. "Part of the issue is awareness. It looks like Davidson had very little awareness," Daniel says.
Finding and fixing points in networks that can be exploited is the starting point, he says. "You need some sort of code security, or use of a security scanner to scan the Web site to look for obvious problems. This would have told them they had an exposure."
A typical vulnerability scanner can spot weaknesses across multiple computer networks, even if they are physically separate.
When you do the scan, it will look through the software and report on possible problems. The user needs to investigate each potential problem and determine which are real, then fix the code.
Code security involves writing code with an understanding that it will be misused or attacked and taking steps to prevent that.
Despite the surge in cybercrime, Daniel says that companies are still slow to realize that hackers are going to try to break into the database, and that protection against putting malicious code into a form on the Web site is essential. Without it, "Sometimes you can jump right in [to the site] and tell it to dump out the contents of the database," he says.
Web Application Firewalls
In addition to employing code security and a scanner, Daniel says that firms can employ tools to stand in front of the site. "You need a Web application firewall that looks at traffic to and from the server to check for things like SQL attacks," he says.
This kind of firewall can be an appliance or software that applies a set of rules to an HTTP conversation box. The WAF inspects traffic and blocks what it deems malicious.
The best way would have been for Davidson to do "all of the above," Daniel says.
Astaro's Security Gateway watches for threats on the perimeter of a customer's network or networks. The gateway can be deployed as hardware, software or a virtual appliance. Besides filtering incoming queries and content from the Web and protecting against spam and viruses, the gateway analyzes traffic for potential intrusions. "If it looks malicious, we will drop the traffic," Daniel says.
The product is targeted at small to midsize firms in financial services and other industries.
Dozens of companies are in the Unified Threat Management space, as it is called, Daniel says. According to an April 2010 report from Frost & Sullivan titled "World Unified Threat Management Products Market," the market worldwide has witnessed high growth rates, generating revenues of $1.97 billion in 2009, 32 percent above 2008 levels.
Growth rates are expected to increase in 2010-2011 before leveling off, according to the report.
Vendors in this space are seeking to grow by serving more regions of the country and more industries, Frost & Sullivan said.
According to Manky, cyber attacks consist of two types: server-based, as in the Davidson breach, and client based, as in a phishing scheme, where false Web pages are used to try to dupe visitors into voluntarily giving up personal information.
When it comes to server-side threats, he says, "You want to look at ... security technology that will be inspecting server traffic. It is about deploying the proper security solution to protect against the type of attack."
Fortinet's product for the server side is FortiWeb-1000B, a security appliance that provides Web application and XML firewalls to protect, balance and accelerate Web applications, databases and the information exchanged between them.
FortiWeb-1000B is designed for medium-size and large enterprises. It is a hardware module that is inserted into the data center. This reduces deployment time and makes it easier to get the benefit of centrally produced improvements. FortiWeb also provides protection from denial of service and other attacks on Web services, application acceleration and server load balancing.
When it comes to leading-edge developments, Daniel says he is seeing more products that focus on analysis of the specific traffic: Firewalls, for instance, "are going to try to figure out what the virus might be trying to do," he says. "It changes so often, we have to make assumptions about what the goal might be."
Still, Manky says that layers of security for Web servers and education of Web staffs remain the front lines of defense. "Think about coding implementation-the way the Web server is coded," he says. "My recommendation is to layer up your security, using as many mitigation techniques as possible."
This article can also be found at SecuritiesIndustry.com.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access