IN-DEPTH: Banks turn to ethical hackers to enhance security

As reported in FierceFinanceIT, 2011 has seen major financial and commercial companies victimized by online breaches. In an effort to beef up security, many of these companies are now turning to certified professional hackers to test and enhance security systems.

Banks are facing increasing online and cyber security threats.

Often referred to as "ethical hacking," it's a phenomenon that Jay Bavisi, co-founder of the International Council of Electronic Commerce Consultants (EC-Council), says has entered into the mainstream over the last 10 years.

"In five years it will almost become mandatory. You probably need to have an [ethical hacker] that's on your job," Bavisi told FierceFinanceIT. Formed in 2001, the EC-Council has trained over 80,000 individuals, certified more than 30,000 IT professionals and represents 87 countries, according to the organization's website.

The growing cybersecurity threat

To understand the growth of ethical hacking professionals requires reflecting on the increasingly volatile cybersecurity environment, where technology breaches of increased scale and frequency are the trend.

In April, RSA, the security division of data recovery and cloud-computing company EMC, was hacked and the data were used to launch a cyber attack on Lockheed Martin, a leading U.S. defense contractor. In May, cyber attackers stole information and up to $2.7 million from 360,000 customer accounts at Citigroup, with 3,400 of these customers reported to have lost money through subsequent schemes, according to the Wall Street Journal.

In addition to data leaks, malicious code is on the rise. A July report from PC Magazine approximated that 42 new malware strains were created every minute during the second quarter of 2011.

Given the high stakes, complacency is not an option for financial institutions.

"Breaches happen, and so the financial services community is not immune," said Doug Johnson, VP of risk management policy at the American Bankers Association (ABA), an organization representing the $13 trillion U.S. banking industry and its 2 million employees. In an interview with FierceFinanceIT, Johnson said he has seen an uptick in security breaches in a variety of environments, including the financial services industry.  

"No matter where that customer data is compromised, it's most likely the bank that ends up carrying the loss," he said.

Compliance vs. Security: A key distinction

Even with heavy new compliance regulations coming from Congress, Bavisi says that simply getting tick marks on an audit form is no guarantee of data security.

"One of the biggest challenges in the financial industry is that there has been an overemphasis in the area of compliance without focusing on the actual need for security," Bavisi said. "When you get audited and when you past the audit you have the false perception that you are secure."

He added that it's a dangerous mentality to adopt, especially because few hacks are publicized.

"Some of the best hacks in the world are the ones you never see," he said. "If you don't know that you are hacked, you don't have motivation to fix yourself."

Johnson countered with his view that focusing on compliance is no barrier to banks' pursuing strong security measures.

It's a bit ironic, then, that vulnerable banks are turning to certified ethical hackers and penetration testers to secure systems and data, something that Johnson says is becoming prevalent within most banks' security routines.

Johnson thinks the advent of certified hackers is a positive step for banks looking to use these professionals to improve security.

"It just speaks to the fact that the threat environment is what it is," He said. "There is a need to insure that those individuals have the capability to prove to [banks] that they have got the education and experience and credentials needed to conduct tests."

Implementing hacking technology to boost security

Bavisi explained that there are two main methods of testing bank security systems through hacking and penetration testing. The "white box" method involves giving hackers specific information and "rules of engagement" directing their focus. Another method, which Bavisi called the "black box" method, involves giving the hackers no prior instruction. Rather, the goal is simply to allow the testers free rein over a period of time in order to see what information or securities holes they can turn up.

Several companies, including TraceSecurity and Trustwave, offer these types of services. In a recent Reuters report, Trustwave SVP Nicholas Percoco described an example of an ethical hacking job: "We'll call the CIO and tell them, ‘we are standing in the middle of your data center. Do you want to come get us?'"

And the demand for ethical hacking has not gone unnoticed in the professional development arena. A recent announcement by securitycourses.com, which provides training courses in ethical hacking, notes that class enrollment has seen a major spike the past six months.

But despite its rising popularity, banks remain cagey about sharing specifics about any penetration testing or ethical hacking on their systems.  

Laura Hunter, a spokeswoman for Bank of America, declined to talk in detail about the bank's processes. But she shared in an email with FierceFinanceIT that Bank of America "constantly evaluates the security of our systems, including all potential threats, and takes appropriate steps to keep information secure and services available to customers and clients."  She added that "Bank of America has people, processes and technology dedicated to securing our information and systems."

As critical as system testing is to bank security, some banks, including small community banks, lack the resources to hire a professional penetration testing firm.  In order to alleviate the cost, Bavisi recommends sending IT professionals to become certified as ethical hackers in lieu of hiring a professional firm. Employees with at least two years of IT experience are eligible to enroll in the program. Furthermore, Johnson said the ABA is working to leverage its membership to negotiate price decreases on hacking services for banks that cannot otherwise afford it.

"We did due diligence on a number of security companies on behalf of our community banks," he said.

No matter what route banks take to procure penetration and hacking testing, Johnson said it's evident that the issue of IT security is not going away and banks need to remain focused on security and frequent dynamic risk assessments.

"I think we just need to recognize that those threats are always going to change," Johnson said. "[Banks] can't be one-and-done. They need to look for the new threats, understand the new threats, know how to mitigate the new threats and [how to] put that mitigation into place."