[ISN] Internal hackers pose the greatest threat

InfoSec News isn at c4i.org
Thu Jun 23 05:08:20 EDT 2005


http://www.vnunet.com/2138597

Robert Jaques
vnunet.com 
23 Jun 2005 

Internal hackers pose the greatest threat to the IT systems of the
world's largest financial institutions, according to the 2005 Global
Security Survey released today by the financial services industry
practices of Deloitte Touche Tohmatsu.

Over a third of respondents admitted to having fallen victim to
internal hack attacks during the past 12 months (up from 14 per cent
in 2004) compared to 26 per cent from external sources (up from 23 per
cent in 2004).

Instances of phishing and pharming, in which hackers lure people into
disclosing sensitive information using bogus emails and websites,
rocketed during the past year, underscoring the human factor as "a new
and growing weakness in the security chain".

The study noted that the shift in tactics to exploit humans, rather
than technological loopholes, is explained by the improved use of IT
security systems.

This includes the increased deployment of antivirus systems (98 per
cent compared with 87 per cent in 2004), virtual private networks (79
per cent compared with 75 per cent) and content filtering and
monitoring (76 per cent compared with 60 per cent).

"Financial institutions have made great progress in deploying
technological solutions to protect themselves from direct external
threats," said Adel Melek, a partner in the Canadian member firm of
Deloitte Touche Tohmatsu.

"But the rise and increased sophistication of attacks that target
customers, and internal attacks, indicate that there are new threats
that have to be addressed.

"Strong customer authentication, training and increased awareness can
play a significant role in narrowing this gap."

However, the survey results show that security training and awareness
have yet to top the agenda of chief information security officers, as
less than half of respondents have training and awareness initiatives
scheduled for the next 12 months.

Training and awareness was at the bottom of the security initiatives
list, far behind regulatory compliance (74 per cent) and reporting and
measurement (61 per cent).

The findings aligned with financial institutions' future investment
plans in security, with 64 per cent of money set aside for security
tools, compared with only 15 per cent for employee awareness and
training.

Ted DeZabala, a principal in the security services group at Deloitte &
Touche LLP, said: "With threats such as identity theft, phishing and
pharming on the rise, organisations should be implementing identity
management solutions encompassing access, vulnerability, patch and
security event management.

"These solutions should be augmented by security training and
awareness if organisations are to minimise the number of human
behavioural threats.

"Clearly, continued vigilance is needed to meet and exceed the
requirements and truly protect corporate data from security threats."




