A directive for disaster

What if your boss told you to make a change in your IT security that you knew was wrong, and in fact might even increase the risk of a successful hack attack? And what if this boss was the head of a federal agency that oversees and rates your organization? That's the dilemma that financial institutions across the country are facing.

On May 29, the FDIC released a document that may actually aid hackers in breaking into banks. "FIL 43-2003 Computer Software Patch Management" was issued to "assist financial institutions in developing an effective computer software patch management program in order to mitigate risks associated with commercial software vulnerabilities."

Unfortunately, the guidance also contains a directive that might actually aid a hacker in infecting a bank. After a virus attack or suspected compromise, IT officers may choose to reinstall the operating system. To simplify the process, FDIC says banks should "[reinstall] previous system version backups of all software...in lieu of installing the software from the original installation media."

Several officers listed on the FDIC Web site were contacted by e-mail for comment, but failed to respond. One bank IT officer (who asked to remain anonymous) stated, "It would be silly to follow the guidance, [since] the risk of reloading a possibly infected operating system far outweighs the small savings in time." However, many bankers might disagree, and be more inclined to blindly follow

    Requires Free Membership to View

the letter of the law.

In the event it's necessary to reload an operating system (e.g. as in the case of a virus infection or penetration of the firewall), a prudent IT officer has to assume that backups were also infected. But by following the FDIC guidance, IT departments might inadvertently load a Trojan horse back on the system. Image if this scenario occurred at every bank in the United States and all backups were, in time, infected. The affect on the economy would be catastrophic.

On July 18, the Department of Homeland Security sent a bulletin to banks warning them "that Al-Qaeda leaders have operatives in the United States researching hacking into the mainframes of U.S. banks." Imagine if Al-Qaeda managed to infect all U.S. banks with a Trojan horse that captured Internet banking passwords (as recently occurred at the Absa Bank in South Africa) and emptied the bank accounts, or simply corrupted the customer database.

If a bank had backed up and reloaded corrupted programs and data, as advised by FDIC, then recovery would be a long and costly process.

James R. Hickman, CPA, is an IT auditor with 20 years experience. He is the author of "Practical IT Auditing," published by Warren Gorham & Lamont. He is a frequent lecturer at national computer conferences and has served on a number of committees with the American Institute of CPAs and state societies. http://www.itauditing.com

This was first published in November 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.