What if your boss told you to make a change in your IT security that you knew was wrong, and in fact might even increase the risk of a successful hack attack? And what if this boss was the head of a federal agency that oversees and rates your organization? That's the dilemma that financial institutions across the country are facing.
On May 29, the FDIC released a document that may actually aid hackers in breaking into banks. "FIL 43-2003 Computer Software Patch Management" was issued to "assist financial institutions in developing an effective computer software patch management program in order to mitigate risks associated with commercial software vulnerabilities."
Unfortunately, the guidance also contains a directive that might actually aid a hacker in infecting a bank. After a virus attack or suspected compromise, IT officers may choose to reinstall the operating system. To simplify the process, FDIC says banks should "[reinstall] previous system version backups of all software...in lieu of installing the software from the original installation media."
Several officers listed on the FDIC Web site were contacted by e-mail for comment, but failed to respond. One bank IT officer (who asked to remain anonymous) stated, "It would be silly to follow the guidance, [since] the risk of reloading a possibly infected operating system far outweighs the small savings in time." However, many bankers might disagree, and be more inclined to blindly follow
In the event it's necessary to reload an operating system (e.g. as in the case of a virus infection or penetration of the firewall), a prudent IT officer has to assume that backups were also infected. But by following the FDIC guidance, IT departments might inadvertently load a Trojan horse back on the system. Image if this scenario occurred at every bank in the United States and all backups were, in time, infected. The affect on the economy would be catastrophic.
On July 18, the Department of Homeland Security sent a bulletin to banks warning them "that Al-Qaeda leaders have operatives in the United States researching hacking into the mainframes of U.S. banks." Imagine if Al-Qaeda managed to infect all U.S. banks with a Trojan horse that captured Internet banking passwords (as recently occurred at the Absa Bank in South Africa) and emptied the bank accounts, or simply corrupted the customer database.
If a bank had backed up and reloaded corrupted programs and data, as advised by FDIC, then recovery would be a long and costly process.
James R. Hickman, CPA, is an IT auditor with 20 years experience. He is the author of "Practical IT Auditing," published by Warren Gorham & Lamont. He is a frequent lecturer at national computer conferences and has served on a number of committees with the American Institute of CPAs and state societies. http://www.itauditing.com
This was first published in November 2003