9.15.2007

Comments on Slashdot - Re Ameritrade Fiasco...

I recently responded to a comment made on Slashdot about one of their articles. The article covered an audit made of Ameritrade's system and the fact that it had a 'back-door' in it. One of the readers made a comment that seems reasonable at first, but belies the difficulty of securing a computer or a network.

Below is the text of my reply and here is a link to the original comment by mkraft and a link to the original Slashdot article.
---------------------------------------------------------------------

mkraft: In reference to your statement "How does unauthorized code even get into a financial institution's systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened."

It, unfortunately, is not that easy. As soon as one computer is connected to another computer (via wireless, wired networks or 'sneaker-net'), problems with security start to cascade. If a computer has a USB port, a CD drive, DVD drive, or a network connection, it is nearly impossible to lock down - malware will find its way onto the machine.

The U.S. and foreign governments spend a fortune trying to lock down some of their most sophisticated computers and networks and still they leak like a sieve.

Although we may wish that it were otherwise, we can hardly expect a company whose bottom line is its profit margin to spend all that it takes to secure even one computer...

Consider the magnitude of the problem:
- Keep the network holes plugged as much as possible
- Keep the operating system patched
- Keep all of the applications (including the off-the-shelf and home-grown applications) patched
- Keep all security software patched and updated
- Most importantly, keep all employees from doing anything remotely silly or risky

Many of the items above are nearly impossible to do well - for example...if a typical patch for a piece of software arrives ~5 days after the vulnerability is announced, what is the financial institution supposed to do for those 5 days? NOTE: the 5 days is a fictitious number - no one achieves that high a speed in issuing and applying patches...but it illustrates the point...

There is no way for an underpaid, overworked security staff to plug EVERY hole - especially in the world of zero-day exploits. The hackers, on the other hand, have automated tools that can plug away at the problem 24/7 until they find even one overlooked hole...
--
Chalmer
