C-Level Security: Bank Security and the Egg Timer

How Good Management Trumps Technology

The development of technology for securing information has been advancing at a pace that is truly astounding. In 20 years the security industry has evolved from Sun Microsystems' SunScreen and the Cisco PIX (yes, I know there were a few others) to over a thousand security products, of which nearly 700 are currently VC funded. All are trying to generate business from within this ever-advancing market currently called cybersecurity. Few tech markets are growing at the rate of cybersecurity, and as a result we are seeing investors, in a near-desperate attempt to gather slivers of this market, throwing money at companies with Rube Goldberg-inspired technology. We now have a flood of technology solutions that no one person can understand, and the customers that consume this technology struggle daily with supporting and operating these systems. If you are a C-Level executive reading this, you may want to consider a management solution for the next expensive problem your engineering team presents to you.

In the early days, before there was a developed security market, banks implementing technology were (and still are) governed by "compliance guidance". During this period the securing of network information was new and novel, and many interesting security implementations from that time come to mind. To focus their guidance, the FFIEC* came out with their first network security booklet, containing a basic requirement which implied that all connections to public networks (the Internet) must be monitored 24x7. This requirement started the managed security services industry, since monitoring networks 24x7 was not something that most financial institutions could perform themselves. A few institutions were pretty clever at bending these rules, and one bank in California had an approach that worked great and was unforgettable.

Around the year 2000, my firm was conducting a review of security practices and procedures for a mid-sized institution in the Los Angeles area. After a few hours of general discussion, the conversation moved to the latest FFIEC directives. When we hit upon the 24x7 monitoring requirement, they responded that they did not run the network 24x7; their internal network was connected to the Internet only during business hours. This was not typical, since many applications (email for one) did not play well if connections were broken for long periods of time, so the answer led us to an interesting conversation. When asked how they could be certain that the connection was actually connected and disconnected each day, the banker in charge replied: with an 'egg timer'.

The FFIEC does not specify HOW you do anything. They are in the business of assessing IF you are compliant with their action statements. We were in the business of preparing and assessing these compliance directives for our customers, and were now in a quandary: the bank was connected to the Internet, but claimed to be connected only during business hours, when staff could 'monitor' the network. When questioned, the bank produced logs verifying that the network was disconnected daily at 5 pm and that the disconnection was inspected by a member of staff who signed the log. To bolster their position, they had a compensating control (think of this as a backup in case the primary control fails) in the form of an egg timer, which was actually a light timer into which they plugged their Internet router. Around 8 am the timer would turn on the power and boot the router. At 5 pm the timer would turn the power to the router off, and someone would come into their data closet (yes, it was really a closet) and sign a log stating that the timer had worked.

The timer was the type you might use to cycle lights in your home while on vacation, and it had a 7-day range, which allowed the bank to keep the Internet disconnected over the weekend when they were closed. The logs were complete for a period of 9 months, since the day the system was implemented. Prior to this implementation, the bank had used dial-up connections for a few of their computers. Their implementation met, and at the time exceeded, the compliance directive. An inexpensive and well-managed solution.
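The examiner's side of this arrangement is checking the log, not the timer: does every business day show the router coming up at opening and going down at close, does nothing come up at the weekend, and is every shutdown confirmed by a staff signature? The following Python is an added example, not the bank's or the author's code; the log format and the sample entries are constructed here for illustration, and the hours assume the 8 am on / 5 pm off schedule described above.

```python
"""Audit a router power-timer log against an on/off schedule.

Hypothetical log format (constructed for this example, not the bank's):
    <YYYY-MM-DD> <HH:MM> <ON|OFF> [signed=<initials>]
Policy under test: ON at 08:00 and OFF at 17:00 on weekdays, never ON at
the weekend, and every OFF entry signed by a member of staff.
"""
from collections import defaultdict
from datetime import date, timedelta

OPEN, CLOSE = "08:00", "17:00"   # assumed business hours

# Constructed sample log: one clean business week (6-10 March 2000).
SAMPLE_LOG = """\
2000-03-06 08:00 ON
2000-03-06 17:00 OFF signed=JD
2000-03-07 08:00 ON
2000-03-07 17:00 OFF signed=JD
2000-03-08 08:00 ON
2000-03-08 17:00 OFF signed=MK
2000-03-09 08:00 ON
2000-03-09 17:00 OFF signed=JD
2000-03-10 08:00 ON
2000-03-10 17:00 OFF signed=MK
"""

# Constructed log with the failure modes an examiner would look for:
# an unsigned shutdown, a day with no shutdown at all, and a Saturday boot.
BAD_LOG = """\
2000-03-13 08:00 ON
2000-03-13 17:00 OFF
2000-03-14 08:00 ON
2000-03-15 08:00 ON
2000-03-15 17:00 OFF signed=JD
2000-03-16 08:00 ON
2000-03-16 17:00 OFF signed=JD
2000-03-17 08:00 ON
2000-03-17 17:00 OFF signed=MK
2000-03-18 08:00 ON
"""


def parse_log(text):
    """Group log lines by day as (time, event, signer) tuples; signer is None if unsigned."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line; skip rather than crash the audit
        day = date.fromisoformat(parts[0])
        signer = None
        for field in parts[3:]:
            if field.startswith("signed="):
                signer = field.split("=", 1)[1]
        events[day].append((parts[1], parts[2], signer))
    return events


def audit(text, start, end):
    """Return one finding string per violation for each day in [start, end].

    An empty list means the control held for the whole period. Days with no
    entries at all are reported, so a gap in the log is itself a finding.
    """
    events = parse_log(text)
    findings = []
    day = start
    while day <= end:
        todays = events.get(day, [])
        ons = [t for t, ev, _ in todays if ev == "ON"]
        offs = [(t, s) for t, ev, s in todays if ev == "OFF"]
        if day.weekday() >= 5:  # Saturday or Sunday: router must stay dark
            if ons:
                findings.append(f"{day}: router powered on at the weekend")
        else:
            if ons != [OPEN]:
                findings.append(f"{day}: expected ON at {OPEN}, saw {ons}")
            off_times = [t for t, _ in offs]
            if off_times != [CLOSE]:
                findings.append(f"{day}: expected OFF at {CLOSE}, saw {off_times}")
            for t, signer in offs:
                if not signer:
                    findings.append(f"{day}: OFF at {t} not signed by staff")
        day += timedelta(days=1)
    return findings


if __name__ == "__main__":
    for label, log, first, last in (
        ("clean week", SAMPLE_LOG, date(2000, 3, 6), date(2000, 3, 12)),
        ("bad week", BAD_LOG, date(2000, 3, 13), date(2000, 3, 19)),
    ):
        print(label, audit(log, first, last) or "no findings")
```

The point of the design is that the audit walks the calendar rather than the log: a day the timer (or the signer) silently skipped produces a finding even though no line exists for it, which is exactly the gap a log-only review would miss.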

We debriefed our assessment with the bank's management, and the compliance manager said something that has stayed with me to this day: "Good management trumps technology - every time." Rather than setting up an elaborate installation of new, complicated technology to handle the current compliance directives, they employed an inexpensive home-brewed solution to meet the compliance standard set by the FFIEC. I believe they used this system for a few years without complaints from the examiners before transitioning to a 24x7 solution.

I would be very interested to hear your experience with good management trumping technology. Do you have a favorite situation that you would like to share?

*FFIEC - Federal Financial Institutions Examination Council. They set the standards used to measure and assess financial organizations' ability to deliver financial services securely. http://ithandbook.ffiec.gov/it-booklets/information-security.aspx
