|C-Level Security: Bank Security and the Egg Timer 

How Good Management Trumps Technology

The development of technology for securing information has been advancing at a pace that is truly astounding. In 20 years the security industry has evolved from Sun Micro Systems' Sunscreen and the Cisco PIX (yes, I know there were a few others) to over a thousand security products, of which nearly 700 are currently VC funded. All are trying to generate business from within this ever advancing market currently called cybersecurity. There are few tech markets growing at the rate of cybersecurity, and as a result we are seeing investors in a near desperate attempt to gather slivers of this market, throwing money at companies with Rube-Goldberg-inspired technology. We now have a flood of technology solutions that no one person can understand, and the customers that consume this technology struggle daily with supporting and operating these systems. Many of the C-Level executives reading this may want to consider a management solution for the next expensive problem your engineering team presents to you.

In the early days, prior to there being a developed security market, banks when implementing technology were (and still are) governed by "compliance guidance". During this period, the securing of network information was new, novel and many interesting security implementations come to mind. To focus their guidance, the FFIEC* came out with their first network security booklet containing a basic requirement which inferred all connections to public networks (internet) must be monitored 24x7. This requirement started the managed security services industry, since monitoring networks 24x7, was not something that most financial institutions could perform. Though a few institutions were pretty clever at bending these rules, one bank in California had an approach that worked great and was unforgettable.

Around the year 2000, my firm was conducting a review of security practices and procedures for a mid-sized institution in the Los Angeles area. After a few hours of general discussion, the conversation moved to the latest FFIEC directives. When we hit upon the 24x7 monitoring requirement, they responded by saying that they did not run the network 24x7, they only had their internal network connected to the Internet during business hours. This was not typical, since many applications (email for one) did not play well if connections were broken for long periods of time, so this answer led us to an interesting conversation. When asked how they are certain that the connection is connected/disconnected each day, the banker in charge replied; with an 'egg timer'.

The FFIEC does not specify HOW you do anything. They are in the business of assessing IF you are compliant with their action statements. We were in the business of preparing and assessing these compliance directives for our customers, and are now in a quandary; the bank is connected to the internet, but claims only during business hours while they can 'monitor' their network. When questioned, the bank produced logs verifying that the network was disconnected daily at 5 pm and was inspected by a member of staff who signed the log. To bolster their position, they had a compensating control (think of this as a backup in case of failure of the primary control) in the form of an egg timer, which was actually a light timer into which they plugged their internet router. Around 8 am, the timer would turn on the power and boot the router. At 5 pm, the timer would turn the power to the router off and someone would come into their data closet (yes, it was really a closet) and sign a log stating that the timer had worked.

The timer was the type you might use to cycle lights in your home while on vacation, and it had a 7-day range which allowed the bank to keep the internet disconnected over the weekend when they were closed. The logs were complete for a period of 9 months, since the day the system was implemented. Prior to this implementation, the bank used dial-up connections for a few of their computers. Their implementation met and at the time exceeded the compliance directive. An inexpensive and well-managed solution.

We debriefed our assessment with the banks management and the compliance manager stated something that stayed with me to this day. "Good management trumps technology - every time." Rather than setting up an elaborate installation of new complicated technology to handle the current compliance directives, they employed an inexpensive home-brewed solution to meet the compliance standard set by the FFIEC. I believe they used this system for a few years without complaints from the examiners prior to transitioning to a 24x7 solution.

I would be very interested to hear your experience with good management trumping technology. Do you have a favorite situation that you would like to share?

*FFIEC - Federal Financial Institutions Examinations Council, they set the standards which are used to measure and assess financial organizations ability to securely deliver financial services. http://ithandbook.ffiec.gov/it-booklets/information-security.aspx


To add a comment, please login or register.


C-Level Security: When your team uses military analogies, are they using the wrong narrative?
For years, I have bristled when people would use medieval military descriptions in an attempt to convey concepts within the Network Security business. Bastions, Firewalls, Moats, Drawbridges, Countermeasures; all of these descriptions give way to a more accurate and detailed explanation of what was really taking place.
Turning Atlassian JIRA into a CRM
Here at Member.buzz, we use Atlassian JIRA to track our features, bugs, and incoming requests from users through our Support Site. So when it came to choosing a CRM, we wanted to find one that integrated nicely with the rest of our infrastructure.Our first thought was to try out some of the existing JIRA CRM plugins. Here are the ones we tried out:CRM for JIRAAtlas CRMKanoah CRMAlthough there were definitely some interesting features among these options, there was nothing substantial enough to make us want to choose a specific one. We wanted something simple, yet well-integrated into what we already had
Setup Point-to-Site VPN with Ubiquiti EdgeRouter
Learn how to setup a VPN with your Ubiquiti EdgeRouter.
Using a Lenovo P51 Laptop with an Airplane Power Supply
The Lenovo P51 Laptop comes with a huge 170 watt Power Supply. However, airplane power supplies provide a maximum of somewhere between 75-100 watts. If you plugin a power supply requiring more watts, the circuit breaker will short out and the power will stop flowing.