    Network Security 1


    Network Security in Financial Services Industry


    Roger G. Barr

    Masters of Information Technology, American Intercontinental University

    Bachelor of Visual Communications, American Intercontinental University

    Associate of Arts Business Administration, American Intercontinental University

    Security has always been a big problem for organizations of all types, large and small. The main reason for so much concern is that large amounts of data are transmitted on a daily basis, and much of this data is critical to the organization that is transmitting it. The data transmitted can also be critical to the organization's clients: social security numbers, credit card information, license numbers and more. This type of data getting into the wrong hands can be harmful not only to the client, but also to the organization. This paper discusses how organizations prevent data from getting into the wrong hands. It covers these problems, and also the direction network security in financial services will take in the future.

    Table of Contents

    Cover Page
    Table of Contents
    Chapter 1: Introduction
        Introduction to Network Security in the Financial Services Industry
        Summary of Chapter 1
    Chapter 2: Review of Literature
        Literature Review
        Network Usage and Attacks
        Data Breach Cases
        Financial Data Risks
        Regulatory Guidance
        Network Security Attacks
        OSI Architecture
    Chapter 3: Methodology
        Methodology of Network Security in the Financial Industry
    Chapter 4: Data Analysis
        Summary Future direction of Financial Security in the Financial Services
    Chapter 5: Summary, Conclusion, Recommendation
        Summary of Chapters
    Reference
    List of Tables and Figures

    Chapter 1


    One of the biggest problems that still haunts organizations today is network security. Not only is the threat of viruses on everyone's mind, there is also the question of what would happen if critical data got into the wrong hands. It is bad enough if this happens on a personal level, on your home PC. Now look at the bigger picture: what if this happens at a financial firm such as a bank or other lending institution? This has happened, and it continues to happen today. What are financial institutions doing to alleviate this problem, and how will network security play a role in preventing it in the future? Networks large and small are being attacked from the outside and from within, by means ranging from Trojans to employees stealing information. According to Ciampa (2005), more than 85,000 computer viruses were active as of that date, 956 new viruses were released as of 2004, and one out of every three computers linked to the internet has a Trojan. These types of attacks are launched not only against personal computers but also against large networks. Numerous studies have been done on network security, with the results published in the form of articles and books. The real question has to be answered here, and the answer will be specific to financial services, because that is the part of network security this research covers.

    Problem Statement: How will network security help financial institutes protect personal data, both today and in the future, from breaches of security into their networks?

    Scope: This research paper targets network security in financial systems services; it takes a quantitative approach to network security in financial institutes.

    Limitation of the Study: This research is limited to a collection of data from other sources as well as personal knowledge of network security.

    Summary of Chapter 1

    This paper covers network security in financial systems, the research that has been conducted in this field both past and present, and what still has to be done in the future to alleviate the problems of data loss or destruction from outside sources. It presents data using a quantitative approach, but is specific to financial networks. The paper also has diagrams that help to explain and back up the research done in it.

    Chapter 2

    Literature Review

    Network Usage and Attacks

    In this review we start narrow and then work our way up to the major issue at hand. In an article on BuildWebSite4U (2010), the author states that every minute your computer is connected to the internet, whether through dial-up, cable, DSL or broadband service, your computer is at risk. This is a very true statement, and it applies to networks as well. Today there are over 259.9 million users on the internet, as shown in Figure 1 below. The chart is taken from Internet World Stats (2010).

    Figure 1

    Network security attacks can happen at any time, day or night, and they can come in different forms. The author also states that ignoring these threats can cost you thousands. This holds true for financial organizations because they hold the key to people's personal data, such as social security numbers, license numbers, phone numbers and much more. In this day and age people can do their banking online; banks have websites on which you can open a bank account or check your personal funds. It is very easy for a hacker to use tools to track your network footsteps, meaning track what keys you press on your keyboard, and by doing so they have your bank account. This is bad news for the person who just had their account, or all the information in it, stolen, because other information such as your social security number can be used for other malicious purposes. It is also bad news for the financial institution, because it has to bear the financial burden of finding out who breached its system and your account, and of finding ways to make its system more secure.

    Hackers can even use a personal computer that belongs to someone else as what is called a zombie; with this zombie they can launch attacks against any computer, including high-profile computer systems such as those of financial institutions (BuildWebSite4U, 2010). Standard security measures are not enough: virus protection alone does not protect a network against direct attacks. Anytime a computer is always on the internet, as in the case of broadband, cable or DSL connections, you have a greater chance of your network being

    Data Breach Cases

    In an article by Freshfields, Bruckhaus & Deringer (2008), the authors state that data security is a major priority. The article, which is about financial security in the United Kingdom, shows how important financial security is all over the world. It refers to the FSA, which stands for Financial Services Authority, the body that oversees financial services in the United Kingdom. The article is also a measure of how far-reaching and how important financial security is. It talks about the increasingly complicated methods now employed by fraudsters to obtain and use customer data to commit financial crimes (Freshfields, Bruckhaus & Deringer, 2008).

    The article talks about financial institutions that have lost customer data in the past and found themselves facing regulatory action and monetary loss due to the commission of identity fraud, as mentioned earlier in my paper. This also exposes financial institutions to reputational damage because of their lack of responsiveness to network security. One of the problems with financial institutions is that there is a lack of regulatory action, so they do not take the problem as seriously as they should. One of the biggest motivations for a financial organization should be its reputation, because it stands to lose not only customer accounts but also commercial accounts, which can be very devastating to a financial institution.

    This article by Freshfields, Bruckhaus & Deringer (2008) gives real cases of financial institutes that did not take the proper measures to protect client information. The first case involves an organization called Capita. Capita is a third-party administrator for collective investment schemes and was responsible for maintaining client records and for carrying out its clients' instructions for the purchase and repurchase of investments.

    Capita discovered it had problems with actual attempted frauds against clients; these frauds had been carried out by some of its own staff. In March 2006 the FSA found that Capita did not undertake an adequate assessment of its fraud risk, especially when it came to internal fraud, and that Capita did not take adequate steps to ensure that it had effective controls to reduce the risk of fraud (Freshfields, Bruckhaus & Deringer, 2008).

    Another case that the FSA reported was in February 2007, when Nationwide Building Society was fined by the FSA for failing to have effective systems and controls for the use and storage of customer information on portable storage devices. This came to light following the theft of a laptop from a Nationwide employee's home in 2006. The FSA found that Nationwide did not have adequate procedures to respond to a data security incident once it had occurred. Nationwide was not aware that the laptop contained confidential customer information, and it made the mistake of not starting an investigation until three weeks later.

    In April 2008, the FSA's financial crime and intelligence division came out with a report describing how financial services firms within the UK are failing to address the risk that their data may be lost or stolen and may, as a result, be used to commit financial crimes (Freshfields, Bruckhaus & Deringer, 2008). The report sets out the findings of a review of industry practices and standards in managing the risk of data loss or theft by employees and third-party suppliers. This is not just happening in the UK; it is also very much alive here in the United States, and the very same thing happens in all major countries that use financial systems networks.

    Figure 2

    Chart by Roger G. Barr, Information from (Jenkins, G., 2009)

    This chart uses information from Jenkins (2009), on a website called I've Been Mugged. The statistics show that in 2008, 2.4% of all breaches involved data where encryption or strong protective measures were in place, and 8.5 percent involved password protection. Malware attacks, hacking, and insider theft accounted for nearly 30 percent of breaches that cited a cause, as stated by the ITRC. Insider theft doubled between 2007 and 2008 and accounted for 15.7 percent of the breaches (Jenkins, 2009).

    To find the statistics by state the ITRC has a website that lists them state by state,

    [Figure 2 chart: ITRC 2008 Data Breach Statistics. Legend: Strong Protective Measures; Password Protection; Malware, Hacking; Insider Attacks]

    Financial Data Risks

    In an article called "Database Security Lacking at Financial Services Firms", Corbin (2010) states that sloppy operating practices across the financial services sector leave firms vulnerable to breaches that could expose sensitive data or put customers' and employees' privacy at risk, according to a new study from the Ponemon Institute. The study was commissioned by an enterprise software and consulting firm called Compuware (NASDAQ: CPWR) and identified several key areas where financial services companies could take hits or suffer damage from the loose data policies demonstrated in the study. Larry Ponemon, the head of the Ponemon Institute, said that "While there is a great deal of progress being made, there is still a long way to go." A survey of top security officials at 80 large financial firms found that 83 percent use real data, that is, credit card or account numbers, when developing and testing applications (Corbin, 2010). Ponemon concluded that a majority of the firms surveyed do not take sufficient steps to safeguard these types of information.
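    One way to keep real card numbers out of development and test data, as the survey finding above calls for, is to replace them with keyed surrogates before the data leaves production. The Python below is an added example, not taken from Corbin's article or the Ponemon study; the function names, field names, key and sample rows are constructed for illustration.

```python
import hashlib
import hmac
import re

# Contiguous 13-19 digits, or the common 4-4-4-4 grouping with one separator.
CARD_RE = re.compile(r"(?<!\d)(?:\d{13,19}|\d{4}([ -])\d{4}\1\d{4}\1\d{4})(?!\d)")


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit for a number given without its last digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def surrogate_pan(pan: str, key: bytes) -> str:
    """Map a card number to a same-length, Luhn-valid surrogate.

    The mapping is a keyed HMAC, so the same input always yields the same
    surrogate (joins between tables keep working) but it cannot be reversed
    or recomputed without the masking key.
    """
    mac = hmac.new(key, pan.encode("ascii"), hashlib.sha256).digest()
    width = len(pan) - 1
    body = str(int.from_bytes(mac, "big") % 10 ** width).zfill(width)
    return body + luhn_check_digit(body)


def mask_text(text: str, key: bytes) -> str:
    """Replace card numbers embedded in free text; other digit runs are left alone."""
    def _swap(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return surrogate_pan(digits, key) if luhn_valid(digits) else match.group(0)
    return CARD_RE.sub(_swap, text)


def mask_record(record, key, card_fields=("card_number",), text_fields=("note",)):
    """Return a copy of the record that is safe to load into a test database."""
    out = dict(record)
    for name in card_fields:
        if out.get(name):
            out[name] = surrogate_pan(re.sub(r"\D", "", out[name]), key)
    for name in text_fields:
        if out.get(name):
            out[name] = mask_text(out[name], key)
    return out


# Constructed sample data: well-known test card numbers, not real accounts.
MASKING_KEY = b"constructed-demo-key-not-a-real-secret"
PRODUCTION_ROWS = [
    {"customer": "C-1001", "card_number": "4111111111111111",
     "note": "Customer read 4111 1111 1111 1111 over the phone; order ref 1234567890123."},
    {"customer": "C-1002", "card_number": "5555555555554444", "note": "No issues."},
]

if __name__ == "__main__":
    for row in PRODUCTION_ROWS:
        print(mask_record(row, MASKING_KEY))
```

    The masking key stays in production; only the masked rows are handed to developers and testers.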

    The author states that one of the most important things a company can do to assure its future success is to plug the security leaks that were identified in this study. The risks that the financial industry faces in network security can be measured every day; you read about them and hear about them almost on a daily basis. The latest warning comes amid a growing wave of data breaches that have targeted not only financial institutes but also universities, insurance firms and others (Corbin, 2010).

    In this study only 47 percent of the companies said that they have deployed intrusion detection systems, while 56 percent stated that they have implemented identity compliance procedures. Similarly, 41 percent of financial houses said they have deployed data loss prevention technologies. Not protecting customer or client data leads to the public relations nightmare that invariably follows high-profile data breaches (Corbin, 2010). Financial institutes also face falling out of compliance with government regulations; they should have their customers' best interest in mind by safeguarding customer data.

    The survey canvassed financial firms with at least 500 employees that are based in North America but operate globally; this included banking, investment, insurance, credit card and mortgage firms (Corbin, 2010).

    Regulatory Guidance

    In this article, LeDuc (2005) states that the Federal banking regulatory agencies issued an Interagency Guidance Program for Unauthorized Access to Customers Information and Customers Notice. This guidance interprets section 501(b) of the Gramm-Leach-Bliley Act (GLBA) as well as the security guidelines issued by the Federal banking regulatory agencies (LeDuc, 2005). It addresses the procedures that financial institutions need to use in order to respond to unauthorized access to or use of customer information by third parties.

    The regulatory agencies expect banks to implement these guidance steps right away, whether they are small or large banking institutions. The guidance states that if sensitive bank customer information is stolen or illegally accessed, the bank is required first to notify its primary regulator; then, if certain conditions exist, the bank needs to notify affected customers (LeDuc, 2005).

    Network Security Attacks

    Banks and all other financial institutions work off of networks, whether wired or wireless. In banks, computers are often left on so that they are ready for use the next day; this goes back to what I said earlier in this paper, that computers and networks that are online all the time become very vulnerable. In a book called Security+ Guide to Network Security Fundamentals (2nd Ed), Ciampa (2005) states that "An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will." This statement is actually frightening, because hackers can do this to get into financial systems' data unless the network is secure. Attackers can connect their laptop computer to the internal cable plant and launch what is called a man-in-the-middle attack; this is a replay or Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking attack (Ciampa, 2005).

    The attackers can also use a technique called sniffing, which is capturing data packets that are traveling through the network. Hardware or software that performs this function is called a sniffer. To protect the data plant, the first line of defense has to be adequate physical security. Physical security protects the infrastructure and has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant and from using, stealing or vandalizing it (Ciampa, 2005).

    Figure 3

    Diagram created by Roger Barr, Data taken from Ciampa (2005)

    The base design of a secure network is shown in Figure 3: a security perimeter surrounds the network and computers, with a single entry point for external traffic, such as traffic from the internet. Securing cabling outside of the protected network is not the primary security issue for most organizations. The priority is protecting access to the cable plant within the internal network (Ciampa, 2005).

    Attackers frequently position sniffers near targets where they can gather the most sensitive information; this could be a server that supplies financial data to a bank. Physical security can be compromised if the proper equipment is not installed to prevent outsiders from accessing the cable plant. The security measures could include changing door locks, alarm systems and proper lighting, plus having good security procedures in place for all employees and even guests of the financial institution.

    More intruders gain access to the cable plant through social engineering. This can be done by several means, such as pretending to be there to repair something, and it is done more than any other means of gathering sensitive data. There are several ways to secure data that is stored on a file server: strong passwords, network security devices, antivirus software, physical security, education and management involvement. Organizations also have to be aware of internal threats, such as employees copying information onto CDs and bringing that information home.

    Employee theft of data compromises the system further if the employee loses the disk and the information gets into more hands, or if the employee sells the disk. In addition, a worm or virus can be introduced on the media if the employee brings the disk back and uses it with malicious intent. A workstation, such as you would have in a bank, is a personal computer attached to a network. Also called clients, workstations are generally connected to a LAN and share resources with other workstations on the same network. A server is a computer on a network that is dedicated to managing and controlling that network. The server is responsible for holding the files and managing the processes that provide resources to the network users (Ciampa, 2005).

    Both workstations and servers can be victims of all the different types of attacks. To harden these systems there are several things that have to be done:

    - Disable nonessential services.
    - Do not allow users to grant permissions to other users over objects.
    - Install antivirus software and keep it updated (very important).
    - Regularly update operating systems and applications.
    - Require strong passwords with a minimum length of eight characters, which expire after 30 days and cannot be reused.
    - Review audit logs regularly.
    - Set access control lists (ACLs) for all network users.
    - Use CHAP, Kerberos, and certificates when possible.
    - Use Security Templates.
    - When using biometric devices, require additional authentication such as tokens.

    Data taken from Ciampa (2005)
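    The password item in the checklist above (minimum length of eight characters, expiry after 30 days, no reuse) can be enforced in code. The Python below is an added example, not from Ciampa or from this paper; the Account class, the PBKDF2 work factor and the status messages are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                     # from the checklist: minimum of eight characters
MAX_AGE = timedelta(days=30)       # from the checklist: expires after 30 days
PBKDF2_ROUNDS = 100_000            # assumption: the checklist gives no hashing parameters


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored history is useless to someone who copies it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Hypothetical account record; it stores salted hashes, never passwords."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    changed_at: Optional[datetime] = None

    def _was_used(self, candidate: str) -> bool:
        # Each old entry has its own salt, so the candidate must be re-derived
        # against every entry; comparing stored digests to each other cannot work.
        return any(
            hmac.compare_digest(_derive(candidate, salt), digest)
            for salt, digest in self.history
        )

    def set_password(self, candidate: str, now: datetime) -> str:
        if len(candidate) < MIN_LENGTH:
            return "rejected: shorter than 8 characters"
        if self._was_used(candidate):
            return "rejected: password was used before"
        salt = os.urandom(16)
        self.history.append((salt, _derive(candidate, salt)))
        self.changed_at = now
        return "accepted"

    def login(self, candidate: str, now: datetime) -> str:
        if not self.history:
            return "denied"
        salt, digest = self.history[-1]          # only the newest password is valid
        if not hmac.compare_digest(_derive(candidate, salt), digest):
            return "denied"
        if now - self.changed_at > MAX_AGE:
            return "expired: change required"    # correct password, but too old
        return "ok"


if __name__ == "__main__":
    start = datetime(2010, 5, 1)                 # constructed timeline
    acct = Account()
    print(acct.set_password("short", start))
    print(acct.set_password("first-Passw0rd", start))
    print(acct.login("first-Passw0rd", start + timedelta(days=31)))
    print(acct.set_password("second-Passw0rd", start + timedelta(days=31)))
    print(acct.set_password("first-Passw0rd", start + timedelta(days=62)))
```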

    OSI Architecture

    Encryption is another form of protecting data; it is a very important form that is often overlooked. William Stallings, the author of Cryptography and Network Security Principles and Practices (4th Ed), states that "to assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements" (Stallings, 2006).

    The author states that this is difficult when you're dealing with a centralized data processing environment, and that with the use of LANs and WANs the problem becomes compounded. ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach (Stallings, 2006). This architecture comes in handy to managers when organizing the task of handling security. It was developed as an international standard, and computer and communications vendors have developed security features for their products based on it. The OSI security architecture focuses on security attacks, mechanisms and services, which can be defined as follows:

    - Security attack: Any action that compromises the security of information owned by an organization.
    - Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
    - Security service: A processing or communication service that enhances the security of data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

    Data taken from Stallings (2006)

    One means of classifying security attacks, used by both X.800 and RFC 2828, is in terms of passive and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation (Stallings, 2006).

    All the articles and books used in this research paper point out the importance of financial institutions' responsibility for securing their networks and what the implications would be for not doing so. The authors of these articles and books point out several different measures for securing a network both internally and externally, to keep data from being compromised. This is especially important to a financial institution, because customer data can be lost or stolen, which can have a big effect on the financial organization, hurt its status, and be the cause of fines by government regulatory commissions.

    Regulatory guidelines are set to help both the financial industry and, especially, the customer, so that critical information is not stolen and used for malicious purposes. All the information from these sources clearly states the importance of protecting personal data and shows the need for better security measures by financial institutes such as banks, credit card companies, mortgage companies and any institute that collects personal data from its customers and clients, which could even be large companies.

    Though our main focus here is financial institutions, data security goes a long way, and this paper also serves as a reminder to these companies that there is a greater need for more secure systems and better security planning and training. Education of employees is where it should start and continue to encompass the wider picture of securing every access point within an

    Chapter 3


    This research took a quantitative approach, using different resources of information such as books by popular authors with scholarly information and scholarly articles. Diagrams were created by me using data from articles and books that were written on the subject presented. Books on cryptology and network security, along with several papers written by researchers, were used, along with several cases that have to do with breaches of data by hackers at financial institutions. Each case that was presented was an actual case that happened to a real organization. I chose these sources because they were the best representation of data by scholarly sources on this subject. I analyzed the data in sequence, in accordance with how network security should be measured when doing research on such a topic, from narrow to wide.

    All the information is broad-based, meaning it covers security for many different types of institutes, but my scope was limited to financial institutes such as banks and any institute that has to do with our financial system, here in the United States and globally, because network security is a global problem; it does not begin and end on one shore. The books I chose have been used in college courses to teach network security and encryption, which is a part of network security and a whole other subject that can get very deep. All the information resources chosen from the internet were information sites, articles and publications that were written by scholarly sources.


    Chapter 4

    Data Analysis

    How will network security help financial institutes protect personal data, both today and in the

    future from breaches of security into their networks?

    This is an important question, because it is very important for financial institutions like banks to protect personal data so that it does not get into the wrong hands. Through this research paper we have come up with some of the answers to this question. The first is more education for the employees and management who work in and run these financial institutions. It is also very important to have a network security plan that is going to work and that is not too complicated to implement.

    In order for security to work at these institutions there has to be cooperation from both staff and management, and there has to be a plan to cover security from internal and external threats. As stated earlier in this paper, both physical and network security have to be dealt with. Physical security would be securing cable plants from intruders walking in, setting up a laptop and stealing data. Network security involves measures like the ones listed on (p. 16) of this paper. The answer to this question is that securing a financial network, or any other network, has to be a total package of cooperation, education, and dedication to wanting to do what is right and what is necessary to protect other people's information.

    Security is a combined effort, and more security measures by financial security regulatory commissions will also help both financial institutions and customers. This will help by setting regulations that financial institutions must follow to protect personal data on their

    Chapter 5

    Summary, Conclusion, Recommendation

    In this paper we have discussed a lot of material on network security and financial institutions, including companies' lack of security measures. The paper covered the different types of threats that face a network on a daily basis, X.800, hackers and their techniques, and what physical security and network security are. It presented several real-life cases of actual breaches of three different organizations' networks, all of them financial institutes. The paper gave a problem statement and later showed what can be done to address this problem. It also displayed different diagrams, two of which were created by me using data from the sources I used; the other came directly from the web source, giving full credit to the source.

    My observation from all the research that I did is that there has been a lack of network and physical security in financial institutions for as long as computers have existed, and it continues to be a wide-based problem extending globally. There are attacks on networks every day, and still the same security problems exist. Another observation I get from this research is that there is a lack of education on the part of financial institutions on network security, yet most of their transactions are network based. It seems the concern while training their personnel is for the most part paperwork that has to do with the bank, but not how to secure this data when it is entered in their system.

    My recommendation is that financial institutions do a more thorough job of training personnel during their initial training and also concentrate that training in the direction of securing personal data in their system. I also recommend that management get more involved in network security within their organization; this is very important so that there is cooperation between management, training and their employees. If security is stressed on a regular basis, there will be improvements that can be seen very quickly. There is a great need for more research on this subject to answer the unanswered questions: why don't organizations take security more seriously with so much on the line for them? What measures will help organizations to realize how important security is to their networks?

    References

    BuildWebSite4U (2010). Computer Internet Security. Retrieved May 1, 2010, from http://www.

    Ciampa, M. (2005). Security+ Guide To Network Security Fundamentals (2nd Ed). Thomson Learning Inc., 25 Thomson Place, Boston, MA 02210.

    Corbin, K. (2010). Database Security Lacking at Financial Services Firms. Retrieved April 28, 2010, from

    Freshfields, Bruckhaus & Deringer (2008). Data Security in Financial Services. Retrieved April 30, 2010, from

    InternetWorldStats (2010). Internet Usage Statistics the Big Picture. Retrieved May 1, 2010, from

    ITRC (2010). Identity Theft Resource Center. Retrieved April 28, 2010, from

    Jenkins, G. (2009). ITRC 2008 Data Breach Statistics; Insider Theft Doubled. Retrieved April 28, 2010, from

    LeDuc, S. (2005). New Data Security Guidance for Banks Not Suggested, These Elements Are Required. Retrieved April 7, 2010, from

    Stallings, W. (2006). Cryptography and Network Security (4th Ed). Pearson, Prentice Hall, Upper Saddle River, NJ 07458.


    Where to Go for More Information on This Subject

    There are several books and articles on this subject. Books that I recommend are:

    Stallings, W. (2006). Cryptography and Network Security (4th Ed). Pearson, Prentice Hall, Upper Saddle River, NJ 07458.

    Cryptography and Network Security by William Stallings covers the importance of cryptography and network security and the role that cryptography takes on in securing data through data encryption.

    Ciampa, M. (2005). Security+ Guide To Network Security Fundamentals (2nd Ed). Thomson Learning Inc., 25 Thomson Place, Boston, MA 02210.

    Another book that I recommend is Security+ Guide To Network Security Fundamentals by Mark Ciampa. This book is very detailed, covering everything from different types of network attacks to how to secure a network from intruders.

    There are also very good websites on this subject, which I have listed in the reference section of this paper.


    I had a lot of challenges when conducting this study. One was trying to pick the right materials to present for the subject matter, because network security is such a wide topic: it covers everything from personal attacks to attacks over large networks, cryptography, physical security, management and a lot more. The information that is obtained from books and articles deals with network security more in general than with specific topics, so it is very time consuming to find the right information on this topic. When you look for scholarly sites, most of them you have to pay for to obtain information on the subject matter. There are also sites listed that you cannot get into because they are other college sites. So it is hard to gather information on this subject; you have to look at 40 different sites just to obtain one paper that really has to do with your research.

    The results are what I expected to find, except for the difficulty in finding the information, as I stated. Another challenge was trying to get this paper done in six weeks with the overloaded work schedule that I have. This research was very time consuming, and even though you have six weeks to do it, the amount of time after work to get this amount of information still turns out to be very little. So those were the biggest challenges. I like a challenge, but I believe doing a 25-page paper along with the amount of other paperwork for this course was a big challenge.

    Tables and Figures

    Figure 1. Internet users in the world by geographic regions 2009

    Figure 2. ITRC 2008 Data Breach Statistics

    Figure 3. Network Perimeter

