Wall Street Firms Look Externally for Web Security

The Code Red worm didn’t do as much harm as expected during its infestation earlier this summer. Although it’s estimated to have cost businesses $1.2 billion in lost productivity, the Internet did not come to a screeching halt and even the White House Web site was able to survive the denial-of-service attack that the worm launched.

On Wall Street, there were no reports of damage due to the worm’s infestation, according to Dan Michaelis, a spokesman for the Securities Industry Association. Part of that was because security is a top priority for the industry, he said, and partly due to the early warning issued by Microsoft and the FBI. “In general, the lead time helped us avoid any potential problems,” said Michael Kidder, the SIA’s IT manager.

Despite the relative success, however, experts are quick to say that Wall Street firms, with their critical security needs, should not grow complacent. Vigilance is the operative word, as viruses such as Code Red are likely to become more pernicious and frequent. Indeed, the next outbreak of the worm is scheduled for Aug. 20, with some 60,000 machines still infected and spreading the virus. One lesson from the Code Red worm is that front-line defenses need to be kept up to date by installing firewalls and security patches-costly but necessary precautions for mission-critical server applications. Another lesson is that no matter how good your locks may be, you still need an alarm system and a police force ready to appear on short notice.

For the most part, securities industry firms don’t like to talk about their security (as opposed to their securities). There’s a good reason for this-they don’t want to give potential hackers anything to sink their teeth into, said Richard Wilkie, VP of IT investment management services at American Century Investments. But security consultants who work with Wall Street firms were quite willing to talk about the Code Red worm and its aftermath.

“Many, many companies-particularly Wall Street firms-don’t have in place a very robust, a very methodical way of getting security patches deployed to all effective machines,” said Karen Worstell, CEO at Atomic Tangerine, a San Francisco-based consultancy that advises Wall Street firms on security issues.

The way that the Code Red worm works is that is sneaks in through a hole in Microsoft Windows NT 4 and Windows 2000 machines. The security hole is the result of a programming error on the part of Microsoft, and the company has issued a patch that companies can install that will fix the hole. Once the virus sneaks in, it checks the date of the month. If it’s before the 20th, the virus sends new copies of itself out across the Internet. If it’s the 20th or later, it launches a denial-of-service attack against the White House.

Later versions of the worm-including Code Red II-may do more damage. One, for example, installs a back door that other hackers could use to break into the system later. A machine has to act as an Internet server to be susceptible-but, Worstell said, many users have their machines set to act as servers without even knowing it because that’s the way they came. “For example, my laptop has Web services installed as a default on the operating system,” she said.

Code Red is easy to eliminate, Worstell added-simply shutting off the machine will do it. But not all machines can get turned off-and some aren’t turned off as a matter of convenience. For example, if a user takes a laptop home and connects it directly to the Internet through their home Internet Service Provider, then the laptop can become infected. Then, if the user closes the cover and puts the laptop into hibernation mode-without shutting it off-and takes it to the office, then a company’s network can get infected no matter how good its firewalls and how up-to-date the patches. “The majority of Fortune 1000 companies have, or have had, heavy internal infections,” said Russ Cooper, a “surgeon general” at TruSecure Corp.

To protect against these kinds of attacks, a company not only has to keep track of all computers on its network, keeping them patched and disinfected, but also on all the computers that they may hook up with at home or abroad. But patches are not enough.

What Code Red has shown is that nobody can patch everything-even Microsoft itself missed some machines, and Code Red infected a few of its Hotmail servers.

“There are too many patches,” said Bruce Schneier, CTO of Counterpane Internet Security, an intrusion-monitoring firm with Wall Street clients. “I get an e-mail once a week of all the security patches that come out that week-there are 20 to 30. Five to 10 apply to your network. That means you’re expected to install a patch a day and, trust me, you can’t do it.”

For mission-critical applications, patches have to be tested first on backup systems to make sure that they don’t cause anything to break. “Patches are often rushed out without sufficient testing, they make things break, they don’t work, they’re flaky,” Schneier said. In addition, the servers may have to be taken down in order to install a patch, which is only feasible on rare occasions, not daily. “I have customers who have banking servers up-they can’t take them down and patch them,” he said. “The patch treadmill is a blame-the-victim mentality.” The answer, he said, is to have a second level of security. In addition to making sure that all the locks are in place-or as in place as possible given financial and time constraints-companies should also install intrusion alarms and have people monitoring the systems 24×7 so that when an attack does start, it can be cut off before it does any damage.

“Prevention only goes so far,” said Frank Prince, a security analyst at Forrester Research Prince, who recommends that Wall Street firms not only monitor their security, but that they seek outside help to do it. “Firms should get professional help more often than they do,” he said. “It’s a very difficult job, and it’s too hard to keep up.”

For the largest firms, however, an element of scale can kick in and some of these functions can be performed by employees, Prince added. But even the largest firms will have subcontractors and support organizations in place. Smaller companies, by comparison, can’t possibly maintain their expertise, he said. “They should almost certainly outsource their monitoring activities.”

Is Code Red a sign that Microsoft Windows may not be ready to handle mission-critical Wall Street applications? Not necessarily, said Worstell. “Even Unix machines are not secure,” she said. “There is no such thing as a secure machine. The real problem is that some of the patches have been available for a long time, but people don’t use them.”

However, Worstell did add that there are more hackers out there writing worms and viruses for Windows machines as opposed to, say, mainframes. “The hacker community does not have access to that kind of hardware,” she said. “They just don’t. And, frankly, it’s not interesting to write viruses and malicious codes for that kind of hardware because it doesn’t spread. Part of that may also be political-people want to make a point about Microsoft so they tend to write viruses for Microsoft.”

But TruSecure’s Cooper disagrees. “Microsoft is no more susceptible than any other platform,” he said. “The only difference is that they get more press. It’s just as easy to secure a Microsoft computer as any other computer.”

There’s no evidence that there are more Microsoft hackers than any other types of hackers, said Jim Desler, a spokesman for Microsoft. “But I wouldn’t dispute that, either,” he added. “We have a special responsibility and we are stepping up through our very aggressive security response process. If we hadn’t been able to develop a patch and get it out there very aggressively, there would have been greater impact by this worm.”