Fending off foes

To keep danger at bay and prevent the daily nightmarish stories, threats and viruses from materializing, companies don’t have any choice but to tighten up their security, says Gord Bradshaw, manager of Technical Services for Dynamic Mutual Funds Ltd.

And in the financial services sector, customers expect no less.

Bradshaw says they haven’t been compromised yet, but rather than take chances, he keeps the Toronto-based wealth management firm current by scheduling regular security audits and penetration testing, maintaining a security policy that is kept up to date and that the workforce is well aware of, upgrading security software to maintain a layered defence, and keeping himself and his staff up to speed on security issues. Bradshaw and two of his staff members are currently preparing for their Certified IRA Services Professional (CISP) certification through the Institute of Certified Bankers (ICB). He estimates he spends about 20 per cent of his time on security issues, including reading and attending security seminars and trade shows.

Dynamic offers a range of wealth management solutions through registered financial advisors, including mutual funds, fee-based programs, limited partnerships, labour-sponsored funds, hedge funds and high net-worth investment counsel. With more than 350,000 investors and over $8 billion in assets under management, this division of Dundee Wealth Management Inc. ranks among the top wealth management companies in Canada.

With the recent purchase and integration of StrategicNova Inc., a Montreal-based mutual fund company, Bradshaw reports they have just over 400 people and branch offices across Canada.

“We have a lot of remote users that connect through our VPN to our network so that was one of the reasons we wanted to have extra security on their desktops at home — to protect us from hackers putting a back door on somebody’s home PC and then logging onto our network and getting into our infrastructure.”

About five months ago, when the licensing was expiring for the personal firewall rolled out to all these remote users, Bradshaw took the opportunity to reassess the security of three of the latest personal firewalls.

Finding the best fit

“That’s what we do with all the products we look at, whether it is routers, switches or firewalls; we try to look at three different companies’ products. When you look at one product versus another, they’re all quite similar in some ways,” he continues. “You just have to pick a security company or suite of products that fits within your own organization.”

After testing several products, they decided the products that fit best were Symantec’s DeepSight Alert early warning system, Host IDS and Client Security. The latter product, which includes personal firewall, antivirus and intrusion detection, is used for remote users’ PCs. Dynamic was previously using Symantec AntiVirus Enterprise edition and was satisfied with that product.

In analyzing the choice of intrusion detection systems, Bradshaw recalls that they wanted to strengthen their access controls to basically add another layer of security to their infrastructure. “We were already using network-based intrusion detection systems, but by getting host-based intrusion detection systems, especially the Symantec product which we like the best, it monitors all our servers and systems in real time and also from a single management server allows us to respond to any security breach or unauthorized activities. It is great for centralizing logs and audits. It cuts down on a lot of manual processes [such as] my administrators and security people going out and [checking] each server.”

They chose Symantec’s DeepSight Alert because they found it gave fast notification of threats on a 7/24 basis, could be readily customized, and gave detailed patch and release information.

“It gives my administrator and security people time to close the port, to harden up the servers, cutting off where the threat is. It is not just the warning, but [it] also provides information on how to combat that threat or vulnerability,” he says.

“We set these products up in a test network so we had the time we needed to test the products. Even within hours of getting the alert system on, we were getting information on threats and viruses.” Bradshaw found it cut down on the time it took to learn of threats by [surfing] different Web sites, which often revealed problems too late, considering how fast malware propagates over the Internet.

“With it, your chances of getting proper defences up are obviously a lot stronger. We didn’t have it prior and we didn’t have any major security breaches, but it seems there are so many worms, Trojans and things coming out now that are getting smarter, every added layer of security or help that you can get is better overall.”

Because it is Web-based, if one of his security analysts gets notification of an alert outside regular office hours, he can access the central management console out of the office through their VPN or over their intranet.

It was also an advantage that the Symantec products are compatible with most operating systems since Dynamic runs Solaris, NT, Windows 2000, Linux and Unix.

“It’s pretty hard to quantify ROI with security, but with the suite of four products I now have, I’ve been able to reduce one security analyst we had on a full-time basis,” he adds. “It also saves a lot of time doing manual things like checking the logs on all the different servers. Now we have everything on one central management console. It cuts down on false positives as well. That saves us a lot of time. Actually, it is saving us money. My boss likes that.”

Upgrading the operating system

Even though he likens upgrading operating systems to ripping out the transmission on a bus while it’s going down the highway and trying to have no one notice, Tony Fernandes, vice-president of IT infrastructure for Vancouver City Savings Credit Union, has found that keeping the credit union’s software current increases their ability to recognize threats and minimize vulnerabilities.

VanCity, Canada’s largest credit union, last fall began a six-month upgrade replacing its Windows 95 and NT platforms with Windows XP running on the new Windows 2003 Server officially launched last April. The upgrade enabled VanCity to consolidate the 65 to 70 servers, which included a data server in each of the credit union’s 40 branches. In addition to reducing the technology cost of opening new branches and realizing a productivity gain by “babysitting” five servers rather than about 70, he says they are getting “the higher reliability that members expect from a credit union.”

Now, if one node fails, it will bounce to the next node. Fernandes says it takes only 15 to 60 seconds for another server in the cluster to see a problem and pitch in.

Further, Fernandes contends that having XP on the back end provides extra security.

He praises the Windows Active Directory which he says lets one define people to the network overall rather than to each server. “With Active Directory, being able to take more of an organization or enterprise view, you can define in one location what access and privileges this individual has across all the servers in the organization,” he says. “Not only does that make it easier to manage, it also enhances security because when you’re doing a server at a time and you’ve got 100 or 200 servers, it’s easy to forget that this person also existed over here. Sometimes what happens in organizations is that a request comes down ‘this person needs access to this, that and the other thing’ but there isn’t any discussion usually in the request that ‘oh by the way, they don’t need access to those other things they used to have because they moved departments.’ By having everything in one place, it makes it more secure because you can see everything about this person in one location.”

He adds that Microsoft and many other software vendors are no longer shipping product with everything on and open. “From a security standpoint, you’d go in and start turning things off that you don’t believe people should have access to and you don’t want to have certain kinds of services available in your environment,” he recalls. “Now they’re shipping with everything turned off which provides a more rigorous approach to defining exactly what you want to allow in your organization.”

Fernandes says they are also researching add-on products such as Active Directory Application Mode (ADAM) and Microsoft Identity Integration Server 2003 (MIIS) that build on the concept of Active Directory.

He says these go one step beyond managing access to the network and basic functionality: they provide a single place that developers can hook new systems back to for validation as they write them.

“Today most applications ship with their own security system which makes it difficult on two scores,” he elaborates. “One is there’s a lot of time and energy to managing, adding, changing, deleting people on these different systems. But also it makes it a bit more difficult for us as individuals because if we have access to 10 different systems, we often have 10 different passwords we have to manage. As humans, we start to find ways to write our passwords down somewhere which creates a security issue.”

He sees .NET and its related security concepts as contributing to building an enterprise’s single security database, where one can administer security from a single point, not only for the network but also for all the applications. This single database would define an individual and what things he/she is allowed to have. He sees this in turn leading to a single sign-on. “It won’t happen overnight but it is a start in the right direction,” he muses.

VanCity uses the two-factor authentication of CRYPTOCard password technology for remote access. “As an industry standard, basically most organizations rely on a user ID and a password as an internal verification of who you say you are. When you are outside our perimeter, outside our network and you try to connect to the network as an outsider, we need a higher level of confidence that you are who you say you are.”

Customer expectations

He admits that security is more and more of a challenge just because there seem to be more vandals out there, yet customers expect them to be secure. “A big part of being in the financial securities industry is a trust relationship for their customers, so they have to trust that we are secure internally, that we keep their information secure.”

He finds that there is more awareness with consumers that you do need to take precautions in response to a dangerous world.

For something that is new and isn’t quite understood, there is a lack of trust but over time they get a sense of confidence, he says. “A lot of it has to do with individual institutions that we explain to our customers when they go to use our home banking products for example that there is adequate security built in and that we do take security seriously.”

He recalls that about eight years ago they were one of the first companies to launch PC home banking through a telephone line. Initially there were a lot of questions from customers, he says. Similarly, when they went from the telephone-based PC banking to the Internet, there was quite an interest because it was new and there were a lot of horror stories about the insecurity of the Internet. He speculates that people are more used to it, so the questions aren’t as fast and furious as they used to be.

“Customers expect their information to be treated with respect and that companies will put in systems to support that,” he adds.

He says that awareness is key to doing so and that one has to understand the environment one lives in. He adds that from the time employees join the company, it is instilled in them to improve the security environment to make sure support staff keeps customer information safeguarded.

“Now protection is a normal part of life,” he concludes. “Having the right processes in place is basic. As the Internet becomes more and more relied on for x number of businesses, the level of security measures taken is keeping things in check. It’s not perfect, but banks still get robbed but people aren’t afraid to go in and leave money in banks because the appropriate security systems are in place.”