Banks find a fifth more security flaws than last year
New report into financial organisations' IT security reveals more vulnerabilities than last year.
Banks, building societies and other financial institutions have uncovered a fifth more vulnerabilities in their infrastructures than last year, according to new research.
The 2007 Annual Security Report from IT security testing consultants NTA Monitor found that financial organisations reported 20 per cent more vulnerabilities in systems, applications and networks than the previous year.
The volume and distribution of vulnerabilities found in tests performed on financial organisations varied only slightly from the results of tests featured in the previous year's report, but an average of three more vulnerabilities were found in tests conducted during the past year, which accounted for the marked increase in exploits.
Among the most common vulnerabilities found were buffer overflows in some versions of BIND running on DNS servers, which could allow a hacker to return a malicious DNS response to a lookup request, giving them the ability to execute arbitrary code on the server or to crash the system.
Some web servers also used expired SSL certificates, which cause browsers to display a "certificate is expired" warning to users visiting the site. Users have to confirm that they are aware that the certificate for the site they are visiting is invalid before being able to continue. The report said that the presence of this vulnerability in financial organisations can be particularly important, as the use of an expired SSL certificate may discourage customers or prospective customers from using that organisation's website.
Roy Hills, technical director at NTA Monitor, said that these findings would be a worry for organisations aiming to become PCI compliant.
"The increase in vulnerabilities could be down to many factors, but one factor to consider is the growth in online business in general," he said. "Financial organisations are one of the frontrunners in terms of online activity. They are being pushed more and more to open themselves up to the public by offering more online services or by allowing customers to access their personal financial data."
Hills said that while this extra accessibility is of benefit to many customers, at the same time it can "increase the exposure to external attacks."
He recommended that SSL certificates always be renewed when they expire and that companies stay up to date on the latest vulnerabilities and apply patches and updates as soon as they become available.