Protection: Getting CERT-ified: Teams Thwart Viruses

At first glance, it sounds like a pitch for a television action drama.

A team of dedicated, technology savvy hotshots band together to thwart computer hackers and rid the landscape of computer viruses and other nefarious cyber beasts.

It's a reality show, all right, but not of the TV variety. Instead, it's a new trend in bank technology circles where Computer Emergency Response Teams are being formed by financial organizations frustrated over what to do about the growing number of virus attacks on their computer platforms.

"We're seeing more CERT teams in financial organizations," says Mark Zajicek, operational team leader of the CERT Center at the Software Engineering Institute at Carnegie Mellon. The Pittsburgh-based organization was established in 1989 as a virus-fighting group on behalf of the US government. "Banks are making a much higher priority of protecting their key data and are beginning to build their own computer response teams."

Banks certainly can't afford to ignore the virus problem: a 2002 survey by the Computer Security Institute and the FBI found that such crime has cost American businesses nearly $1.5 billion since 1997. Worse, the window for responding is shrinking. In 2003, the announcement of a patch for an operating system vulnerability preceded an attack by an average of 30 days. By May 2004, the average interval between a vulnerability announcement and the propagation of attack code was less than 18 days, a 60 percent rise from the year before.

Even so, just because you need to take action to prevent cyberattacks doesn't mean you can.

That's where CERT teams come in. "It's absolutely a good idea for banks to set up their own emergency response teams," says Mark Eich, a computer consultant based in Minneapolis. "The number of viruses is growing and banks, like many businesses, are only beginning to realize just how vulnerable they are. And they're seeing viruses hitting their software before they can prevent it."

What's the makeup of a good CERT squad? "Ideally, bank CERT teams should be part forensic specialists, part risk assessment engineers," says Richard Albee, president of the computer security firm DataChasers in Riverside, CA. "But it's difficult to train systems professionals in forensics and risk evaluation. That's no knock against bank IT people-it's tough to find the time and resources to train them."

Consequently, the primary question isn't whether a financial organization should have a CERT team-they should, says Albee-but whether that team should be created in-house or brought aboard as part of an outsourcing effort.

"I think you need a pro to come in and handle hacker and virus issues, but I understand why a bank would want to keep it in-house," says Alan Stokes, president of AD Stokes, a computer-virus consultant in Gainesville, FL. "You get more control by building your own team. That's especially true for larger banks, who have more data and are more vulnerable to risk."

Big bank or small, if you do go in-house to build a CERT team, Stokes advises having a full-time, in-house person on staff to lead the operation.

"Find someone who is qualified to lead the team and definitely pay a dedicated salary to that person," he says. "Then bring in two or three IT staffers to fill out the rest of the team. You don't need an army to create a CERT team-you can actually monitor everything from one workstation."

Stokes says that banks should construct a separate budget for the team, keeping in mind that you'll need extra personnel when a virus does strike. "You'll want the extra hands on deck to shut down machines and work on patching the security breach," he points out.

He says the banks he works with exhibit a penny-pinching tendency when budgeting for dedicated virus teams, and that's a big mistake. "The cost of keeping viruses from happening is a lot cheaper than dealing with them on the other end, after they occur," Stokes says. "People may not want to spend a lot of money on a CERT team, but with millions of hackers and crackers pinging around open ports these days, you'd be crazy not to. It only takes one hacker to break in and destroy millions of dollars' worth of financial records."

Carnegie Mellon's Zajicek says a recent bank CERT team implementation that he was involved in was a grassroots effort. "It was a large, global bank," he says. "But things weren't cohesive." A newly hired information security manager saw that security incidents were occurring, and although they were being addressed, they were being handled inconsistently across the AFI organization.

He recognized that a consistent incident-response system needed to be implemented. According to Zajicek, the information security manager, with management backing, began building support with key functional areas and other stakeholders, such as the information-security, audit, public-relations and risk-assessment groups. "There was a lot of hands-on training involved, too," he adds.

In addition to building support across different functional units, a core group of technical and managerial personnel attended CERT/CC courses at the Software Engineering Institute on creating and managing emergency-response teams, as well as an introductory course on incident handling.

Team members also held face-to-face brainstorming sessions, which were used to discuss differences in operating procedures and to walk through incident scenarios. Zajicek says that experience helps team members prioritize the problems that need resolving first.

In addition to the brainstorming sessions, team members held teleconferences monthly to review processes and results and evaluate problems the team had yet to wrestle to the mat successfully.

The keys to the bank's success, Zajicek says, were the foresight to query other organizations about how they had built successful CERT teams and the development of clear and concise communications among management, staff and peripheral departments. Many teams created a department-wide checklist based on Carnegie Mellon's "Handbook for Computer Security Incident Response Teams" and on SANS's "Computer Security Incident Handling: Step-by-Step" guide.

"Good emergency response teams aren't built in a vacuum," he says. "You have to cover everything: getting the right stakeholders involved, evaluating the pros and cons of doing things in-house, and getting the message out. But if you do it right, you can save a lot of headaches down the road."
