A fifth more security flaws found in bank software
Banks and other financial institutions have detected a fifth more vulnerabilities in their infrastructures than last year, according to new research.
The 2007 Annual Security Report from IT security testing consultants NTA Monitor found that financial organisations reported 20 per cent more vulnerabilities in systems, applications and networks than the previous year.
On average, three more vulnerabilities were found per test than in the previous year, a marked increase in the number of potential exploits.
Among the most common vulnerabilities found were buffer overflows in some versions of BIND running on DNS servers. An attacker who can reach a vulnerable server with crafted DNS traffic could execute arbitrary code on it, and a resolver under attacker control can return malicious responses to lookup requests.
Some web servers also presented expired SSL certificates, which cause browsers to display a ‘certificate is expired’ warning to visitors. Users have to confirm that they understand the site’s certificate is invalid before they can continue. The report said that this finding can be particularly important for financial organisations, as an expired SSL certificate may discourage customers or prospective customers from using that organisation’s website. It also teaches customers to click through certificate warnings, which makes a genuine interception attack harder for them to spot.
Roy Hills, technical director at NTA Monitor, said that these findings would be a worry for organisations aiming to become PCI-compliant.
‘The increase in vulnerabilities could be down to many factors, but one factor to consider is the growth in online business in general,’ he said. ‘Financial organisations are one of the front runners in terms of online activity. They are being pushed more and more to open themselves up to the public by offering more online services or by allowing customers to access their personal financial data.’
Hills said that while this extra accessibility is of benefit to many customers, at the same time it can ‘increase the exposure to external attacks’.
He recommended that SSL certificates always be renewed when they expire, and that companies stay up to date on the latest vulnerabilities and apply patches and updates as soon as they become available.
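The practical way to act on that recommendation is to know about expiry before the browser warning appears. The script below is an added example, not code from NTA Monitor or the report; it uses only the Python standard library. The certificate dictionary is constructed in the shape that `ssl.SSLSocket.getpeercert()` returns (the host name, issuer and dates are made up), the 30-day renewal window is an assumed value, and `check_live` is a hypothetical helper that applies the same check to a real server.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Names and dates are made up for this example, not a real bank's certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "online.example-bank.test"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2006 GMT",
    "notAfter": "Jan  1 00:00:00 2007 GMT",
}

# Assumed renewal lead time; set it to what your CA turnaround actually needs.
RENEW_WITHIN_DAYS = 30


def seconds_until_expiry(peercert, now=None):
    """Seconds until notAfter; negative once the certificate has expired."""
    if now is None:
        now = time.time()
    # cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form used
    # by getpeercert(), independent of the process locale.
    return ssl.cert_time_to_seconds(peercert["notAfter"]) - now


def classify(peercert, now=None, renew_within_days=RENEW_WITHIN_DAYS):
    """Return 'expired', 'renew-soon' or 'ok' for monitoring and alerting."""
    remaining = seconds_until_expiry(peercert, now)
    if remaining < 0:
        return "expired"
    if remaining < renew_within_days * 86400:
        return "renew-soon"
    return "ok"


def check_live(host, port=443, timeout=5.0):
    """Connect with full verification and report the leaf certificate's status.

    A certificate that has already expired (or otherwise fails validation)
    aborts the handshake, just as a browser would refuse it, so that case is
    reported from the verification error rather than from notAfter.
    Returns a (status, detail) pair.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # exc.verify_message is OpenSSL's reason, e.g. 'certificate has expired'
        return ("invalid", exc.verify_message)
    except (OSError, ssl.SSLError) as exc:
        return ("error", str(exc))
    days = seconds_until_expiry(cert) / 86400
    return (classify(cert), f"{cert['notAfter']} ({days:.1f} days left)")


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        status, detail = check_live(host)
        print(f"{host}: {status} {detail}")
```

Run it from a scheduled job with the public host names of every customer-facing service and alert on anything other than `ok`; the `renew-soon` state is the one that matters, since `expired` and `invalid` mean customers are already seeing the warning.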