Garland Group Blog

Archive for July, 2007

Web 2.0 with security in mind

The Community July 26th, 2007 0 Comments

As many of you already know, I’ve been speaking to bankers across the country about the web, especially the new technologies coming out of the Web 2.0 movement and how those technologies can help financial institutions connect better, via the Web, with their customers. It has been a lot of fun discussing the possibilities, and some of our clients are beginning to try out and even implement some of these technologies. But one topic that keeps coming back as a question is the security issues related to things like blogs, podcasts, and wikis. Lots of people show interest in trying these technologies but lose their desire when fears of security and privacy start being discussed.

I definitely believe in the power of these technologies to engage your customers in new ways and also to collaborate more productively with your internal staff, but security definitely needs to be addressed when implementing them. Let me try to briefly break down some of the things you need to consider:

Strong Authentication is still key.

For most of these technologies, strong authentication has to be a staple. As always, we recommend using complex passwords and changing them at least every 45-60 days, but let the sensitivity of the data being accessed be your guide on how frequently.

For sensitive information, SSL is essential.

We utilize a project management system for all our communication with our clients, and we paid more to ensure all pages were properly encrypted and secured from outside access. If it’s just a blog that only has standard public information on it, I wouldn’t worry about it, but if it is something like an externally accessible wiki for your FI’s employees, secure it!

Test these web services for vulnerabilities.

Companies are now doing web-site audits and can test a site to see if it is susceptible to different types of attacks (website defacement, SQL injection, phishing, cross-site scripting, etc.). Also, Web 2.0 uses quite a bit of AJAX for its services, and these have been proven to be a vector of attack.

You still gotta patch!

If you are utilizing any web services that are downloaded from the Web, make sure to stay on top of the latest revisions for any possible improvements to the security of the application. And if going open source (which we’re big fans of), I would recommend using software that is used by the masses, not just a project that is managed by one developer.

Again, you don’t necessarily need all of these depending on your use case but in the event of sensitive data being transferred, it becomes more necessary. Do a risk assessment to find out!

:)

The Garland Group Podcast: Episode 1

The Community July 25th, 2007 2 Comments

I am very happy to announce our very first podcast! The guys have been tossing this idea around for a while and kudos to Court and Eric for finally sitting down and recording one of their great conversations. (Also props to Eric for the intro music and editing!)

In this episode, Court introduces the blog and Eric fills us in on a recent Network Security scare. We then get into an interesting discussion on Incident Response Plans and avoiding the appearance of headless chickens.

You can listen right now using the player above or follow the “poweredbyODEO” link right under the player to download it. We have also submitted the podcast to iTunes and will let you know when you can find us there.

We’d love to hear your comments and ideas for improvement, so don’t hesitate to drop us a comment!

Update: You can find us on iTunes by clicking here!

The problem with assumptions

The Community July 17th, 2007 0 Comments

Richard Bejtlich has a blog that I read every so often. His focus is primarily on security, but the topic in question here reaches into the financial sector. Mr. Bejtlich illustrates a valid point concerning the complexity and uncertainty of Infosec in general. In a nutshell, a CIO (or IT department) is at a disadvantage in quantifying the financial performance of his/her department.

I agree with him. Financial professionals can rely on various models to make assumptions/predictions with varying degrees of accuracy. However, Information Security professionals are inherently at a disadvantage. It’s our job/nature not to make assumptions as we attempt to protect assets against a largely unquantifiable threat.

Are the Questions sound?

1st Annual Garland Group Paintball Event

The Community July 6th, 2007 0 Comments

Well, for those that couldn’t make the 1st annual paintball event, you definitely missed a good time. We had close to 20 people out to the event, most of whom hadn’t even played before. We were all comparing battle scars this week at the office.

I’d like to thank everyone for coming out, and hopefully we’ll have another event soon. (Maybe a little more mellow this time? Like skydiving perhaps ;) ) Here are the pictures from the event. Unfortunately, our group shot didn’t happen until after a few people left, but we got it in with as many as we could!