THE DMZ AS A LIABILITY FOR BANKS
By Ronen Kenig/Safe-T
Customers are demanding the convenience of direct access to their data from their mobile devices, and banks are revamping their IT infrastructure in order to launch self-service applications for opening new accounts, applying for loans and mortgages, and other retail banking functions.
However, sharing information through the corporate banking network also introduces security risks. As more and more sensitive data from the internal network is duplicated in the DMZ (demilitarized zone), this perimeter network designed to be a buffer zone has become a prime target for hackers.
Recent data breaches, including the well-known Target incident in which data from 40 million debit and credit cards was exposed, have raised public awareness of the possible risks. One bank executive feared that thieves who managed to steal encrypted personal identification numbers (PINs) would make fraudulent withdrawals from consumer bank accounts.
Whenever there is a breach that could result in compromising consumers’ bank accounts, the news winds up on the front page of The New York Times, and banks want to take whatever precautions are necessary to avoid the resulting financial losses and brand erosion.
With the increase in online banking, the DMZ, initially intended for housing non-confidential, static information for external access, has become crowded with servers containing highly sensitive enterprise data. Bank statements are stored in the DMZ before being sent to customers, exposing customer personal data and financial information. In addition, synchronization of account information between bank branches also requires duplication of data in the DMZ, increasing the risk of identity theft and the loss of sensitive financial data.
A streamlined DMZ, designed for security
The fundamental security vulnerability in most DMZ implementations is that the DMZ’s network ports remain open to the Internet. As a result, they expose the entire network to external attacks. Hackers relentlessly scan networks for open ports to exploit in order to gain access to the internal network, from which they can steal data.
Although firewalls and proxy servers monitor and filter all incoming communications, the fact that the ports remain open makes the entire network susceptible to external attacks. Malicious code, which continuously evolves and becomes ever more sophisticated, can be embedded in legitimate communications in order to exploit design, implementation and configuration weaknesses and circumvent these monitoring and filtering mechanisms. Even if all security mechanisms are kept current and validated vigilantly, the reactive nature of identification of threats and creation of counter-measures creates windows of opportunity for external threats to defeat the network.
In addition to security vulnerabilities, the DMZ network configuration also imposes a costly operations burden on the enterprise. To use the DMZ network to protect against external threats, data and services in the internal network must be duplicated in the DMZ. This duplication requires additional hardware and software, as well as perpetual replication processes to ensure that data is synchronized between the internal network and the DMZ. This additional hosting and synchronization requires a complex layer of data and network operations which can be complicated and costly to manage.
A streamlined DMZ can eliminate these weaknesses. By utilizing two nodes, one on each side of the firewall, requests can be received and data can be streamed through, rather than following the traditional method of storing sensitive data in the DMZ. With this method there is no need to open inbound ports on the internal firewall. As a result, any network or Layer 4 based attack, such as port scanning, ICMP scanning, and TCP based attacks, is completely blocked at the internal firewall.
The external node does not need to run an application in order to handle incoming sessions; instead it uses listener technology, making it impossible to hack into and take control of the external node to initiate attacks.
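The two-node pattern described above can be illustrated with a small relay. The following is an added example written for this page, not Safe-T’s product code: both nodes run on localhost, the account data and request format are constructed for the demo, and the point it makes is that the internal node only ever opens an outbound connection (no listen() or accept() on the internal side), while the external node forwards each request and streams the reply back without storing anything.

```python
"""Streamed request relay with no inbound port on the internal side.

Added illustration of the two-node DMZ pattern; not Safe-T code.
Roles (all on 127.0.0.1 here, constructed for the demo):
  * EXTERNAL node (in the DMZ): listens for clients and, on a second
    port, for the INTERNAL node's outbound connection.
  * INTERNAL node (behind the internal firewall): opens one outbound
    connection to the external node and answers requests over it.
  * The external node never stores data; it forwards each request
    and streams the reply straight back to the client.
"""
import socket
import threading

# Constructed sample backend data served by the internal node.
ACCOUNT_DATA = {b"ACCT-1001": b"balance=250.00", b"ACCT-2002": b"balance=17.40"}
MAX_LINE = 256  # hypothetical bound on one request/reply line


def _recv_line(conn):
    """Read one newline-terminated line (bounded) and return it stripped."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < MAX_LINE:
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.strip()


def internal_node(external_host, external_port, requests_to_serve):
    """Internal node: one outbound connect; no listen()/accept() here."""
    with socket.create_connection((external_host, external_port)) as channel:
        for _ in range(requests_to_serve):
            req = _recv_line(channel)
            if not req:
                break
            # Strict allow-list lookup: unknown keys get a fixed error reply.
            reply = ACCOUNT_DATA.get(req, b"ERR unknown account")
            channel.sendall(reply + b"\n")


def external_node(node_sock, client_sock, n_clients, results):
    """External node: accept the internal node's outbound channel, then
    relay each client's request over it and stream the reply back."""
    channel, _ = node_sock.accept()
    with channel:
        for _ in range(n_clients):
            client, _ = client_sock.accept()
            with client:
                req = _recv_line(client)
                channel.sendall(req + b"\n")  # forward; nothing is stored
                reply = _recv_line(channel)
                client.sendall(reply + b"\n")
                results.append((req, reply))


def run_demo(requests):
    """Run both nodes on localhost and return the reply each client saw."""
    node_sock = socket.socket()
    node_sock.bind(("127.0.0.1", 0))
    node_sock.listen(1)
    client_sock = socket.socket()
    client_sock.bind(("127.0.0.1", 0))
    client_sock.listen(5)
    node_port = node_sock.getsockname()[1]
    client_port = client_sock.getsockname()[1]

    results = []
    ext = threading.Thread(
        target=external_node, args=(node_sock, client_sock, len(requests), results)
    )
    ext.start()
    intl = threading.Thread(
        target=internal_node, args=("127.0.0.1", node_port, len(requests))
    )
    intl.start()

    replies = []
    for req in requests:
        with socket.create_connection(("127.0.0.1", client_port)) as c:
            c.sendall(req + b"\n")
            replies.append(_recv_line(c))

    ext.join()
    intl.join()
    node_sock.close()
    client_sock.close()
    return replies


if __name__ == "__main__":
    print(run_demo([b"ACCT-1001", b"ACCT-9999"]))
```

Because the only listening sockets belong to the external node, an internal firewall policy for this layout needs just one rule: allow the internal node’s outbound connection to the external node and its established return traffic, with no inbound permit at all.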
Before making any significant changes to the way enterprises store and transfer sensitive information, the role and architecture of the traditional DMZ have to be evaluated by each organization’s IT and security teams. When appropriate, by deploying a streamlined DMZ, IT managers can provide improved security while reducing the DMZ’s hardware and software footprint, simplifying network management and business operations.
About Safe-T: Safe-T is a fast growing information security start-up with a vision to protect data in transit and at rest by securing business workflows in the most simple and seamless way. Focused on providing security solutions for enterprises with a focus on financial institutions, Safe-T enables organizations to benefit from enhanced productivity and efficiency, heightened security, and improved regulatory compliance. With offices in North America, Europe and Asia, Safe-T provides solutions to insurance companies, financial organizations, healthcare, universities, public safety organizations, manufacturers and technology transfer companies, enabling them to protect intellectual property, improve operational efficiency, ensure compliance and reduce IT costs.