Bradley Fenster is a former regulatory examiner, having more than seven years experience with the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA). He has significant understanding of business continuity, information security and information technology governance. Fenster has reviewed a wide range of financial institutions and related service companies, including fully-serviced institutions, in-house operations, regional service bureaus, bill payment providers and corporate credit unions.
You are hereResourcesOur ViewpointsIntrusion Detection and Prevention Systems for Banks
Intrusion Detection and Prevention Systems (IDS/IPS) can be quite expensive for a financial institution, especially if they are implemented in the proper way, which requires 24/7 proactive management. As such, a risk-based decision should be used to determine which system is best and where it should be located within the network in order to provide the most cost effective benefits. There are typically two deployment scenarios that determine the appropriate system or systems to provide the best value. The institution either hosts Internet accessible servers or it does not. The distinction plays a key role in determining the appropriate deployment of IDS/IPS systems for the financial institution.
Two Deployment Scenarios
Internet Accessible Systems
If the institution hosts systems that are accessible from untrusted sources, such as a web server being accessed from the Internet, an in-line IDS/IPS system would be appropriate. This system should monitor traffic destined for the network segment hosting the accessible systems. In the web server example, authorized traffic would pass through a firewall into a screened subnet (aka, Demilitarized Zone, or DMZ). This public internet traffic would then pass through an IDS/IPS on its way to the web server. In this configuration, the firewall would filter most traffic, with the IDS/IPS evaluating the traffic destined for the web server. Should malicious external traffic pass through the firewall, the IDS/IPS should identify and stop the traffic before it enters the internal network. However, often times IDS/IPS systems are not totally effective unless there are a trained security engineers also analyzing the anomalies around-the-clock as not all intrusions will be signature based, and may be missed without the visibility from 24/7 security personnel.
If the institution does not have externally accessible systems, an inline IDS/IPS may be overkill, as there would be no traffic allowed through the firewall that originated from untrusted networks, such as the Internet.
The FFIEC recommends intrusion detection or prevention systems “…at any location where network traffic from external entities is allowed to enter controlled or private networks."
No Internet-Accessible Systems
As mentioned above, if the institution does not maintain any Internet accessible servers, then a fully managed inline IDS/IPS may not be efficient as it would be costly and provide little benefit over and above a properly configured firewall. Given that all traffic originating from external entities would be blocked at the firewall, it is unlikely that the internal systems would be attacked from the outside.
For example, if a financial institution does not have Internet accessible servers and employs an inline IDS/IPS configuration, the system would only be monitoring private, internal traffic. In this case, an inline IDS/IPS would not detect an internal system from attacking another internal system. If malicious traffic from internal system A attacked internal system B without passing through the IDS/IPS, it would go undetected. You may wonder if this could actually happen. The answer is Yes! However, for that to happen, the attacker would have to first gain access to the internal corporate network. In many cases, this illicit access stems from:
- A malicious employee
- Insecure or unauthorized wireless access point
- Remote access software
- Directly connected device
- Unpatched systems
Given that an inline IDS/IPS would not mitigate the risk in the aforementioned scenario, a fully managed Intrusion Detection System that monitors an entire network segment would be more appropriate. Such a system would alert management to any suspicious traffic that is being monitored. With that said, it could be quite costly to monitor all network segments with an IDS, such as all branch locations. In order to provide a good value for the security dollars spent, an IDS could be limited to the network segments that host critical systems. For instance, if a financial institution has 20 locations, but only two locations contain critical systems, the institution may warrant installing IDS only at the locations where critical systems reside.
The FFIEC states: "Multiple NIDS [network-based intrusion detection systems] units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the NIDS is to sensitive data, the more important the tuning, monitoring, and response to NIDS alerts."
Should a non-critical system be compromised at a location without an IDS, the damage would be minimal, as the system should not have any critical and/or sensitive information. Should the compromised system then attempt to attack critical systems, the IDS framework monitoring the network segment with the critical systems would trigger appropriate alerts. Even with those controls in place, an Intrusion Detection System should be managed around the clock by a security expert in order to improve effectiveness given that not all suspicious activity will trigger an alert and often, analysis needs to be done on the behavior of the traffic to determine whether it may be harmful.
Your financial institution’s Intrusion Detection and Prevention Systems need to be comprehensive, fully managed, and an integrated component of your organization’s information security plan.
The FFIEC further states: "To use a NIDS [network-based intrusion detection system] effectively, an institution should have a sound understanding of the detection capability and the effect of placement, tuning, and other network defenses.” (FFIEC Information Security Booklet pg. 82)
Therefore, community banks need to ensure that they have a well-engineered and thought out IDS/IPS program not only to meet regulatory guidelines, but also to mitigate the very real vulnerabilities and threats that are present in the financial arena and targeting your critical information systems. Of course, even with the best security systems and practices in place, the reality exists that the bank will need to consult with a company skilled in forensics investigation should the bank’s defenses at one time or another fail.
D+H finds that many clients who attempt to integrate and IDS/IPS solution themselves do not always have adequate scope or depth to properly protect the bank’s networks and information assets. Employing a company such as D+H to assist in planning, sourcing, deploying, and monitoring your IDS/IPS solution can save time and provide peace of mind to community banks. D+H takes pride in the very positive results of its fully managed Intrusion Detection and Prevention services, as well as its professional forensics teams, in helping its clients meet and defend against these threats and security challenges.