Introduction
Arguably, among the most significant accomplishments of the 20th century were the invention of the computer and the subsequent creation of the internet. Together they have transformed information processing and communication worldwide. Organizations have adopted computer systems extensively as efficient global communication became a defining attribute of successful organizations. However, these advances have also increased the frequency and sophistication of computer crime. It is therefore imperative that countermeasures be developed to detect and prevent these attacks.
The key to building such countermeasures is gathering information on vulnerabilities and gaining insight into the strategies employed by attackers. In a bid to protect their businesses, organizations all over the world have in recent years invested heavily in information technology infrastructure that enables them to monitor and prevent unwanted intrusions into their networks. However, securing a network is at best a very challenging task: new software and hardware keep being developed, so last year's security implementation may prove grossly inadequate this year. New technologies introduce new threats and vulnerabilities against which a network must be protected, while ever more powerful tools for compromising a network are developed at the same time.
Wilshusen (2010) asserts that when dealing with intruders, the first step is to prevent them from accessing the network. Should they nevertheless get in, one must have a means of detecting and removing them. A secure network therefore depends on the network administrator keeping its security controls current. This serves several purposes: protecting the network from opportunistic intruders who are looking for an easy target, denying access to unauthorized parties and, if the system is compromised, detecting the intrusion early and expelling the intruder.
IT and Banking
The 21st century has witnessed integration and cultural interaction among people on an unprecedented scale. This frequent interaction between people of different countries and cultures has arisen mostly from advances in transport and communication technologies (Gudykunst & Mody 2002, p.12). As a result, economies and cultures have become integrated in a process known as globalization. Rosenbloom and Larsen (2003, p.309) argue that as a result of globalization, “businesses from various parts of the world interacting and dealing with each other is expected to be the normal state of affairs for the majority of businesses”. Businesses that were once confined to a particular country therefore seek relationships all over the world, using the communication and transportation technologies that have made such endeavors possible.
The banking sector has in recent years reaped substantial benefits from incorporating technological advances into its operations. Technological infrastructure has enabled banks to provide services that are more efficient, affordable, convenient and, most important of all, time-saving (The Standish Group, 1995). In addition, banks have been able to conduct business in localities, regions and countries beyond their home jurisdiction. These technologies have thus proven to be an effective tool for broadening the market base of many banks.
Bank of America: A Corporate Overview
The Bank of America that we know today has a long history dating back to 1904. Since then, the bank has evolved (through mergers, acquisitions and expansions) into a multinational corporation with branches and affiliates in more than 150 countries. According to recent statistics, the bank has more than 6,000 branches in the United States and an additional 300 offices in other countries. This broad market base, together with the long list of services the bank offers its clientele, has made Bank of America the largest bank holding company in the United States and the fifth-largest company in the United States by total revenue. Indeed, the bank’s success is remarkable.
This is borne out by the fact that in 2010 Forbes magazine ranked the bank as the third-largest company in the world. It is also ranked 16th in the FT Global 500 and 5th in the Fortune 500 (Hoover’s Inc, 2011). In addition, statistics indicate that as of 2009 the bank held 12.2% of all U.S. deposits. During the recent financial crisis, the bank demonstrated its capacity when it acquired Merrill Lynch in 2009. Consequently, Bank of America is now among the leading wealth managers in the world, with more than $2 trillion under management (Hoover’s Inc, 2011). Such a history makes the bank a force to reckon with in financial management. Its corporate headquarters is located at 100 North Tryon Street, Charlotte, North Carolina, U.S., and, as mentioned earlier, it has other branches spread across America and abroad.
Products and services
According to its website, the bank offers an array of products and services to its clientele. The products it deals in, both in person and electronically, are as follows:
Consumer
The bank’s largest division in terms of consumer products and service delivery is Global Consumer and Small Business Banking (GC&SBB). This division is tasked with meeting consumer banking needs and issuing credit cards. It contributed 51% of total revenue earned in 2005, through the more than 6,100 retail branches and over 18,700 ATMs managed under it (Hoover’s Inc, 2011). Since 2008, the bank has also introduced new banking and brokerage products and services as a result of the Merrill Lynch acquisition.
Corporate
In this segment, the bank provides services such as mergers and acquisitions advisory. In addition, it offers underwriting as well as capital and equity markets sales and trading services.
Other services
Other products and services offered by the bank include, but are not limited to, finance and insurance, retail banking, commercial banking, investment banking, private banking, private equity, mortgages and credit cards. The bank recorded total revenues of $110.22 billion, with total assets of $2.265 trillion, in the 2010 financial year.
Topic justification
As of 2010, the bank had a staff of 288,000 employees working on its diverse operations (Hoover’s Inc, 2011). I chose this organization because of its size, its secrecy and its vulnerability. There is little information available on past cyber-attacks, as most financial institutions fear publishing this information. However, there are numerous articles and white papers, many by government organizations, that express the fear and anxiety of “what might be” if a full-scale cyberattack on the financial system were to occur. What I hope to demonstrate in this paper is that the greatest economic threat is caused by internal sources. Physical and technical perimeters and controls are the weakest points in any defense measure. To achieve this aim, I am going to do a risk assessment based on the steps recommended by Stoneburner, Goguen and Feringa (2001) in NIST Special Publication 800-30.
BoA Risk Assessment and Management
Stoneburner, Goguen and Feringa (2001) state that risk assessment is core to the success of any organization. The authors suggest that risk assessment not only enables an organization to determine threats and their impacts, but that its results also enable the organization to produce solutions that avoid, reduce or mitigate those impacts on its wellbeing. In their report, the authors define risk as follows: “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization” (Stoneburner, Goguen & Feringa, 2001, p. 8). Arguably, a risk assessment should be a priority for any organization that wishes to remain relevant in today’s business environment and, as Stoneburner, Goguen and Feringa (2001) recommend, a defined sequence of steps should be followed for the methodology to be effective in managing risk. Those steps are used to carry out the risk assessment of Bank of America presented herein.
System Characterization
According to Stoneburner, Goguen and Feringa (2001), this step aims at defining the scope of the IT system under assessment. The analysis should provide information on the characteristics of the system(s), its boundaries (capabilities and functions) and the resources that make up the system. As mentioned earlier, information about Bank of America’s information technology systems is not readily available to the public, mainly for security reasons. However, credible sources have published some aspects of the system, and this information, combined with reasonable inference, can be used to characterize it.
As mentioned earlier, the bank has numerous branches offering diverse products and services to its clients. These products and services fall into two categories: online and offline. The emphasis here is on online products and services.
Considering the number of clients the bank serves, it is safe to assume that it uses state-of-the-art systems to facilitate service delivery. The components required include, but are not limited to, computers, servers, networking infrastructure, tailor-made software applications and professional IT staff. According to the bank’s website, the systems in place are designed to monitor and facilitate bank-to-bank and bank-to-client transactions while maintaining a high level of security and confidentiality. In addition, the systems facilitate communication within and outside the bank (with clients and stakeholders) via websites, e-mail and other communication channels designed for this task.
The systems are also differentiated by purpose. For clients who prefer online transactions, there is a website designed to give them access to such services. The website has an easy-to-use interface with clearly spelt-out directions on how to perform certain tasks without visiting a branch. In terms of usage, the systems cater for the needs of employees, stakeholders, the general public and clients. It is therefore a large system made up of smaller ones, each designed to achieve the aforementioned purposes, missions and objectives.
Managers and top executives use executive information systems (EIS). In every organization, it is the prerogative of top management to make the strategic decisions that can make or break the organization. It is therefore imperative that these executives have access to information that enables them to make reliable decisions in pursuit of the organization’s goals. Executive information systems are easy-to-use systems for strategic decision making. Features that distinguish an EIS from other systems are that it assists in setting long-range goals and supports non-routine, subjective decision making.
Stoneburner, Goguen and Feringa (2001) further note that the risk assessor can use various tools to collect data on the purpose and effectiveness of the system in use. For Bank of America, which already has its systems in place, data from system configuration, logs, connectivity, procedures and practices can serve this purpose. After describing and understanding the scope of the system, Stoneburner, Goguen and Feringa (2001) recommend that a threat analysis be carried out. This is the logical next step, since system characterization provides a detailed layout of the system in terms of functionality, usage, applicability and infrastructure.
Threat Identification
As Poulse (2004) states, a threat is the potential for a particular threat source to exploit a specific vulnerability in a system. He further notes that a threat may be triggered accidentally or intentionally by several factors. This step therefore seeks to identify the potential threats as well as their sources. The threat sources relevant to the bank’s IT system include human, environmental and natural factors. However, as mentioned earlier, the purpose of this research is to show that the greatest economic threat is caused by internal sources, so the emphasis is on the human factor as the main source of threats to the bank’s IT systems. To this end, a table showing each threat source, what motivates it and how it affects the system is provided, followed by a detailed description and an evaluation of how those actions may impact Bank of America’s systems.
A table showing the human threats, what motivates them and how they threaten the bank’s systems:
N.B: This table shows the threats according to their priority and likelihood of occurrence.
The threats noted above have been documented as those most likely to affect financial institutions and other technology-oriented organizations, Bank of America included. Where internal human error is concerned, the success of top executive decisions depends heavily on executives having highly accurate information. Delegating information gathering to subordinates may therefore produce undesirable results if the information supplied is inaccurate. A further significant problem top management faces is information overload, which arises because executives may have to monitor many projects, especially in a business of significant size. This is the case with Bank of America, where vast amounts of financial data from branches throughout the country must be monitored.
Vulnerability Identification
This step sets out to identify the flaws or weaknesses that can be exploited by the aforementioned threats. The areas vulnerable to such threats include system security, design flaws, implementation procedures and internal controls, including programming errors and errors of omission or inclusion (Jansons, 2005). Examples of vulnerabilities applicable to the bank include sharing of passwords, failure to deactivate work IDs belonging to fired employees, inadequate security measures around bank servers and networking infrastructure, delays in repairing known system flaws, and physical exposure of systems to hazards such as water sprinklers and flammable materials. Such weaknesses inevitably expose the bank’s systems to hackers, disgruntled employees, negligent personnel, unauthorized users and fired employees, among other threats.
If such threat sources gain access to the system, they may compromise it by accessing the bank’s financial records and altering or destroying them. They can also use such vulnerabilities to sabotage the system by inserting malicious code (viruses and Trojans among others), which may make the system more susceptible to other threats or damage it outright. This is very risky because the bank may lose clients’ information, suffer various forms of fraud (theft and insider trading) and, worst of all, lose the trust of clients, who may leave the bank or sue it for damages. According to Stair and Reynolds (2008), tools exist that can be used to test and identify system vulnerabilities: tools that test the security controls in place, scan the system for vulnerabilities and monitor user practices.
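The orphaned-ID weakness listed above can be checked mechanically by reconciling the HR termination list against the accounts that are still enabled in the directory. The Python below is an added worked example, not the bank’s tooling or code from any of the cited authors; the HR feed, the account records, the user names and the run date are constructed for illustration, and the record layout is an assumption about how an identity-store export would look.

```python
"""
Orphaned- and dormant-account check for the "failure to deactivate work IDs
belonging to fired employees" vulnerability. Added example, not Bank of
America's tooling; the HR feed and directory export below are constructed.
"""
from datetime import date

# Constructed HR feed: employee id -> termination date (None means still employed).
HR_RECORDS = {
    "e1001": None,
    "e1002": date(2011, 3, 15),
    "e1003": None,
    "e1004": date(2011, 5, 2),
}

# Constructed directory export, in the shape an identity store might return it.
DIRECTORY_ACCOUNTS = [
    {"sam": "jdoe",      "employee_id": "e1001", "enabled": True,  "last_logon": date(2011, 6, 1)},
    {"sam": "rsmith",    "employee_id": "e1002", "enabled": True,  "last_logon": date(2011, 5, 28)},  # fired, still enabled, still logging on
    {"sam": "alee",      "employee_id": "e1003", "enabled": True,  "last_logon": date(2010, 11, 2)},  # no logon for months
    {"sam": "mkhan",     "employee_id": "e1004", "enabled": False, "last_logon": date(2011, 4, 30)},  # correctly disabled
    {"sam": "svc_batch", "employee_id": None,    "enabled": True,  "last_logon": date(2011, 6, 1)},   # no owner on file
]

AS_OF = date(2011, 6, 5)  # assumed date on which the check is run


def find_orphaned_accounts(accounts, hr_records, as_of):
    """Enabled accounts whose owner has been terminated or cannot be found in HR.

    For a terminated owner the finding records how many days the account has
    stayed enabled past the termination date and whether it was used after it.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        emp = acct["employee_id"]
        if emp is None or emp not in hr_records:
            findings.append({"sam": acct["sam"], "reason": "no_owner_on_file"})
            continue
        terminated = hr_records[emp]
        if terminated is not None:
            findings.append({
                "sam": acct["sam"],
                "reason": "owner_terminated",
                "days_open": (as_of - terminated).days,
                "used_after_termination": acct["last_logon"] > terminated,
            })
    return findings


def find_dormant_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon in the last max_idle_days days."""
    return [
        acct["sam"]
        for acct in accounts
        if acct["enabled"] and (as_of - acct["last_logon"]).days > max_idle_days
    ]


def run_sample():
    """Run both checks over the constructed data."""
    return {
        "orphaned": find_orphaned_accounts(DIRECTORY_ACCOUNTS, HR_RECORDS, AS_OF),
        "dormant": find_dormant_accounts(DIRECTORY_ACCOUNTS, AS_OF),
    }


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(kind, items)
```

Any account still enabled after its owner’s termination date is a finding whether or not it has been used; a logon after that date turns the finding into a possible incident, since whoever logged on was not the owner. Run on a schedule, the same reconciliation also surfaces accounts with no owner on file, which are the ones most often found to be shared.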
Control Analysis
This step analyzes the measures implemented to mitigate or remove a threat’s ability to exploit a system’s vulnerability. Given the size of the bank, both technical and nontechnical methods can be used to control and monitor system use. Technical controls used by the bank include, but are not limited to, ID cards and biometric scanners, firewalls and access controls, encryption and intrusion detection systems (IDS). Nontechnical controls include rules, procedures, personnel security and codes of conduct. The controls implemented by the bank are both preventive and detective in nature: they can block unauthorized access to the system, or warn the system administrator when an attempt to penetrate or misuse it is detected. According to Blazewicz (2003), most banking institutions have set security guidelines to ensure that the security protocols in place are followed.
Likelihood Determination
The following table is used to determine the likelihood of the aforementioned vulnerabilities being exploited.
N.B.: High: the threat source is highly motivated and sufficiently capable, and the controls implemented to prevent exploitation of the vulnerability are ineffective.
Medium: the threat source is motivated and capable, but the controls implemented to prevent exploitation of the vulnerability may impede its success.
Low: the threat source lacks motivation or capability, or the controls implemented to prevent exploitation of the vulnerability are efficient and effective.
Impact Analysis
As demonstrated throughout this assessment, the IT infrastructure implemented by the bank is pivotal to its success. Its main mission, as described, is to facilitate bank-to-bank and bank-to-client transactions while maintaining a high level of security and confidentiality. However, like any other information system, it is sensitive and susceptible to various threats and vulnerabilities (Kitten, 2011). The impacts of the threats and vulnerabilities applicable to the bank have been ranked by severity in the table above.
Risk Determination
After analyzing the threats and their likelihood of exploiting the vulnerabilities present in the banking system, the risks can be determined. The bank’s employees pose the greatest threat to the system, so the risk level associated with their actions is the highest (High). This is because the bank stands to lose the most if employees manage to exploit the vulnerabilities within the system. Although the systems have been working and delivering the expected results, the flaws and weaknesses in them need to be corrected as soon as possible. Failure to do so puts the bank at risk of a major collapse, loss of reputation or irreversible damage to its systems. Similarly, external hacking and other cybercrime are potentially high risks that can cripple the bank’s operations, and corrective measures should be implemented as soon as possible if the bank wishes to avoid a catastrophe.
On the other hand, terrorism and industrial espionage are less likely to pose an immediate risk to the bank’s operations; corrective actions should nonetheless be designed and implemented within a reasonable time frame. Natural and environmental threats such as rain, earthquakes and pollution pose a low risk to the bank, so the assessor has to determine whether preventive measures need to be developed or implemented, or whether the risk can be accepted.
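The qualitative levels assigned above can be made reproducible with the risk-level matrix from NIST SP 800-30, which multiplies a likelihood value (High 1.0, Medium 0.5, Low 0.1) by an impact value (High 100, Medium 50, Low 10) and maps the product to High (above 50), Medium (above 10 up to 50) or Low (1 to 10), each level carrying its own action guidance. The Python below is an added worked example and is not part of the original assessment; the threat/vulnerability pairs and the ratings given to them restate this assessment’s own judgements and are assumptions, not measured values.

```python
"""
Risk determination with the NIST SP 800-30 risk-level matrix
(Stoneburner, Goguen & Feringa, 2001, Table 3-7) and the action guidance
that accompanies it. Added worked example; the threat/vulnerability pairs
and their ratings are assumptions restating this assessment's judgements.
"""

# Values 800-30 assigns to the qualitative likelihood and impact ratings.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Actions 800-30 associates with each resulting risk level.
ACTION = {
    "High": "strong need for corrective measures; a corrective action plan must be put in place as soon as possible",
    "Medium": "corrective actions needed; plan and implement them within a reasonable period of time",
    "Low": "determine whether corrective actions are still required or decide to accept the risk",
}


def risk_score(likelihood, impact):
    """Likelihood value times impact value, e.g. Medium x High = 0.5 * 100 = 50."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Risk scale from the matrix: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(pairs):
    """pairs: (threat source, vulnerability, likelihood rating, impact rating).

    Returns one row per pair, highest score first, so the result doubles as
    the remediation priority list.
    """
    rows = []
    for threat, vulnerability, likelihood, impact in pairs:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        rows.append({
            "threat": threat,
            "vulnerability": vulnerability,
            "score": score,
            "level": level,
            "action": ACTION[level],
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Assumed ratings for the threat/vulnerability pairs discussed in this assessment.
ASSESSMENT_PAIRS = [
    ("disgruntled or negligent employee", "shared passwords, IDs of fired staff still active", "High", "High"),
    ("external hacker", "delayed repair of known system flaws", "High", "High"),
    ("terrorism / industrial espionage", "inadequate protection of servers and network gear", "Medium", "High"),
    ("natural or environmental event", "sprinklers and flammable material near systems", "Low", "Medium"),
]


def run_sample():
    return determine_risk(ASSESSMENT_PAIRS)


if __name__ == "__main__":
    for row in run_sample():
        print(f'{row["level"]:6} {row["score"]:5} {row["threat"]}: {row["action"]}')
```

Note how coarse the scale is: a Low-likelihood, High-impact pair scores 10 and lands in Low, so the likelihood rating given to terrorism and espionage decides whether they receive a remediation deadline (Medium) or merely a decision on whether to accept the risk (Low). That rating therefore has to be defended on evidence rather than assumed.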
Control Recommendations
Regarding the risks posed by the bank’s employees, Bonnette (2002) recommends that all organizations invest in promoting good communication, since communication is one of the fundamental building blocks of a successful organization. For efficient communication to take place there must be a level of trust and mutual respect between the parties involved in any business dealing. This can be encouraged through team-building exercises, e.g. sporting activities, interdepartmental parties and other social events, which can remove the communication hurdles that give rise to various risks. In addition, Gorman (2010) notes that organizational failures are in most cases a result of poor planning, weak managerial skills and conflict. Managers should therefore ensure that their teams have a sense of purpose and are working towards the organization’s goals. This can be achieved by instituting codes of conduct and by training and retraining employees in skills including system security maintenance, conflict resolution and incident reporting (Otani, 2002).
An upgrade of the bank’s executive information systems, which are supposed to have a powerful ability to direct management’s attention to specific areas of the organization, would be worthwhile (Turban, Aronson & Liang 2007). While this is one of the features that makes an EIS expensive, it is also the feature that makes it most useful, since managers are forced to prioritize by dealing with the most significant issues first. An EIS provides this through a built-in alarm function that highlights critical situations to the user and so forces them to pay closer attention (Edwards & Bramante 2001). This helps managers get information faster, enabling them to deal with risky situations before they get out of hand.
As regards computer criminals, hackers and crackers, honeypots and honeynets are an effective means of identifying attackers, system vulnerabilities and attack strategies, and so provide a basis for improved security as well as for catching attackers. A honeypot is defined by Lance Spitzner as “a security resource whose value lies in being probed, attacked or compromised” (Pouget, Dacier & Debar, 2003; Spitzner, 2002). A honeypot is thus a device placed openly on a network to attract unauthorized activity (Carter, 2004). Because a honeypot serves no production purpose, any traffic to or from it is suspect by definition, which gives the resulting alerts a very low false-positive rate. An important point to note is that honeypots are not designed to prevent a particular intrusion; their objective is to collect information on attacks, enabling administrators to detect attack patterns and make the changes needed to protect their network infrastructure.
Using honeynets, an administrator can detect other compromised systems on the network (Krasser, Grizzard & Owen, 2005). This is possible because attackers may use the honeypot as a starting point for hijacking other systems. By analyzing the honeynet log files, one can trace the path the attacker took and arrive at the other systems possibly compromised by the intruder. Honeypots will thus enable the bank to research the threats it may face, answering questions such as who the attackers are and what tools they use in their attacks (Cardei, 2005). This will enable the bank’s IT security branch to better understand its potential threats and so improve its preparedness and defenses.
Insurance has also been documented as a viable means of protection against cybercrime and terrorism. Neal (2011) asserts that large corporations are always potential targets for various forms of cybercrime and recommends that such corporations take out cyber insurance to protect themselves should an attack occur. In addition, Christopher (2010) reports that major banking institutions such as BoA are among the ten institutions most targeted by cybercriminals. This underlines the severity of cybercrime and the importance of being insured against it. Insurance transfers part of the financial loss, however; it does not replace the preventive and detective controls discussed above, nor does it restore lost data or client trust.
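The tracing described in this paragraph can be done over ordinary connection logs, because a honeypot should never initiate a connection: any outbound flow from it is an indicator of compromise, and the hosts it reached after that point are the leads to follow. The Python below is an added example and is not the code of Krasser, Grizzard and Owen or of the bank; the flow log, its one-line-per-connection format (timestamp, source, destination, destination port), the honeypot address and all other addresses are constructed (203.0.113.0/24 is a documentation range).

```python
"""
Tracing an attacker's path out of a honeypot from connection logs.
Added example; the flow records, addresses and log format below are
constructed assumptions, not data from any real honeynet.

Assumed log format, one flow per line:
    <ISO-8601 timestamp> <source ip> <destination ip> <destination port>
"""
import re
from collections import deque

HONEYPOT = "10.0.5.20"  # assumed honeypot address

# Constructed flow log. The first line is normal pre-incident traffic and
# must not be attributed to the attacker; the last line is deliberately malformed.
SAMPLE_FLOW_LOG = """\
2011-06-01T01:05:00Z 10.0.5.31 10.0.7.8 445
2011-06-01T02:14:03Z 203.0.113.45 10.0.5.20 22
2011-06-01T02:14:09Z 203.0.113.45 10.0.5.20 22
2011-06-01T02:21:40Z 10.0.5.20 10.0.5.31 445
2011-06-01T02:22:05Z 10.0.5.20 10.0.5.31 445
2011-06-01T02:30:11Z 10.0.5.31 10.0.7.8 3389
2011-06-01T02:31:00Z 10.0.5.40 10.0.5.20 80
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)$"
)


def parse_flows(text):
    """Parse the log into flow dicts, dropping lines that do not match the format."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(port)})
    # ISO-8601 timestamps in the same zone sort correctly as strings.
    return sorted(flows, key=lambda f: f["ts"])


def analyse_honeypot(flows, honeypot):
    """Return who probed the honeypot and the chain of hosts reached from it.

    Starting at the honeypot (whose every outbound flow counts), follow each
    reached host's outbound flows, but only those made after the attacker
    first reached that host, so earlier legitimate traffic is not swept in.
    """
    probes = []
    for f in flows:
        if f["dst"] == honeypot and f["src"] not in probes:
            probes.append(f["src"])

    chain = []
    possibly_compromised = []
    visited = {honeypot}
    frontier = deque([(honeypot, "")])  # (host, earliest timestamp that counts)
    while frontier:
        host, since = frontier.popleft()
        for f in flows:
            if f["src"] != host or f["ts"] < since or f["dst"] == honeypot:
                continue
            chain.append(f)
            if f["dst"] not in visited:
                visited.add(f["dst"])
                possibly_compromised.append(f["dst"])
                frontier.append((f["dst"], f["ts"]))
    return {
        "probes": probes,
        "pivot_chain": chain,
        "possibly_compromised": possibly_compromised,
    }


def run_sample():
    return analyse_honeypot(parse_flows(SAMPLE_FLOW_LOG), HONEYPOT)


if __name__ == "__main__":
    result = run_sample()
    print("probed honeypot:", result["probes"])
    for f in result["pivot_chain"]:
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]}:{f["dport"]}')
    print("follow up on:", result["possibly_compromised"])
```

Two details matter in practice. First, only flows a host made after the honeypot first reached it are followed, so the pre-incident connection from 10.0.5.31 to 10.0.7.8 in the sample is correctly ignored. Second, a host listed as possibly compromised is a lead for forensic follow-up, not proof; the internal host that probed the honeypot (10.0.5.40) is a separate lead, since no legitimate internal system has a reason to contact it.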
Conclusion
The IT arena is ever evolving, and as its effectiveness increases, so do the risks. Preventive and detective measures should therefore be employed to improve security. This paper set out to illustrate that every business organization has points of weakness that can be exploited by others. To achieve this aim, this report has given a detailed overview of Bank of America, including an analysis of the organization’s business structure and mechanisms. Points of vulnerability applicable to the bank have been identified, and viable solutions that can be used to identify and catch security threats, as well as to identify vulnerabilities in an organization’s network, have been provided. I believe that by implementing the recommendations and solutions stated in this report, Bank of America will be better placed to deal with all threats that may destabilize its operations. Not only will management be able to better understand the organization, but it will also make sounder decisions for the good of the entire organization. This will in turn ensure that the bank maintains its competitive edge while thriving where others have failed.
References
Blazewicz, J. (2003). Handbook on Data Management in Information Systems. Russia: Birkhäuser.
Bonnette, C. (2002, April). How Are You Managing Technology Risk? Bankers Online.com. Web.
Cardei, M. (2005). Resource Management in Wireless Networking. New Jersey: Taylor & Francis.
Carter, W. L. (2004). Setting up a Honeypot Using a Bait and Switch Router. Web.
Christopher, T. (2010). Citibank (NYSE: C) and Bank of America (NYSE: BAC) Rank in Top 10 for Cyber Attacks. American Banking & Market News. Web.
Edwards, J., & Bramante, R. (2001). Networking Self-Teaching Guide: OSI, TCP/IP, LAN’s, MAN’s, WAN’s, Implementation, Management, and Maintenance. New York: Wiley.
Gorman, S. (2010). Utilities, Refineries and Banks Are Victims of Cyber Attacks, Report Says. Wall Street Journal.com. Web.
Gudykunst, W., & Mody, B. (2002). Handbook of International and Intercultural Communication. New York: Sage.
Hoover’s Inc. (2011). Bank of America Corporation. Web.
Jansons, A. (2005). Pirates of the Baltic. Computer Crime Research Center. Web.
Kitten, T. (2011). Internal Fraud and Dollar Losses. Research suggests Banks Don’t catch Most Internal Fraud Schemes, Bank info Security. Web.
Krasser, S., Grizzard, B., & Owen, H. (2005). The Use of Honeynets to Increase Computer Network Security and User Awareness. Haworth Press. Web.
Neal, M. (2011). Protect Your Assets With Cyber Insurance. Small Business Review. Web.
Otani, H. (2002). Let’s Set Up A Community WLAN. Web.
Pouget, F., Dacier, M. & Debar, H. (2003). White Paper: Honeypot, Honeynet, Honeytoken: Terminological Issues. Web.
Poulse, K. (2004). Banks brace for cash point attack, Global ATM Security Alliance. The Register. Web.
Rosenbloom, B., & Larsen, T. (2003). Communication in international business-to-business marketing channels: Does culture matter? Industrial Marketing Management 32: pp. 309– 315.
Stair, R. M., & Reynolds, G. W. (2008). Principles of Information Systems. New York: Cengage Learning.
Standish Group. (1995). Chaos (Application Project Failure and Success). Web.
Stoneburner, G., Goguen, A., & Feringa, A. (2001). Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-30. Web.
Turban, E., Aronson, J., & Liang T. (2007). Decision Support and Business Intelligence Systems. New Jersey: Pearson Education, Inc.
Wilshusen, G. (2010). Information Security: Concerted Response Needed to Resolve Persistent Weaknesses. Statement of Gregory C. Wilshusen, Director, Information Security Issues, to the U.S. House of Representatives. GAO-10-536T. Web.