No question about it, protection against risk is front-of-mind for IT executives these days, particularly in the financial services arena.
In recent benchmarks, Nemertes asked IT executives for their total security budgets (including both capital and operational expenses), as well as for their overall IT budgets, and computed the percentage spent on security, to compile this research. We also compared the findings with our previous security benchmarks.
The upshot? Security budgets have increased from a median of 3% to a median of 3.9%, with 27% of participants spending 10% or more of their IT budgets on security. What's driving the trend? By and large, it's compliance. More than 75% of IT executives with whom we've spoken say they've increased their security spending because of compliance requirements. As a result, Chief Security Officers and Chief Information Officers are facing twin challenges: ensure compliance at the minimum cost possible while maintaining the flexibility (business agility) required to maneuver in a fiercely competitive global market. These challenges are compounded by the continuous evolution of security attacks. Especially worrying for financial services are Distributed Denial of Service (DDoS) attacks, which have the potential to disable financial networks, interrupt transactions and lead to direct loss of revenue.
Financial services companies in particular have come under a barrage of regulations, including the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX). GLBA requires the protection of non-public personally-identifiable information, that is, non-public information about people such as their credit rating or their social security number. Passed in 2002 in the aftermath of the financial scandals, SOX applies to all public companies, and attempts to create a framework for accurate and trusted reporting of financial accounts.
When we asked IT executives from the financial services sector how much of their security budget was being spent on regulatory compliance, the answers ranged from 10% to 90%. At one extreme this represents a staggeringly large slice of the security budget, especially given that CSOs do not consider SOX measures to materially strengthen a company's security posture.
We asked IT executives at public financial services companies (i.e., those affected by SOX), to identify which information security initiatives are driven by regulatory compliance. One of the overriding themes was applying technology controls to ensure "Separation of Duties" and verifiable audit trails. This means controlling access to financial reporting resources in a way that ensures that no one person can violate the integrity of financial statements by compromising a system, at least not without being noticed.
In terms of the specific solutions applied, almost 70% of respondents said that they were instituting more regular and/or more thorough audits of systems. More than half (53%) were also strengthening and documenting corporate security policies. These two initiatives were directly attributed to documenting and ensuring the effectiveness of all the other security solutions that were deployed.
Application level firewalls have been deployed by 31% of respondents to protect assets subject to regulatory compliance. In a departure from perimeter-oriented controls, application level firewalls are higher in the application stack (i.e., they inspect the application-layer content) and are usually located in the data center, very close to the assets they protect. As a result, application level firewalls are better suited to the task of fine-grained and content-sensitive access control and are more effective at protecting the integrity and confidentiality of personal and financial accounting information.
A number of other solutions have also been applied by 15% of respondents. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are used to supplement the audits with real-time monitoring of threats. IDS and IPS systems can monitor and block attack attempts originating from external or internal sources.
Internal encryption has also been deployed to protect communications between critical systems. While encryption has been deployed on external links (in the form of VPNs) and remote access links (for dialup and broadband users), it is not often deployed internally. The regulatory compliance pressures for "separation of duties" have persuaded some IT executives that even internal links need to be encrypted to protect them from eavesdropping by an insider.
Vulnerability scanning is also being used, as part of overall audit activities. Vulnerability scanning is often used in conjunction with a patch-management process to ensure that all systems are properly patched against security vulnerabilities in operating systems and applications. The importance of maintaining a secure posture at all times has become part of the overall "internal processes" for verifying financial controls.
One of the areas generating a lot of security spending is authentication, authorization and access control of users. As part of guaranteeing the integrity of financial controls, IT managers must be able to show that the systems cannot be accessed by unauthorized users. Even "trusted" users need to be monitored to prevent insider attacks. Two-factor authentication systems and sophisticated identity management systems are being deployed by many companies as a response to the regulations. Part of the reason that identity management is not a higher priority for IT managers is that such initiatives predate the regulations and significant resources have already been invested in that area. Had there not been significant investment in these areas, they would certainly be higher on the list of priorities for SOX compliance.
Virtual private networks (VPNs), deployed primarily for site-to-site and remote-access, are also being funded because of regulatory compliance. As with identity management, VPNs have been part of the landscape in financial organizations for many years and therefore are not as high on the list as other security controls.
Yet there's one area that's surprisingly not on financial services firms' "hit-lists" when it comes to hardening their security architectures: Protection against distributed denial-of-service (DDoS) attacks.
DDoS attacks are those in which the attacker plants malicious code on numerous scattered, and usually unwitting, servers or desktops. Those machines (called zombies) then flood a single IP address with packets until it is driven offline, unable to handle the volume. DDoS attacks have taken entire organizations offline, causing untold amounts of damage and wreaking havoc with productivity.
But most financial services firms aren't yet on board with DDoS protection.
In a recent (November 2005) benchmark Nemertes conducted of WSTA members, fully 40% of participants said they do not protect against DDoS. That's a huge mistake, because DDoS attacks are rapidly growing in size, frequency and scope. Several security companies have noted the increase in size of zombie armies - compromised hosts that are remotely controlled and used to launch coordinated attacks. The zombie systems are often traded online in a barter system. At times, tens of thousands of compromised hosts change hands in exchange for information, exploit code or money. This has allowed some hacker groups to cobble together even larger armies of zombies, outsourcing the cumbersome job of compromising the hosts to smaller groups or freelancers. The sheer size of the problem and the variety of groups behind these attacks make DDoS a growing concern for enterprises, particularly financial services firms.
Two factors have led to the increased threat. Firstly, DDoS attacks are no longer initiated by a few hosts; they involve hundreds or even thousands of hosts acting in a concerted manner against a single target. Secondly, DDoS attacks are closely related to other nefarious activities such as spyware, viruses, Trojans and spam, all of which either create massive armies of zombie hosts or fund such activities.
Figure 2: DDoS is a coordinated attack from thousands of zombies
DDoS attacks can shutter businesses, as the CTO of a professional services firm told us recently. "About 18 months ago, we were essentially out of business for 72 or so painful hours. Mercifully, we started off as a secondary target in the attack. We were on our knees for the better part of a week--and it was an important week," he says. As a result, the company began to take security seriously.
Figure 3: When your own systems turn into zombies
The risk doesn't just affect services and systems that need to stay up: It can be a sign of compromised internal systems as well. Says the CTO of another professional services firm that's been hit, "We had a couple of episodes where our Internet site was smoked because of outgoing stuff. We had a dozen or so of our own machines pounding away at a server in the Netherlands, and it saturated a 12-Mbit/s pipe."
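The second CTO's episode, a dozen internal machines saturating the outbound pipe toward one external server, is detectable from flow data before the link is fully saturated. The script below is an added example, not part of the original article or of any Nemertes or WSTA material: it groups constructed flow records by external destination and flags destinations that many internal hosts are hitting with a combined outbound rate above a threshold. The internal address range, the flow-record layout and the thresholds are assumptions to adapt to a real site.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; change to match the site being monitored.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records for this example (src, dst, dst_port, bytes sent in the
# window). These are made-up values, not captured traffic.
WINDOW_SECONDS = 60
SAMPLE_FLOWS = (
    # A dozen internal hosts each pushing 8 MB in one minute to the same external host.
    [(f"10.0.1.{i}", "203.0.113.7", 80, 8_000_000) for i in range(1, 13)]
    # Ordinary web traffic: many hosts, but small volume.
    + [(f"10.0.2.{i}", "198.51.100.10", 443, 40_000) for i in range(1, 30)]
    # One host doing a large upload: a single source, so not a coordinated flood.
    + [("10.0.1.20", "203.0.113.9", 22, 90_000_000)]
    # Internal-to-internal traffic: ignored by this check.
    + [("10.0.1.5", "10.0.3.9", 445, 50_000_000)]
)


def find_outbound_floods(flows, window_seconds, min_sources=5, min_mbps=10.0):
    """Return [(dst_ip, sorted source list, mbps)] for external destinations that at
    least min_sources internal hosts are hitting with an aggregate rate >= min_mbps."""
    by_dst = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, dst, _port, nbytes in flows:
        # Only internal -> external flows matter for the "own systems as zombies" case.
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue
        by_dst[dst]["sources"].add(src)
        by_dst[dst]["bytes"] += nbytes
    hits = []
    for dst, agg in by_dst.items():
        mbps = agg["bytes"] * 8 / window_seconds / 1e6
        if len(agg["sources"]) >= min_sources and mbps >= min_mbps:
            hits.append((dst, sorted(agg["sources"]), mbps))
    # Worst offender first so the on-call engineer sees the saturating flow at the top.
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for dst, srcs, mbps in find_outbound_floods(SAMPLE_FLOWS, WINDOW_SECONDS):
        print(f"{len(srcs)} internal hosts -> {dst}: {mbps:.1f} Mbit/s outbound")
```

With the sample data only 203.0.113.7 is reported (12 sources at 12.8 Mbit/s, enough to fill a 12 Mbit/s link); the single large upload is suppressed by the source-count rule, which is what separates a coordinated flood from one busy host.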
Fortunately, solutions exist. Major service providers offer DDoS protection services that divert attack traffic via "blackhole routing" or scrub the packets from attacking sources, letting only legitimate traffic through.
Figure 4: Service-Provider solutions may limit the impact on the WAN and LAN
The bottom line: Financial services firms are doing a pretty decent job overall when it comes to investing in security initiatives in support of compliance. But they need to shore up attention to certain types of risk, and in particular, implement DDoS protection. If you're interested in learning more about DDoS protection, business continuance best practices, and effective strategies for enabling compliance, check out the WSTA Conference "Effective Risk Management: Security, Compliance and Disaster Recovery" on April 5 (see www.wsta.org for details).
Andreas M. Antonopoulos (andreas@nemertes.com) is Sr. Vice President & Founding Partner, and Johna Till Johnson (johna@nemertes.com) is President & Sr. Founding Partner at Nemertes Research Inc. (www.nemertes.com), 888-241-2685.