Wall Street & Technology is part of the Informa Tech Division of Informa PLC


A Spy in the Ernst & Young Advanced Security Center

This morning I was invited to the Ernst & Young headquarters in Times Square to tour the firm's Advanced Security Center (ASC). The center, along with a location in Houston, employs a staff of 30 security professionals dedicated to performing assessments of companies' security infrastructure, focusing on the financial services industry. Through the dually authenticated door locks and under the concrete-lined ceilings of the office were an impressive facility and a team of truly dedicated white hats, diligently probing the defenses of your bank or brokerage and mine.

The ASC is built like a NASA control room, with rows of desks all facing a wall of large monitors. Among the displays is a 6-foot-high live video feed of the Houston ASC, placed there to facilitate collaboration and communication of the discovery of new threats, prevention techniques and so forth. However, there was none of this collaboration going on while I was there, as the most notable feature of the ASC was the eerie calm and quiet with which the team was going about their daily work of pounding the digital defenses of the world's largest companies.

E&Y takes a vendor-agnostic approach to consulting its clients, focusing on best and leading practices, and thorough training in secure development techniques. Knowing that the resources of the IT organization are perpetually stretched, and that business users care only about results and not security, the ASC's assessments ferret out the security gaps that occur due to lack of human capital. Most financial firms simply do not have the resources to test their applications and infrastructure with the type of rigor that a dedicated team will afford.

I was given a demonstration of two common types of attacks on vulnerabilities of Web applications: the SQL injection attack, and the newer cross-site scripting (XSS) exploitation. Although these types of techniques are clearly old news to the folks in the ASC, it was surprising to me that not one person so much as looked up from their workstations to give a once-over of their visitor, or the tail of E&Y suits that followed. Then again, given that it was a room full of ex-military personnel and Carnegie Mellon PhDs, maybe I shouldn't have been so surprised.

But their mentality no doubt correlates to their success in finding high-risk vulnerabilities in 93 percent of their vulnerability assessments, of which the ASC performed more than 600 in 2006, according to Jose Granado, principal of security and technology solutions and founder of the ASC at E&Y. And it's a damn good thing, too. The value of a facility of this nature is clear. As the threats of hackers, phishers, spammers, and their ilk grow increasingly sophisticated, it's reassuring to know that such a sophisticated organization exists solely to point out financial institutions' vulnerabilities for the purpose of remedy rather than exploitation.
