Tuesday | 7 July, 2009
CSO
AMP mitigates IIS SSL exploit
Rodney Gedda (Computerworld) 29/04/2004 09:14:01

Continuing exploits of Secure Sockets Layer vulnerabilities in Internet Information Services have not deterred one of Australia's largest financial institutions from using the Web server.

Lee Barnett, the CIO of financial services giant AMP, said Microsoft is "clearly targeted by the malicious hacker community", but said risks can be mitigated and auxiliary security technologies used.

“The key is to have an efficient and responsive patch management process in place, with appropriate vendor support,” Barnett said. “AMP is currently happy with its vendors' (Microsoft and CSC in this instance) support of such processes.”

As reported in Computerworld previously, most of Australia’s banks rely on Microsoft IIS for Web serving, a product that has earned a poor reputation for the number of published ways to exploit it.

In a press statement late last month Microsoft revealed that it had recently been made aware of a new IIS exploit.

“This exploit code targets server platforms that are running Internet Information Services to serve Web sites with Secure Socket Layer authentication enabled,” the statement read. Windows 2000 and Windows NT 4.0 are primarily at risk and the exploit does not affect the default IIS settings on Windows Server 2003, according to the statement.

AMP was not at risk from this exploit because the company terminates SSL on a separate SSL accelerator in front of IIS, so the malicious SSL handshake never reaches the Web server's own SSL stack (provided, of course, that the IIS servers are not also reachable directly on their own SSL port).

“AMP uses a technology called SSL Accelerator, which sits in front of the IIS server and does mitigate the particular risk identified in the latest Microsoft vulnerability,” Barnett said.

When asked if this exploit is reason enough for AMP to consider an alternative Web front-end, Barnett said: “AMP makes decisions on technology selection based on many factors, one of which is security.

“The issue of open source versus proprietary software is clearly a ‘hot’ topic in the industry at present, with pros and cons with each alternative, but again is subject to many factors - only one of which is security."

However, Barnett conceded that AMP Bank uses WebSphere (whose bundled IBM HTTP Server is based on Apache) in lieu of IIS for its Web server.

Brisbane-based information security firm BSD Australia’s managing director Brian McKerr has boldly claimed that the banks could be “considered negligent if they are not already investigating alternatives [to IIS]”.

“The functionality, performance, security and reputation of an Apache-based solution running on a [Unix] platform are already streets ahead of where IIS is at,” McKerr said. “The OpenBSD project's number one aim is to be the most secure OS.”
