[linuxydave]

While I've never worked in banking/financial environments I do know of people who have; they often had two workstations (one for the 'public' network, the other for the systems) and weren't allowed to use software like Synergy to share the keyboard and mouse. I guess not every company does stuff like that, though.

[patcheudor]

It's nearly impossible to isolate banking system networks these days. As an example, ATMs run transactions through public networks. Customers access their accounts via public networks, etc. Further, network isolation as a primary control fails time and time again.

It's best to focus on the end points and beef up security there. Focus primary security controls on the application and not the perimeter. One of my biggest frustrations as a security professional is walking into an environment where systems which must be highly secure are accessed via simple username & password. All banking applications at a minimum should require x.509 client auth for employees utilizing a private-key stored on a device which is not permanently attached to the system. Monitoring solutions should then be in place to track authentication actions and provide that visibility to security staff and the employee's themselves. That's a pretty basic first step and one I rarely see in practice. Next, rather than isolating networks, start paying attention to the traffic on the networks & limit transactions to known good entities. After that organizations need to consider their customer environment security and how they may be inadvertently compromising it. It's amazing how many times I've gone to a public facing banking portal and spotted third-party JavaScript loaded within the same origin context of an authentication form. One bank I looked at awhile back actually had an advertisement from a third-party ad network on a page where they asked for credentials! That's pretty much asking for their customers and thus their accounts to be compromised.

[Spearchucker]

"It's best to focus on the end points and beef up security there"

Not the way I'd do it. Defence in depth means securing everything. Starting with the perimeter, working inwards to individual apps - on both clients and servers. Every resource needs to be secured. That means spending cash, and the amount of cash that should be spent should be proportionate to the value of the asset being protected. If you have a server application or service, put an application firewall in front of it, so that both internal and external access goes through it. Don't just write a threat model, document the threat tree. Don't trust your employees, your software, hardware or building security. And don't trust the bosses either.

It's analogous to having a bodyguard. If you're in the bedroom and leave your bodyguard in the kitchen for a private conversation, the bodyguard and his big six gun are going to be of absolutely zero use when ninjas come crashing through the bedroom window.

[lifeisstillgood]

To run with your analogy a bit I occassionally see CEO types with "bodyguards". Because the kidnapping attempt is theoretical and not happened for ten years the bodyguard is carrying the luggage or opening the doors or answering the phone.

The analogy is fairly clear - you can spend the money on security in depth. But humans tend to use those in segments for other things eventually. Banks hav been around long enough that all their bodyguards are now bellboys.

[patcheudor]

The problem is, most organizations start at the network rather than focusing on the application tier. In the development of applications, they should be designed to work safely within a very hostile environment. Far too often they are not.