The Information Security Media Group, Corp. (ISMG) today announced the launch of its two redesigned websites, www.BankInfoSecurity.com and www.CUInfoSecurity.com. The redesign offers easier navigation throughout the sites and access to even more information on topics, events and regulations that affect financial institutions.
Swart: I would like to start by talking about what are the personal risks that executives of financial institutions face if they fail to implement effective security or to comply with IT security regulations.
Herold: Well, there are many. It is first important though for the financial institution leaders to understand that there are many laws and regulations requiring information security programs and these programs must be built based upon risk assessments directly related to safeguarding customer information. Some of the laws and regulations include the U.S.A. Patriot Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Fair and Accurate Credit Transactions Act. Also the FFIEC IT Examination Handbook, the FDIC IT Examination Workpaper, the OTC Consumer Regulations Handbook and various other oversight agencies' guidance require and emphasize the importance and responsibilities of executive leaders to ensure security is in place. Besides those, there are at least 39 state level breach notice laws along with hundreds of other state laws that address and require institutions to provide data protection activities. And then, if your organization has offices outside the U.S., there are over 100 data protection laws within countries throughout the world.
Swart: Well, speaking of accounting, a lot of executives are quite concerned that achieving ISO compliance, or excuse me, IS certification, will significantly increase their costs, and lead to the adoption of significantly more controls. Is that perception accurate?
Bernard: Actually it's not. ISO is a big thing to take on, and there has been a lot of reluctance, as you know. We are going to be likely the first on-line banking system in North America, perhaps even the globe, to become ISO certified. And I think the reluctance is because they just haven't found the right person or the right group who can deliver that package in a way that they can accept. In fact, the ISO framework, once it's properly implemented, will actually help reduce controls, which is usually a big selling point with senior managers. As we have external consultants and monitors coming in and telling us to implement more and more controls, the concern is that we have layers and layers, and all of the sudden productivity slows down within the organization. We have to hire new people to manage the controls because there are so many of them. And ISO is not about that at all. There are 133 controls within ISO. And they can be basically applied in a number of different ways.
Swart: Let’s start talking about risk management, but rather talking about traditional issues of information and business impact analysis. I was wondering, is there some fundamental question or fundamental process that banking and finance executives should start with when they start thinking about risk management?
Pironti: There actually is. As we start looking at risk management and more specifically information risk management, which is really what we’re focusing our attention and the work I’m doing on, one of the first things we often ask ourselves is to figure out what problem are we trying to solve. To what degree are we trying to solve a problem? With what degree are we trying to protect the information? And once we understand those basic principles, then we should be looking to go through a process that we call Threat and Vulnerability Analysis.
Know What Assets You Have and Where They Are – This may sound very basic, but after one laptop turns out to be missing, the basics look like very good rules to follow.
It’s hard enough to secure the data you control. But how about when your employees are running around plugging in unapproved USB drives into computers and sending out unencrypted sensitive information in emails to customers, putting your institution at risk for a data breach?
When it comes to information security, there are as many ways to go wrong as to go right. That is why, before a financial institution attempts to implement and improve its security risk management process, it must examine its fundamental level of maturity. Is the organization ready for risk management?
The estimated number of reported credit card numbers that were taken in the TJX breach has doubled from more than 45 million to nearly 100 million accounts being affected, according to VISA.
Vulnerable Web Servers Are More Quickly Identified By Fraudsters
The news from the crimeware front isn’t good. The research team at RSA Security reports the discovery of a tool that fraudsters are using to automatically trace vulnerable web servers, allowing them to quickly launch multiple phishing attacks.
To safeguard digital customer files and stymie potential identity thieves, Brintech’s Chris Koger has a quick list of tips for bank officers. They’re based on the most common errors that risk assessors come across.
Sometimes a Breach is as Simple as Walking in the Front Door
Chris Koger is not an actual identity thief, but he may play one soon at a bank branch near you. An Atlanta-based “ethical hacker” and information risk assessor, Koger specializes in human, operational and physical weaknesses of small- to medium-sized banks. In short, Koger’s job is to expose potential breaches before an actual thief does. Oftentimes, it’s too late.
Spending on security technology, training, assessments and certification now accounts for 20 percent of total technology budgets, according to new research from the Computing Technology Industry Association (CompTIA).
RICHARD SWART: Hi. This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with Dan Manley, who is a Senior Manager at KPMG’s Risk Advisory Services Information Protection Practice. He has over 19 years of experience, and has both a CISSP and a CISM. Good morning, Dan.
DAN MANLEY: Good morning, Richard.
RICHARD SWART: Hi. This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’re speaking with Kenneth Newman. He joined the American Savings Bank as the Vice President of Security in March of 2005, and is responsible for managing their business continuity, information security and records management programs. He has extensive experience in information security for over 15 years, and has previously worked at Deutsche Bank, and also with Citigroup. Good afternoon, Ken.
It’s About Protecting the Network Endpoints
Last week’s announcement of yet another unencrypted laptop being stolen – this time it is retailer The Gap’s recruiting vendor and its gaping lack of security (the vendor laptop was stolen with personal information of 800,000 applicants, according to the Gap press release) – opens another line of questions for financial institutions. Is the increased productivity of portable devices (laptops, USB drives, etc.) worth the risk of infection or data theft? More importantly, are you able to defend your networks from the invasion of the external threats that seemingly pile up at your firewall due to the use of these endpoints?
Too Much Data, Too Little Security -- a Recipe for Disaster
The risk of a breach of sensitive personal information held by TJX Companies Inc. was foreseeable, but the company failed to put in place adequate security safeguards, according to the report released this week by Canada’s Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Alberta (AB OIPC).
Bad Guys Getting Better, Aiming Higher
CA Bill Would Make Bad Security Costly To Retailers
Move over data breach notification laws: There’s a tough new bill in town, under which banks and credit unions could get money back from breached retailers that didn’t do right in protecting credit or debit card information. This new data breach reimbursement bill is sitting on the desk of California governor Arnold Schwarzenegger, awaiting his signature.
Breach is a Warning to All Financial Institutions
The announcement by online brokerage TD Ameritrade that a database had been breached reinforces an important lesson to other financial institutions: Know your systems and who’s accessing them. On Sept. 14, Ameritrade went public with the news that it had “discovered and eliminated unauthorized code from its systems that allowed access to an internal database
Richard Swart: Hi, this is Richard Swart with Information Security Media Group. Today I’ll be speaking with Debbie Wheeler, CISO of Fifth Third Bank. How are you doing this morning, Debbie?
Debbie Wheeler: I’m doing well. Thank you.
Swart: I appreciate you taking time to talk to us today. I’d like to talk about some of your experience. I know you have an extensive background in information security, and you’ve also spent quite a bit of time there at Fifth Third Bank working on issues around identity access management. I was wondering if you would tell our listeners, what are the critical success factors for an identity and access management program?
Wheeler: I’d have to start with understanding what roles the organization uses or needs. That’s probably first and foremost. And in some of the conversations that Fifth Third has had with some other financial organizations that are attempting to implement identity and access management programs, specifically around provisioning, roles are the number one concern that’s raised over and over again. Fifth Third started about four years ago defining the roles that they were going to use to provision access, and having that structure in place has allowed us to very rapidly deploy over 200 applications to a centralized provisioning product from which we delegate and administer access and entitlement. I think the biggest challenges in trying to obtain or administer an access and identity management program are really selling the value to senior management.
Whether you know where the sensitive, personally identifiable information is on your networks isn’t at question, nor is anyone asking if you have secured it. But what about the data on the devices that disconnect from your network (think of laptops, external drives, USBs)? Are they secured, or the data on them encrypted? The results from a recent study by the Ponemon Institute show that the majority of businesses don’t manage the protection of these devices very well.
Incident Response Resources
Here are several recommended agencies that institutions will want to check in with when bulking up incident response plans.
Incident Response Starts With a Comprehensive – and Tested – Plan of Action
It’s 3 a.m., and your cell phone is buzzing off the bedroom dresser. Your boss is calling to tell you that the network servers that support your institution’s online banking site have been offline for the last two hours, and it is suspected that the region’s severe weather overnight may have knocked out the Internet connection. When the IT hits the fan, you don’t want to be without a plan of action. What can you do to prepare for the unexpected?
Forensic Analysis Helps Solve the Crime
In the event of a data break-in, forensic analysis -- the use of scientific techniques to investigate crimes -- is needed for various tasks, including:
- investigating crimes and inappropriate behavior,
- reconstructing computer security incidents,
- troubleshooting operational problems,
- supporting due diligence for audit record maintenance,
- recovering from accidental system damage.
Richard Swart: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with Mark Lobel, an internationally recognized security and internal controls professional who is a partner in the information security practice at Price Waterhouse Coopers. Good afternoon, Mark.
Mark Lobel: Good afternoon. How are you?
Swart: I’m doing well. I was hoping you’d talk to our listeners and tell us about, from your position as a Price Waterhouse Coopers partner in the security practice area, what is your assessment of the state of the information security war? How are institutions responding to the increasingly sophisticated threat picture?
Richard Swart: Hi, this is Richard Swart with Information Security Media Group, publishers of bankinfosecurity.com and cuinforsecurity.com. Today we’ll be speaking with William Henley. He is the Director of IT and Risk Management for the Office of Thrift Supervision. Now William, what specific guidance and advice can the OTS give thrifts and financial institutions in the development, implementation and maintenance of policies, procedures and guidelines regarding technology risk management?
Richard Swart: Hi. This is Richard Swart with Information Security & Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with Mr. Nathan Johns. Nathan is an executive with Crowe Chizek and Company, LLC risk services delivery unit, with over 15 years experience in a variety of internal audit risk management leadership and regulatory positions. He has a comprehensive internal audit and risk management background in large financial services institutions, working closely with senior management to address risks and evaluate and implement controls. Before joining Crowe Chizek, Mr. Johns was the chief of the information technology section for the FDIC.
Research reveals that although internal auditors and corporate compliance professionals place great importance on making sure the right controls are in place for access to systems and data (70 percent of respondents in a recent survey of auditors said it is critical to IT compliance), the majority said there are inadequacies in current practice. A majority (82 percent) said a risk-based approach would be more effective, according to the Ponemon Institute survey “Audit & Compliance Professionals: Survey on Identity Compliance.”
RICHARD SWART: Hi. This is Richard Swart, Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today, we’ll be speaking with Gigi Hyland, who was appointed by President George W. Bush to a seat on the National Credit Union Board effective November 18, 2005. Her term expires on August 2, 2011. When nominated to the NCUA Board, she served as the Senior Vice President and General Counsel for Empire Corporate Federal Union in Albany, New York. She previously served concurrently as Vice President, Corporate Credit Union Relations at the Credit Union National Association and Executive Director for the Association of Corporate Credit Unions.
In the most recent CUInfoSecurity.com podcast, NCUA board member Gigi Hyland shared her opinions on information security and risk management best practices for credit unions. During her interview, Hyland shared what’s important to the NCUA in regard to information security at credit unions. Hyland, an NCUA board member since 2005, explained why written information security policies are needed and shared her views on the annual review of risk assessments at credit unions, as well as her ideas on access controls and the need for encryption.
RICHARD SWART: Could you tell us a little bit more about your role in the FDIC and could you explain how the FDIC is tracking cyberfraud?
DAVID NELSON: Sure. Recently, I have become more of an analyst. Before, I was an examiner, as you well know, but now, I’ve turned into more of an analyst, where I review a lot of information, information that comes from the FINCEN, in the form of FINCEN’s SARs that financial institutions submit.
RICHARD SWART: Well, could you please explain for our listeners your responsibilities as the Deputy Director for Outreach and Awareness for the National Cyber Security Division, and also, how do you interact with the banking and finance community?
ROB PATE: Our job at NCSD is to help government agencies, federal, state and local, and the private sector, as well as our international partners, to better defend themselves against cyber attacks and disruptions. Also, if you want, I’ll touch briefly, a little bit on US-CERT, and then we can touch on the financial sector things that we were talking about. If you’re not familiar with US-CERT, the United States Computer Emergency Response Team, that is the focal point for cyber incident response for the nation.
When your regulator comes to your institution during your next examination, will your incident response plan be your Achilles’ heel? Ensuring your institution is ready to respond to any breach begins with the development of a response team. Under the interpretive authority granted by the Gramm-Leach-Bliley Act (GLBA), federal banking regulators finalized guidance establishing standards financial organizations must follow to safeguard customer information. The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice Guidance requires banks to establish a security breach response program and, in general, to notify affected customers when a breach occurs.
The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that can be cost-effectively avoided. The report, “Why Compliance Pays – Reputations and Revenues at Risk,” finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year. Those firms with the best IT compliance results have, at most, two disruptions annually. “There are two real key findings from this ongoing report for financial institutions. We are finally able to quantify publicly reported data losses, (this data was also checked from historical databases as well). Financial risk for losing data is absolutely huge, compared to the amount of money being spent on compliance and data protection,” said Jim Hurley, a senior research manager for Symantec and senior director of the IT Policy Compliance Group.
The results of a Ponemon Institute survey underscore the serious challenges organizations face in securing sensitive data.
The recent announcement by Fidelity National Information Services, a financial processing company, that one of its employees at a subsidiary stole 2.3 million consumer records containing credit card, bank account and other personal information is yet another drop in the bucket of data leakage.
Sensitive financial information is leaking from financial institutions, vendors and customers according to a recent study on the risks from inadvertent disclosures of sensitive information on the Internet.
The best passwords are easy to remember, but hard to guess. So why are employees (including yourself) forgetting them at times?
As with any information security threat, your institution needs to plan for it, and social engineering from outside your institution should be expected.
Like comic book super villains, spam kingpins always seem to find new ways to thwart the technology heroes that fight against junk mail. Just as it seems that they’ve finally been vanquished, they manage to elude the traps laid by anti-spam technology vendors in order to flood the inboxes of innocent users.
To create an effective information security incident response capability, banks need to first understand where they are in terms of security readiness. Benchmarking the information security program is one of the most difficult and important tasks a chief information security officer will face. That task has gotten easier now with the publication of a set of incident management capability metrics by the Software Engineering Institute of Carnegie Mellon University.
Financial institutions receive email from a wide variety of sources, and like other companies they’re facing the unwanted solicitation emails that range from replica watches to penny stock offerings. The employees at financial institutions are also faced with these emails that make it past filters and into their inboxes.
Financial institutions need intrusion detection systems that incorporate wireless.
The biggest credit-card hacking incident in history exploited a weakness in wireless network security that could have easily been fixed. The lesson for financial institutions is to plug all such weaknesses before wrongdoers discover them.
If you ever thought that when you file a Suspicious Activity Report (SAR) that it is filed away with the other SARs, think again. SARs are an important and valuable part of the Bank Secrecy Act (BSA) data that law enforcement uses to build criminal cases. Financial institutions can read more on the enforcement actions taken by law enforcement in the latest edition of the SAR Activity Review.
Any good information security professional knows good passwords should be very easy to remember but hard to guess, and that’s because there are constant attempts to crack your passwords. A recent study by the University of Maryland's Clark School of Engineering is one of the first to quantify the near-constant rate of hacker attacks on computers with Internet access (every 39 seconds on average) and the non-secure usernames and passwords in use that give attackers a greater chance of success.
The receptionist at ABC Financial Institution headquarters glanced up from her work and saw the phone man standing there.
I’m a social engineer. And no, you won’t recognize me or be able to spot me when I come into your bank or credit union. My job is to scope a target (it could be your institution) and probe potential weaknesses in the security, both physical and cyber. I’m paid to find the holes and potential places where we could launch an attack on your branch or even your entire institution.
At your financial institution, what would you consider as your worst threat for data loss? Hackers? Let’s face it, everyone who is trying to breach your defenses really just wants to join those insiders who are already running amuck on your network. If you’re not cognizant of the insider threat in your institution you will need to rethink your security strategy.
Knowing where and when your employees are accessing data means watching your endpoints. Endpoint controls can play a key role in preventing or reducing the insider threat, says Ari Tammamm, an information security company executive. Financial institutions are doing a better job than many other companies because of the regulatory compliance that goes along with being a financial institution, but the threat is still
In spite of doom-and-gloom predictions following the FFIEC’s guidance announcements, financial institutions are able to balance convenience with security.
As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year’s Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security. However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted, in spite of the fact that most of them are unaware of the new regulation.
It’s always sitting there like the 800-pound gorilla in the room – the upcoming IT Audit at the institution. No one asks if it’s still there, because we all know it is. We’ve all gone through at least one IT audit, some successfully, others of us have been handed a list of recommendations from our auditors. One of the drivers behind an IT audit is the list of 114,000 new regulations (according to the OMB) passed in the U.S. since 1981, and these regulations include the Sarbanes Oxley Act (SOX). SOX is more than just 404 documentation. From proper retention, retrieval and disposition of audit data to corporate responsibility for financial reports to real-time disclosure, SOX places a comprehensive compliance burden on a financial instit
We’re all guilty of it. The conversation at the table next to you in the fancy restaurant is sounding interesting and as you’re sitting nearby, you can overhear the people as they talk. Sometimes it’s innocuous tidbits of family life, other times it’s more important information, like say, two bank employees discussing network IP addresses, or what type of configuration they’re going to propose for the new firewall. If you were not the upstanding citizen and information security professional with a high ethical standard, you could possibly share that information with your friends in a chat room, or post it on your blog. As we all continue to blur the lines between work and personal life, dragging home laptops and blackberries and doing business as we commute back and forth each day, it’s almost surprising that more of us are not ending up in the blogosphere or on Internet chat forums or on MySpace, and then are known as “the employee who talked in public,” says one information security exp
One of the best ways financial institutions have of protecting critical infrastructure is to monitor system logs, which contain a gold mine of information about the health of the network. Network devices such as servers, routers, firewalls, wireless access points, and antivirus systems all generate log data, which should be archived and monitored regularly for oversight of employee activity, as well as preventing and detecting system outages and breaches. When properly configured, logs record the day-to-day activity of system users, administrative changes made to critical production systems, and evidence produced by malicious activity. Logs provide a way to spot unusual activity from authorized users, as well as the ability to monitor unauthorized users and what they’re doing when they get in. With the right logging configuration financial institutions can capture the history of a hacker's activity, from the establishment of unauthorized accounts to the installation of back-doors, enabling them to quickly isolate and repair affected systems after an intrusion.
As an information security professional at your institution, would you know what signs and indicators to monitor for an insider attack? Dr. Eric Cole, a noted information security expert who has studied insider threats and investigated them at financial institutions, says the problem lies not only in identifying potential insider attacks, but also in how much attention is actually being focused on this continuing threat. During a recent interview Cole described the typical breakdown of information security budgets at financial institutions: “If you go into the average financial institution now, and you track its security budget and map it, around 80 percent of the budget is spent on external attack security and only 20 percent is spent, if that, on mitigating insider threats.” Cole continued, “External or internal, attacks cost an institution both time and money. When a worm or virus hits your network, you immediately know, or can pinpoint when and where it started. But in the case of an insider attack, you don’t always know when it started, or what damage has been inflicted, until you investigate and track it.”
Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly? To assist financial institutions in this process, the Federal Deposit Insurance Corporation has published guidance on incident response program best practices—a how-to approach to keeping sensitive data from being accessed by unauthorized individuals. Many financial institutions are finding it challenging to assemble an incident response program (IRP) that not only meets minimum requirements as prescribed by financial institution regulators, but also provides for an effective methodology to manage security incidents for the benefit of the financial institution and its customers. Financial institutions are required to include incident response as part of their information security program. The federal financial institution regulatory agencies have issued interpretive guidance prescribing standard procedures that should be included in IRPs. In addition, at least 33 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.
One of the recommendations from the President’s Identity Theft Task Force: Decrease the unnecessary use of social security numbers in the public sector by developing alternative strategies for identity management. Deborah Platt Majoras, Chairman of the Federal Trade Commission and co-chair of the Identity Theft Task Force gave this example why this recommendation is at the top of the list of 31 recommendations from the Task Force. “We [at the FTC] recently received an identity theft complaint from a young consumer who recounted his experience of going with his mother to open his first checking account before he headed off to college. At the bank, he learned that a woman using his social security number had already opened a checking account which has been subsequently closed for default. When he contacted us, this young man was still working to clear his record. It is hard to regain trust in a system that allows that kind of a breach. So if you multiplied this consumer’s story by the thousands of consumers we’re hearing from each week you would have an instant calculation on the scope of the problem.”
When identity theft occurs, 9 times out of 10 the source from which the person’s identity was taken is never fully found. Trust and money are the two things financial institutions have as their products. Once a member loses trust in your institution’s ability to protect their personal financial information, you’ll lose them as a customer. Part of building confidence in your institution is communication with your members. Tell them what you’re doing to protect their information. While you can’t meet with every single member individually, take the lead and reach out to them with your marketing vehicles. Use your statement stuffers, fliers, posters, and your website, and put the message out there. Market your efforts on protecting them like you would a banking product. Financial institutions can use this draft memo as a place to begin the education of members about identity theft.
The financial services industry is one of the most highly regulated and closely supervised among those handling sensitive consumer information. Besides being subject to security breach disclosure laws at the state and federal levels, it must comply with industry-specific laws and regulations related to information security and privacy.
As a service-based business, financial institutions must provide customers with confidentiality or else risk losing their trust and their business. Protecting information is critical to maintaining trust. Because they generally don’t pass along losses associated with fraudulent transactions made on existing accounts to their customers, financial institutions incur significant losses from ID theft and account fraud. This is in addition to reputation damage and other costs incurred in responding to the security breach.
The Gramm-Leach-Bliley Act requires financial insitutions to not only limit the disclosure of customer information, but also to protect that information from unauthorized access and to notify customers about security breaches. Under the guidance issued by federal regulators, financial insitutions must establish and maintain comprehensive information security programs to identify and assess the risks to customer information and then address these risks by adopting appropriate security measures.
The revelation by TJX Companies, owner of T.J. Maxx and other retail brands, that at least 45.7 million credit and debit cards were compromised over several years highlights anew the risks associated with processing card transactions and the need to protect the information they contain. The breach eclipses the previous disclosure of 40 million compromised payment card records by CardSystems in 2005. Intruders gained access to TJX’s computer systems beginning in 2005 and continuing until January 2007. Although debit card PINs weren’t compromised, unencrypted magnetic stripe data, also known as “track 2 data,” was stolen on transactions that occurred before September 2003, the company said.
The Check Clearing for the 21st Century Act (Check 21) has created new opportunities for financial institutions and customers. By eliminating the need to transport paper checks, remote check capture can provide significant cost savings for financial institutions. Customers benefit as well: retail customers can receive image proof-of-deposit at an ATM or other remote capture site, and commercial customers can deposit imaged checks directly at their own premises.
At the same time, remote check capture carries with it operational risks that left unmitigated could expose a financial institution to fraud losses. According to a 2006 white paper published by the BITS Fraud Reduction Steering Committee, the use of the Internet to transmit check image files could be exploited by criminals. “Remote deposit image files will be open to all the same attacks that online banking or online commerce face. Files could be intercepted on the Internet and either be edited for fraudulent submission or mined for fraud and identity theft.”
Information security risks include unauthorized access to and/or use of the imaged information, submission of edited or unauthorized files for clearing, and loss of data. Fortunately, strategies exist for mitigating these risks.
A recent survey of banking executives showed the overwhelming majority plan to increase spending on automated Anti-Money Laundering (AML) transaction monitoring and on staff to help strengthen their compliance programs. Darren Donovan, head of KPMG’s Forensic Services, said the survey, administered by KPMG during the Florida International Bankers Association Annual AML Compliance Conference, showed that some 75 percent of the respondents said they plan to either implement an automated AML transaction monitoring system or upgrade their current one. Of the 29 percent of respondents who said they don’t use automated tools, “They probably also stand a pretty good chance of missing things, due to the level of information that must be processed,” said Donovan. “The automated functions of an AML monitoring tool help with aggregation; a manual process can’t do that,” he added. If an institution is deficient in AML regulatory examinations, “it is likely that they usually are deficient in other areas as well,” he noted. Regulators need to have the ability to “look back” at transactions over a period of time, on a historical level, for the purpose of detecting suspicious activity. Automated tools are popular with institutions for that very reason, Donovan pointed out, as they give the BSA officer and the regulators the ability to look for certain anomalies. “You can sort through millions of transactions and decide if they are legitimate, or if they need closer inspection,” he explained.
While most financial institutions guard against the external threat of hackers, malware, and network intrusions, there is an insidious insider threat that lies hidden inside the walls of financial institutions. According to Dr. Eric Cole, a noted information security expert who has studied insider threats and investigated them at financial institutions, much more can be done to mitigate this unseen threat.
Manual processes leave financial institutions open to insider threats, said a study showing that nearly 60 percent of U.S. businesses and government agencies report they don't have the information or the technology to deal with insider threats to their network. This is according to a new study done by the Ponemon Institute. “For the financial services industry there are some important implications in terms of account takeover, authentication credential and a very big risk of a harmful event if someone gains control of part of a financial institution’s network,” said Larry Ponemon, President of the Ponemon Institute.
The Gramm-Leach-Bliley Act may not appear to have anything to link it to the Voice over IP technology being implemented in financial institutions, but IT departments and information security officers should look closely at how the new phone systems may be audited under GLBA regulations. GLBA audits would focus more on data privacy, and specifically on Section 501 of Subtitle A, which requires companies to ensure the security and confidentiality of customer records and information. They also need to protect against any anticipated threats or hazards to the security and integrity of these records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
Banks are attracted to Voice over Internet protocol (VoIP) as an alternative to traditional telephone networks because of the potential cost savings, including elimination of long distance charges and the need for only one network to manage both voice and data. However, VoIP entails increased data security risks, which must be addressed before implementing a solution. According to the FDIC, VoIP is susceptible to the same risks as data networks that use the Internet, such as exposure to viruses, worms, Trojans and man-in-the-middle attacks. Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud (theft of service), all of which can result in the loss of privacy and integrity.
Being an information security officer at a financial institution isn’t an easy job, but imagine being the first Chief Information Security Officer at your institution, and the first one, period. Steve Katz shared his thoughts on information security from his unique perspective of being just that—the first CISO of a major financial institution. What many of us take for granted in our programs was hewn out of thin air by Steve since the mid 1980s. Steve Katz is a true luminary among the information security community. Known as the world’s first chief information security officer, Katz is widely regarded as one of the discipline’s thought leaders. In addition to his role since 1985 as a senior security executive for J.P. Morgan, Citibank/Citigroup and most recently Merrill Lynch, he has been a force at both industry and government levels in raising the visibility and shaping the direction of the security industry.
LINDA MCGLASSON: Are we in information security becoming too complacent? I mean, we have a lot of zero-day threats, hundred thousand node botnet sending us virus threats and all things like that, and those of us in information security, you know, look at the situation and think that this is normal operation procedure, are we too complacent? WYATT STARNES: I think we are too complacent, and I actually think we’ve been overly, sort of, complacent and self-secure, self-assured for actually quite some time. When you kind of zoom back and look at some of the physical threats in our world, specifically, the tragic events of September 11th, 2001, where we found we were dramatically exposed to physical harm within our own boundaries, I think in the cyber-security world, we haven’t really seen our September 11th, 2001 yet. We are exposed. We continue to be exposed, and information technology is prospectively an important new attack vector for us in our industry and in our economy, and frankly, in our political system as well.
The alert from a federal regulatory agency about a 419 scam appearing to come from the US House of Representatives’ Financial Services Committee isn’t something new -- this type of scam is just a new twist on something that has been around for many years. As long as there are people who believe they can get something for little or nothing without a great deal of effort, the 419 scams will continue to wreak havoc on the American public. As financial institutions, we must help educate those who could fall under the 419 spell of easy money.
Unless you’ve been on extended vacation since last year, you know it's coming - the change to Daylight Savings Time (DST). The changes required in financial institutions’ computer networks and software for the new timing of the beginning (and end) of Daylight Savings Time have been viewed as a mostly thankless task, reminiscent of work done on Y2K. Daylight Savings Time will be extended by four weeks in the U.S., Canada, Bermuda and the Bahamas. This came about when Congress passed the Energy Policy Act of 2005. It will begin the second Sunday of March (March 11 this year) instead of the first Sunday in April, and will be extended until the first Sunday in November (November 4 this year) instead of the last Sunday in October.
Pharming" say that by viewing a malicious web page users can set off changes in a broadband router or wireless access point, making the computer connected to it susceptible to attack. The paper, authored by researchers Zulfikar Ramzan, from Symantec, and Markus Jakobsson and Sid Stamm of the Indiana University School of Informatics, shows the dangers of not changing a default password in this important part of connecting to the Internet.
The Office of the Comptroller of the Currency (OCC) issued a bulletin on February 21 about the changes in Daylight Savings Time. All financial institutions should be aware that Daylight Savings Time begins earlier and ends later this year. The OCC bulletin reminds institutions and their technology service providers of the upcoming change in the schedule for Daylight Savings Time. Institutions may be exposed to a variety of risks if they do not prepare their systems to reflect this change. The Credit Union National Association (CUNA) also noted the DST change to its membership earlier in February. Daylight Savings Time (DST) in the United States will begin earlier and end later in 2007. The Energy Policy Act of 2005, signed into law in August 2005, moves the beginning of DST from the first Sunday in April to the second Sunday in March (March 11). DST will now end the first Sunday in November (November 4) instead of the last Sunday in October.
The need to store and manage mushrooming quantities of unstructured content such as e-mails, instant messages, voice messages, and images is a major pain point for financial institutions of all sizes. An estimated 60 billion e-mails are sent across the globe each day and almost 80% of companies accept e-mail as confirmation of business transactions. With the recent amendments to the Federal Rules of Civil Procedure (FRCP), which bring e-mail and other electronically stored information squarely into the discovery process in court proceedings, it's imperative that electronic communications be rigorously managed throughout their lifecycle.
A world authority on software and application security, Gary McGraw, PhD and CTO of Cigital, carries the software security torch. Over the past 11 years his six books on the subject of software security seem to have touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and antivirus mechanisms came to understand and embrace the necessity of better software. Author of more than 90 peer reviewed technical publications, he is a principal investigator working with the Air Force Research Labs, DARPA, National Science Foundation and NIST's Advanced Technology Program. He also is an advisor to top U.S. university computer science departments, and sits on the IEEE Board of Governors. In this interview McGraw discusses with CUInfoSecurity.com the state of information security in the financial services industry, pervasive computing, the trusted computing initiative, cyber threats on the horizon for financial institutions, software security, information security for mid and smaller institutions; Vista - Microsoft's new OS, and Google's code search capabilities.
With the deadline passed for compliance with the Federal Financial Institutions Examination Council (FFIEC) guidelines, financial institutions are seeking cost-effective strategies that meet or exceed regulatory and customer expectations. According to the FFIEC, any system that permits the movement of funds to other parties or access to customer information is deemed high-risk, necessitating stronger authentication or additional controls. At a minimum, this means two-factor or layered single-factor authentication. In two-factor authentication, the user presents both something he knows, such as a password or PIN, and something he owns, such as a PC, phone, or one-time password. In layered single-factor authentication, the user presents two of the same factors (e.g., two separate passwords). This is as far as most financial institutions go in authenticating customers.
During Howard Schmidt's remarkable career in public and corporate service, he has seen it all from the inside. He began his information security career in government in the U.S. Air Force and helped establish its groundbreaking computer forensics lab. He then moved into law enforcement. Later he left public service to head information security at software giant Microsoft, and then also at online auction site eBay. After 9/11, he was appointed Vice Chair of the President's Critical Infrastructure Protection Board and was Special Advisor for Cyberspace Security for the White House. Schmidt is currently the International President of the Information Systems Security Association, ISSA. He has also served as the first President of the Information Technology Information Sharing and Analysis Center, and as the Co-Chair of the Federal Computer Investigations Committee. He is a member of the American Academy of Forensic Scientists, and an Advisory Board member for the Technical Research Institute of the National White Collar Crime Center.
Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards. In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.
In December, a milestone of sorts was reached when Boeing Co. disclosed that a laptop containing names, SSNs, home addresses, phone numbers and dates of birth of 382,000 current and former employees had been stolen from an employee's car. The theft pushed the number of records compromised due to security breaches over the 100 million mark, according to the Privacy Rights Clearinghouse, which tracks breaches dating to the ChoicePoint incident in 2005. The number of individuals affected isn't known, because some individuals may be the victim of more than one breach.
Wish List from Financial Institutions to Our Customers
As the weather outside gets colder and the year draws to an end, we're thinking of what would be some of the things we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here are the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.
If your financial institution is facing an IT regulatory exam soon, you'll want to be ready for it. Despite the best efforts of your team, will your institution be ready? CUInfoSecurity.com's webinar will prepare your team for this arduous task. In the meantime, we interviewed Susan Orr, an ex-federal examiner, who will lead the webinar, to illuminate your path to prepare for an IT regulatory exam. CUIS: If you were to narrow down to the top items that institutions should focus on in preparing for an IT regulatory exam, what should the number one concern be?
The recent announcement from Microsoft of the long-anticipated ship to manufacturers of the Vista operating system brings visions of patches and problems to the dreams of veteran infosec practitioners. Those companies large enough to hold corporate licenses will have it made available by November 30 for bulk download or via CD. The question for us in the financial industry is - when to upgrade to Vista? A wise CEO once noted when his IT department was clamoring to upgrade to a new OS, "Let's let the dust settle, let others shake the bugs out, then we'll wait until it's a robust product before we move over." That was back in the day of Windows 95 when customers came to your institution to transact business, or they picked up their land line telephone to call in.
When planning for an internal IT risk assessment, it is a good idea to have a solid understanding of risk management first. The finance and accounting departments in most organizations now have a firm grasp on risk management from a business perspective, thanks to Sarbanes-Oxley. However, when the IT security department takes responsibility for an internal IT risk assessment, some things are lost in translation. An effective risk management program protects the company and its ability to perform its mission. Sarbanes-Oxley, Section 404, requires public companies to annually assess and report on the effectiveness of internal controls over financial reporting. Information technology (IT) risk management is a component of risk management and should be part of any IT security program.
Financial institutions are subject to a slew of laws and regulations aimed at information security. There's Gramm-Leach-Bliley (privacy), Federal Financial Institutions Examination Council (authentication and online banking), and Payment Card Industry (card security). There's also California's and other states' data breach disclosure laws, and the Sarbanes-Oxley Act, which requires IT to test the effectiveness of controls over financial-reporting systems. And the European Union's privacy laws, etc. While these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Standards Organization has developed two standards that do precisely that, and by adhering to them financial institutions can go a long way toward satisfying regulatory compliance requirements.
The Interagency Guidelines Establishing Information Security Standards as per Gramm-Leach-Bliley Act (GLBA) of 2001 require each financial institution to have a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. The following publications from the NIST (National Institute of Standards and Technology) outline a model for information security training and awareness programs. While published several years ago, they remain a standard for all programs.
Visa is mounting a full-scale blitz to encourage merchants to use payment software that doesn't compromise consumer passwords. The card company has asked merchants to ensure that the software they use to process card transactions doesn't store the full contents of "track data", which contains passwords and other sensitive information. Last year, a breach at CardSystems, a processor of card transactions, led to the exposure of 40 million payment records, setting off a firestorm that's led to a crackdown on data security vulnerabilities by regulators and lawmakers. Visa's Cardholder Information Security Program prohibits the storing of full track data by merchants. Account numbers, expiration dates, and names are the only elements of track data that may be retained once a transaction has been authorized. In addition, Visa requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) by all merchants and any entity that stores, transmits or processes cardholder data.
The Computing Technology Industry Association (CompTIA) released results of a study earlier this year that found human error was responsible for nearly 60 percent of information security breaches experienced by organizations over the last year. Additionally, the results of the study show that most companies don't require security awareness training and only 36% of companies surveyed offered end user security awareness training. Why is the security awareness training landscape so dismal? While we have installed firewalls, intrusion detection systems, robust anti-virus and anti-spyware solutions, and strengthened authentication methods, we have still largely ignored security awareness training. And when I say ignored, I mean that most companies now have an Acceptable Use Policy in place that employees have to sign upon employment, but that's where the effort stops.
Deloitte Security Survey
The world's largest financial institutions have faced a surge in the number of security attacks over the past year, particularly from external sources, according to the 2006 Global Security Survey released by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT). More than three-quarters (78 percent, up from 26 percent in 2005) of respondents confirmed a security breach from outside the organization and almost half (49 percent, up from 35 percent in 2005) experienced at least one internal breach. The fourth annual survey consisted of interviews with senior security officers from the world's top 100 global financial institutions and acts as a global benchmark for the state of IT security in the financial sector.
NSI An experiment carried out within London's financial district has demonstrated what security experts have been saying for years: employees - even those working with ultra-sensitive financial data - are unaware of or don't care about basic security practices.
In the experiment, CDs were handed out to commuters as they entered the city. Recipients were told the disks contained a special Valentine's Day promotion. In reality, though, the CDs contained nothing more than code that informed the company performing the experiment how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail financial institution and two global insurers.
No, "pod slurping" is not something that happens in a sci-fi movie (although that's not a bad idea...); it's the practice of using an iPod or other small, portable memory device to illicitly download corporate data. Here are three things you need to know about this alarming new security threat, also called "bluesnarfing." 1: It's a growing risk. In two minutes, analysts say, it's possible for an iPod to extract about 100 megabytes of Word or Excel data from a corporate network. Experts agree that as iPods, memory sticks, and digital cameras proliferate in the workplace, more employees are bluesnarfing critical information at an alarming rate. To prove the point, one security guru wrote a program that searched the corporate network for business-critical data, which he then downloaded to his music player - looking for all the world like any worker listening to tunes.
In this article, I talk briefly about security incident investigators, their training and their role within an organization. Some regulations and standards require proper training of security incident investigators. ISO/IEC 17799 clarifies the need for trained security investigators when it states "When an information security event is first detected, it may not be obvious whether or not the event will result in court action." Let's talk for a moment about the initial detection of a possible security event. Who normally suspects or discovers it? Nearly always, the breach will be noticed either by an end user or a member of the Information Technology (IT) staff. I'll not spend time talking about end user training except to say that end users must be trained to notify a member of the IT staff immediately any time that something doesn't appear "right" with their machine - and take no other action. We do not want or need well-meaning but inept end users "assisting" us in gathering evidence. The IT staff should respond immediately to reports of suspected breaches and should be able to determine quickly if a possible security incident has occurred. Once confirmed, the matter is turned over to security investigators for further action.
Preparing for security incident investigations
Preparation is the most important phase of security incident investigations since most of the requirements previously discussed can't be addressed at the time the investigation is being conducted. Preparations shall therefore address these requirements (what the investigation must provide) and also the needs of the investigation process itself (i.e. all that is required by the investigation process from other sources). To increase speed, we need to perform as many tasks as possible before any investigation starts. These tasks include:
- Gathering contact information
The way security investigations are performed in financial institutions is receiving more attention nowadays. In the past, general procedures and practices for incident response were acceptable. However, due to security trends and regulations that affect institutions specifically, these institutions require slightly different approaches to their security investigation programs in order to account for these new regulations and security trends. This article provides a general overview of the security investigation process, how it fits within the incident response process, the required preparation process, specific issues in financial institutions that need to be considered and the relationship between this process and security intelligence activities.
About a year ago I was in the process of trying to find an information security professional to augment existing staff. Our company used a personnel firm that specialized in placing contract IT and security professionals. It occurred to me that we weren't very circumspect about requiring background investigations before hiring contractors. That needed to change. I didn't know enough about how background checks were performed and I wasn't sure that our HR organization was requiring them for contractors, so I took it upon myself to ask the personnel firm to perform one. I never received any kind of report, just an email stating the check had been performed and the person checked out fine. We contracted the young man to work for us, but it bothered me that I didn't really understand what had been done and what "checked out fine" really meant. I did a little research on the net and found very little helpful information. I did notice a variety of websites promising quick background checks for a small fee. I contacted a well known company in San Francisco and talked to one of the HR persons there and found out that they used a company called Inquest. I contacted a company representative to find out more.
Cyber-criminals are targeting the most vulnerable access points within businesses - employees - to execute their attacks, a new study finds. In its annual closely watched security report, IBM warns that although widespread virus outbreaks are on the decline, on the whole online attacks are expected to rise in 2006. The culprit: highly targeted attacks that rely on naive users. According to IBM's 2005 Global Business Security Index Report, e-mail-borne viruses dropped sharply in 2005. In 2004, 6.1% of e-mails contained a virus; in 2005, that declined to only 2.8%. "What we're seeing is more directed targeted attacks, and we really think that's because of the financial motivation and the underground economy driving those things," an IBM security expert said.
New Trojans Target Financial Institution Accounts
There are many unpleasant tasks in life and work. Monitoring employee behavior is one of those unpleasant tasks. Management has to take a strong role in ensuring that liability does not come the company's way, i.e., Risk Management. New regulations hold management responsible for employee behavior which can cause the company to be subject to monetary loss, criminal charges, and civil lawsuits. The buck stops here. Most of us don't want to be Big Brother. We don't like the idea of "spying" on our employees. We don't like the taste of infringing on someone's privacy because we value our own. However, what you don't know will hurt you and may hurt you in a court of law. Fortunately technology has made our job a lot easier.
Nearly four out of five technology professionals believe employees are putting their companies at risk by failing to act safely online, according to new research. In a study by anti-virus firm Sophos, 79% of the IT workers polled said that in spite of their group’s instructions, many employees continue to open unsolicited e-mail messages and attachments, and to inadvertently download spyware from Web sites.
According to a Harris Interactive survey of U.S. office workers, 68% of employees have sent or received e-mails that could pose a risk to their company. The survey shows that even if you think you’re e-mailing out a harmless joke, gossip, or innocent information about your company, you could be putting yourself – and your employer – at risk. Although the poll found that 68% of U.S. employees who use e-mail at work have sent or received risky messages, 92% fail to see that the e-mails could harm their company. That means there’s a substantial discrepancy between employees’ perceived and actual risks. The survey examined the e-mail habits of over 1,000 individuals and uncovered a number of issues that raise concerns for businesses – both in the way employees are using and storing their corporate e-mail.
Omar Herrera
Information security personnel in Financial Institutions
Financial institutions have specific requirements for the experience and abilities of their information security personnel. However, it is becoming harder for qualified professionals to satisfy requirements from these institutions. While information security personnel can be trained in specialized areas of information security, they still need to have relevant general information security background and a minimum number of years of experience in the industry.
Andrew Miller - CUInfoSecurity.com Editor
The year 2005 will likely go down in history as the year of the data security breach. It was a year in which CardSystems Solutions Inc. revealed a security breach that exposed data on potentially more than 40 million payment-card accounts. DSW Shoe Warehouse disclosed the theft of credit-card data on 1.4 million customers. Information brokers LexisNexis and ChoicePoint revealed breaches involving millions of sensitive records. It was also the year of lost data, with UPS, Citigroup, Bank of America, Ameritrade, and Time Warner all reporting losses of backup tapes containing sensitive data.
Marcia Wilson - CUInfoSecurity.com Editor
In the year 2005, there were over 53 million individuals affected by security breaches wherein their personal information was compromised. The ChoicePoint incident was considered one of the first highly publicized events where notification to the individuals affected was made. As the year closed, more than half the States’ Legislatures considered or approved bills to protect citizens’ personal information. Congress considered several bills that would make notification of a security breach mandatory nationwide. The cause of security breaches varies widely from compromised passwords, to stolen laptops, to lost backup tapes, dishonest insiders, online exposure, hackers, and even inadvertent disclosures such as sending out an email containing social security numbers to a mass mailing list. The onus of protecting personal information sits squarely on the data owner’s head. What can financial institutions do to make sure that employees do not participate either willingly or unwillingly in data disclosure?
In our ten years’ experience in detecting, locating, and prosecuting network intruders (hackers) we have seen that, as with many offline crimes, robust law enforcement alone cannot solve the network intruder problem. To be effective, any overall strategy must include the owners and operators of the nation’s computer networks. They are the first line of defense and have the responsibility to take reasonable measures to ensure that their systems are secure. They are also in the best position to detect intrusions and take the first critical steps to respond. At the most basic level, we rely on network operators to report to us when their systems are hacked. Intrusion victims, however, are often even more reluctant to call law enforcement than other business victims. This reluctance has been reflected in the surveys conducted jointly by the Computer Security Institute and the FBI. In the year 2000 survey, for example, only 25% of the respondents who experienced computer intrusions reported the incidents to law enforcement. To better understand why and to learn how we can promote reporting, the Department of Justice has undertaken a concerted effort to reach out to the operators of our nation’s computer networks.
Enacted in the USA Patriot Act of 2001. Section 202: Authority to Intercept Voice Communications in Computer Hacking Investigations. Previous law: Under previous law, investigators could not obtain a wiretap order to intercept wire communications (those involving the human voice) for violations of the Computer Fraud and Abuse Act (18 U.S.C. § 1030). For example, in several investigations, hackers have stolen teleconferencing services from a telephone company and used this mode of communication to plan and execute hacking attacks. Amendment: Section 202 amends 18 U.S.C. § 2516(1), the subsection that lists those crimes for which investigators may obtain a wiretap order for wire communications, by adding felony violations of 18 U.S.C. § 1030 to the list of predicate offenses. This provision will sunset December 31, 2005.
How likely are you to be wooed into a false sense of security by a friendly face or the promise of a cash prize?
Andrew Miller - CUInfoSecurity.com Editor In October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for authentication in the Internet banking environment. Financial institutions are expected to achieve compliance by year-end 2006. The guidance states: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."
Pete Boergermann - CUInfoSecurity.com Contributor Gone are the days when we could just throw a hub on a closet shelf, run a few network cables, connect some PCs and a server to it, and have a network. Logs? What logs? Why would we want to look at them? Times have changed, and most devices connected to your network have logging capabilities. These devices can produce large amounts of valuable data, but it can be overwhelming to manage. A new industry that creates technology to manage security event logs is just starting up. As this technology matures, we may end up with products that can correlate the data between devices and alert us to events on a global, multi-device level. Maybe these new products will be able to learn and adapt to new event information, possibly make assessments based on trends, and then send only the alerts that need to be acted upon. Now that securing our networks is so important, we should be asking q