Over 3,700 security professionals gathered in Las Vegas early this month to preview the latest threats and to see firsthand what new attacks and compromises are coming. This year's conference was substantially bigger than last year's and included significant representation from vendors and from the legitimate, white-hat security community. Unfortunately, the news from Black Hat 2007 is not good for banking and finance executives. Numerous experts demonstrated attacks that can be launched without writing any malicious code: many features of commonly used protocols, when combined in creative ways, expose users and companies to significant vulnerabilities. One of the more interesting presentations was by Bryan Sullivan and Billy Hoffman of SPI Dynamics on the vulnerabilities of AJAX applications. Many banks and other financial organizations are adopting AJAX to give their users a richer web experience.
No matter who the vendor is, or how long they have supplied their service or product to your institution, you need a written contract. Even the company that supplies your bottled water needs a simple form contract. Vendors are doing work for you, and many of them handle data that your regulators would consider sensitive.
The Check Clearing for the 21st Century Act (Check 21) has created new opportunities for financial institutions and customers. By eliminating the need to transport paper checks, remote check capture can provide significant cost savings for financial institutions. Customers benefit as well: retail customers can receive image proof-of-deposit at an ATM or other remote capture site, and commercial customers can deposit imaged checks directly at their own premises.
At the same time, remote check capture carries operational risks that, left unmitigated, could expose a financial institution to fraud losses. According to a 2006 white paper published by the BITS Fraud Reduction Steering Committee, the use of the Internet to transmit check image files could be exploited by criminals: "Remote deposit image files will be open to all the same attacks that online banking or online commerce face. Files could be intercepted on the Internet and either be edited for fraudulent submission or mined for fraud and identity theft."
Information security risks therefore include unauthorized access to or use of the imaged information, submission of edited or unauthorized files for clearing, and loss of data. Fortunately, strategies exist for mitigating these risks.
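The two transmission risks named above, an image file edited in transit and a file resubmitted without authorization, are both integrity problems, and the usual mitigation is to bind each file to a message authentication code and a deposit identifier that the clearing side checks before anything is presented for payment. The following Python is an added illustration, not code from the BITS paper or from any vendor's remote capture product; the shared key, the file id scheme, the check image bytes and the envelope format are all assumptions constructed for the example. It does not replace TLS on the connection (which protects confidentiality and is still needed against the "mined for fraud" risk); it shows the application-layer check that survives even if the transport is broken or the file is stored and replayed later.

```python
import base64
import hashlib
import hmac

# Hypothetical shared secret between a remote capture site and the bank's
# clearing gateway. In production it would be provisioned per device and
# kept in a key manager, never hard-coded.
SHARED_KEY = b"example-remote-capture-key-not-for-production"

# Constructed stand-in for a check image file. Real files would be TIFF or
# X9.37 data; the integrity logic treats the content as opaque bytes.
SAMPLE_IMAGE = b"CHECKIMG\x00payee=ACME Supply\x00amount=100.00\x00serial=4711"


def _mac_input(file_id: str, image: bytes) -> bytes:
    # Length-prefix the file id so "ab" + "c..." and "abc" + "..." cannot
    # produce the same MAC input.
    fid = file_id.encode()
    return len(fid).to_bytes(4, "big") + fid + image


def make_envelope(key: bytes, file_id: str, image: bytes) -> dict:
    """Built by the capture site: the image plus an HMAC-SHA256 tag bound to
    the deposit's file id, so neither the content nor the id can be changed
    in transit by anyone without the key."""
    tag = hmac.new(key, _mac_input(file_id, image), hashlib.sha256).hexdigest()
    return {"file_id": file_id,
            "image": base64.b64encode(image).decode(),
            "tag": tag}


class ClearingGateway:
    """Receiving side: verifies the tag and refuses file ids already cleared."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = set()

    def accept(self, envelope: dict) -> tuple:
        try:
            file_id = str(envelope["file_id"])
            image = base64.b64decode(envelope["image"], validate=True)
            tag = str(envelope["tag"])
        except (KeyError, TypeError, ValueError):
            return (False, "malformed envelope")
        expected = hmac.new(self._key, _mac_input(file_id, image),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; never compare MACs with ==.
        if not hmac.compare_digest(expected, tag):
            return (False, "integrity check failed")
        if file_id in self._seen:
            return (False, "duplicate file id (possible replay)")
        self._seen.add(file_id)
        return (True, "accepted")


def edit_in_transit(envelope: dict, old: bytes, new: bytes) -> dict:
    """Simulate an on-path attacker rewriting the image without the key."""
    image = base64.b64decode(envelope["image"])
    forged = dict(envelope)
    forged["image"] = base64.b64encode(image.replace(old, new)).decode()
    return forged


def run_demo() -> dict:
    gateway = ClearingGateway(SHARED_KEY)
    legit = make_envelope(SHARED_KEY, "dep-2007-0001", SAMPLE_IMAGE)
    results = {}
    results["legit"] = gateway.accept(legit)
    # Attack 1: the amount is edited on the wire, so the tag no longer matches.
    results["edited"] = gateway.accept(
        edit_in_transit(legit, b"amount=100.00", b"amount=900.00"))
    # Attack 2: the intact file is resubmitted for a second deposit.
    results["replayed"] = gateway.accept(legit)
    # Attack 3: the valid file is relabelled with a fresh id to dodge the
    # replay list; the id is inside the MAC, so this fails the integrity check.
    relabelled = dict(legit, file_id="dep-2007-0002")
    results["relabelled"] = gateway.accept(relabelled)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:>10}: {outcome}")
```

Two design points matter in practice. The file id is part of the authenticated input, not just a lookup key, which is what stops an attacker from reusing a valid tag under a new id. And the replay list has to be durable and shared across every gateway instance that can present files for clearing; an in-memory set, as here, only demonstrates the rule.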
Manual processes leave financial institutions open to insider threats, according to a new Ponemon Institute study in which nearly 60 percent of U.S. businesses and government agencies reported that they lack the information or the technology to deal with insider threats to their networks. "For the financial services industry there are some important implications in terms of account takeover, authentication credentials and a very big risk of a harmful event if someone gains control of part of a financial institution's network," said Larry Ponemon, President of the Ponemon Institute.
Financial institutions can expect increased scrutiny of their information security policies in 2007 as regulators devise new oversight standards. In December, the Public Company Accounting Oversight Board (PCAOB), which sets the auditing standards used for Sarbanes-Oxley compliance, proposed a new standard for Section 404 of the act, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants and payment processors to implement stringent IT security controls, such as additional firewalls and access controls.
EMC Corp.'s recent acquisition of RSA underscores the convergence of information security and storage. EMC, which sells large storage systems for corporate data centers, bought RSA, a maker of encryption software and authentication devices, to gain identity and access management technologies and encryption and key management software that will help EMC deliver information lifecycle management. RSA also makes the SecurID one-time-password tokens that companies issue to customers and employees to authenticate users, and supplies the SiteKey technology that Bank of America uses to authenticate its online banking site to customers before they enter their credentials.