ELAN WINKLER: If you take a look at just complying with HIPAA as an individual project, and then worry about how you are going to comply with SOX, and then worry about how you are going to comply with PCI, you are doomed to fail. If you look at compliance as an individual project it ain’t going to work; bottom line. What you need is a complete infrastructure that enables the right levels of security processes and procedures to protect the data that is being required by that particular regulation approximately.
The Solution: Protect Your Brand Name and All Variations
Bank and credit union customers are at risk of falling victim to the classic and growing Internet scam known as cybersquatting. Cybersquatters are entities that create Web addresses remarkably similar to addresses for well-known companies, institutions or products. For example, known cybersquatting Web sites include dellcomputersystem.com instead of dell.com, samslcub.com instead of the correctly spelled samsclub.com, and vvachovia.com instead of Wachovia.com.
It’s About Protecting the Network Endpoints
Last week’s announcement of yet another unencrypted laptop being stolen – this time it is retailer The Gap’s recruiting vendor and its gaping lack of security (the vendor laptop was stolen with personal information of 800,000 applicants, according to the Gap press release) – opens another line of questions for financial institutions. Is the increased productivity of portable devices (laptops, USB drives, etc.) worth the risk of infection or data theft? More importantly, are you able to defend your networks from the invasion of the external threats that seemingly pile up at your firewall due to the use of these endpoints?
Richard Swart: Hi, this is Richard Swart with Information Security Media Group. Today I’ll be speaking with Debbie Wheeler, CISO of Fifth Third Bank. How are you doing this morning, Debbie? Debbie Wheeler: I’m doing well. Thank you. Swart: I appreciate you taking time to talk to us today. I’d like to talk about some of your experience. I know you have an extensive background in information security, and you’ve also spent quite a bit of time there at Fifth Third Bank working on issues around identity access management. I was wondering if you would tell our listeners, what are the critical success factors for an identity and access management program? Wheeler: I’d have to start with understanding what roles the organization uses or needs. That’s probably first and foremost. And in some of the conversations that Fifth Third has had with some other financial organizations that are attempting to implement identity and access management programs, specifically around provisioning, roles are the number one concern that’s raised over and over again. Fifth Third started about four years ago defining the roles that they were going to use to provision access, and having that structure in place has allowed us to very rapidly deploy over 200 applications to a centralized provisioning product from which we delegate and administer access and entitlement. I think the biggest challenges in trying to obtain or administer an access and identity management program are really selling the value to senior management.
Whether you know where the sensitive, personally identifiable information is on your networks isn’t in question, nor is anyone asking if you have secured it. But what about the data on the devices that disconnect from your network (think of laptops, external drives, USB sticks)? Are they secured, or is the data on them encrypted? The results from a recent study by the Ponemon Institute show that the majority of businesses don’t manage the protection of these devices very well.
Can Happen Here – Be Vigilant
It’s the worst nightmare for an information security pro: Your website is hacked, and user accounts are compromised. The announcement two weeks ago that the Bank of India website was compromised by 30 pieces of malware should be the “shot across the bow” for financial institutions here in the U.S., according to one information security researcher.
Analysts at Gartner and IDC identify “super user” access as the root of three of the top eight common sources of compliance risk. But what can you do about it? This podcast addresses the following questions: What is a super user? What security risks do super user accounts create? What steps can organizations take to limit the threats posed by super user accounts? The podcast takes a closer look at super user accounts and discusses what can be done to protect against their misuse.
The sixth anniversary of September 11th draws near, and the question floating among those in the financial services industry remains, “Is my institution ready in the event another 9-11 happens?” Information security expert William Crowell believes that having a completely integrated and converged security program at your institution will help prepare your staff to handle what may be termed a catastrophic event. “September 11th was the wakeup call for the security industry as a whole,” said Crowell.
Researchers from New Zealand’s Honeynet Alliance report that anyone is at risk on the Internet. Increasingly, attackers are part of organized crime, set on defrauding their victims. The attackers’ goal: deploy malware on a victim’s machine and start collecting sensitive data, such as online account credentials and credit card numbers. Since attackers have a tendency to take the path of least resistance
RICHARD SWART: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with James Kist, who is a senior consultant for Icons Inc. He has more than 15 years’ experience in information technology and has authored courseware on several topics including network security, Unix system security, web application security and wireless network security. He regularly conducts penetration tests and vulnerability assessments against various types of systems and networks. He is a Certified Information Systems Security Professional, CISSP, and is SANS GIAC GWAS, which is a GIAC Web Application Security Certified Professional. He has a Bachelor’s degree in Computer Science from the University of Buffalo.
Over 3,700 security professionals gathered in Las Vegas early this month to preview the latest threats and to see firsthand what new attacks and compromises are coming. This year’s conference was substantially bigger than last year’s and included significant representation from vendors and the white hat (legitimate) security community. Unfortunately, the news from Black Hat is not good for banking and finance executives. Numerous experts demonstrated attacks that could be launched without creating malicious script. Many features of commonly used protocols, when used in creative ways, can expose users and companies to significant vulnerabilities. One of the more interesting presentations was by Bryan Sullivan and Billy Hoffman of SPI Dynamics on the vulnerabilities of AJAX applications. Many banks and other financial organizations are adopting AJAX to give their users a richer web experience.
I would not want to be a financial institution in the state of Texas these days. Texas Attorney General Greg Abbott has started aggressively enforcing two Texas identity theft laws. Financial institutions are just like every other business: they produce mounds of paper and trash. What financial institutions often forget is that financial trash can be considerably more revealing (and valuable) than that of, say, an auto repair shop or other business. While recent headlines have covered the myriad stories of electronic data breaches in which the personal information of millions of customers was stolen, the loss of paper copies of similarly valuable information is regrettably pushed aside.
If your institution is considering a move to “Voice over Internet Protocol” (VoIP) phone systems, you’ve already been doing some research on the subject. While VoIP is on its way to becoming the default technology choice for many financial institutions’ voice services, maintaining call quality and ensuring security still present many challenges.
The recent announcement by Fidelity National Information Services, a financial processing company, that one of its employees at a subsidiary stole 2.3 million consumer records containing credit card, bank account and other personal information is yet another drop in the bucket of data leakage.
While consumers like the convenience of online banking, financial institutions need to be prepared to mitigate certain risks that may expose consumer information, says a leading authority on data security and privacy.
Today, we will be speaking with Stephen Northcutt, CEO of the SANS Technology Institute, a postgraduate level IT security college, and an acknowledged expert in training and certification. He founded the GIAC certification and is author and co-author of numerous books, including the seminal book in intrusion detection. Before taking a leadership role at SANS, he served as the Information Warfare Officer at the Ballistic Missile Defense Organization, founded the Global Instant Analysis Center, and led the Naval Service Warfare Center Shadow Team. Stephen will discuss careers in information security, and the role of certification.
It’s going to be a long hot summer for many U.S. financial institutions when it comes to online attacks. RSA’s Anti-Fraud Command Center issued its monthly online fraud intelligence report for May, and the statistics show that attacks on U.S. nationwide banks account for 33 percent of all attacks on U.S. financial institutions – more than double the April figure.
Curtis Moroney, systems administrator at Mississippi-based Britton & Koontz Bank, had been dealing with spam-related issues for almost ten years and had seen the problem get progressively worse
Like comic book super villains, spam kingpins always seem to find new ways to thwart the technology heroes that fight against junk mail. Just as it seems that they’ve finally been vanquished, they manage to elude the traps laid by anti-spam technology vendors in order to flood the inboxes of innocent users.
Laptop and mobile security is part of any institution’s physical computer security effort. For some people, a laptop is their travel buddy and losing it or any data on it would be disastrous to your institution as well as to the employee.
The science fiction movies from the 1960s had talking computers that interacted with humans. That was considered a far-fetched idea in its time, but the current state of technology for voice biometrics and voice recognition has brought the standard up to a level where banks, including major international entities such as ABN AMRO, are implementing the technology to augment online banking transaction authentication.
Financial institutions need intrusion detection systems that incorporate wireless
The biggest credit-card hacking incident in history exploited a weakness in wireless network security that could have easily been fixed. The lesson for financial institutions is to plug all such weaknesses before wrongdoers discover them. TJX Companies, owner of T.J. Maxx and other retail brands, says that at least 45.7 million credit and debit cards were compromised over several years. Intruders gained access to TJX’s computer systems beginning in 2005 and continuing until January 2007. Although debit card PINs weren’t compromised, unencrypted magnetic stripe data, also known as “track 2 data,” was stolen on transactions that occurred before September 2003, the company said. Investigators believe hackers used handheld de
At your financial institution, what would you consider your worst threat for data loss? Hackers? Let’s face it, everyone who is trying to breach your defenses really just wants to join those insiders who are already running amok on your network. If you’re not cognizant of the insider threat in your institution, you will need to rethink your security strategy.
Knowing where and when your employees are accessing data means watching your endpoints. Endpoint controls can play a key role in preventing or reducing the insider threat, says Ari Tammamm, an information security company executive. Financial institutions are doing a better job than many other companies because of the regulatory compliance that goes along with being a financial institution, but the threat is still
In spite of doom-and-gloom predictions following the FFIEC’s guidance announcements, financial institutions are able to balance convenience with security
As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year’s Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security. However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted, in spite of the fact that most of them are unaware of the new regulation.
It’s always sitting there like the 800-pound gorilla in the room – the upcoming IT Audit at the institution. No one asks if it’s still there, because we all know it is. We’ve all gone through at least one IT audit, some successfully, others of us have been handed a list of recommendations from our auditors. One of the drivers behind an IT audit is the list of 114,000 new regulations (according to the OMB) passed in the U.S. since 1981, and these regulations include the Sarbanes Oxley Act (SOX). SOX is more than just 404 documentation. From proper retention, retrieval and disposition of audit data to corporate responsibility for financial reports to real-time disclosure, SOX places a comprehensive compliance burden on a financial instit
One of the best ways financial institutions have of protecting critical infrastructure is to monitor system logs, which contain a gold mine of information about the health of the network.
In what is being described as a “wow” product in the growing line of multi-factor authentication products being developed to meet increased regulation for stronger authentication, VeriSign Inc. announced its partnership with Innovative Card Technologies, Inc., the developer of the ICT DisplayCard, to launch credit and debit cards that generate six-digit, one-time-use passwords as a form of online authentication.
As an information security professional at your institution, would you know what signs and indicators to monitor for an insider attack? Dr. Eric Cole, a noted information security expert who has studied insider threats and investigated them at financial institutions, says the problem isn’t only identifying potential insider attacks, but how much attention is being focused on this continuing threat.
Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly?
The Check Clearing for the 21st Century Act (Check 21) has created new opportunities for financial institutions and customers. By eliminating the need to transport paper checks, remote check capture can provide significant cost savings for financial institutions. Customers benefit as well: retail customers can receive image proof-of-deposit at an ATM or other remote capture site, and commercial customers can deposit imaged checks directly at their own premises.
The revelation by TJX Companies, owner of T.J. Maxx and other retail brands, that at least 45.7 million credit and debit cards were compromised over several years highlights anew the risks associated with processing card transactions and the need to protect the information they contain.
A recent survey of banking executives showed the overwhelming majority plan to increase spending on automated Anti-Money Laundering (AML) transaction monitoring and on staff to help strengthen their compliance programs. Darren Donovan, head of KPMG’s Forensic Services said the survey, administered by KPMG during the Florida International Bankers Association Annual AML Compliance Conference,
What are some of the constants - - and you’ve obviously, with your years of experience, seen many of them, but what are we still dealing with, the problems you had back in the early days, in terms of information, security and risk? And is the TJX data breach that just recently hit the headlines a glimpse of what we can expect to happen when security and operational risk management doesn’t occur? RHONDA MACLEAN: Well, I’d like to say it’d be nice if we didn’t see those kinds of things occur. But I think we will continue to see them, and I think this is where the challenge lies. And TJ Maxx is just one of the companies that have had it - - we’ve had recent headlines over this last year. You can go back and look at the Department of Veterans Affairs and the big data loss that occurred there.
The Gramm-Leach-Bliley Act may not appear to have anything to link it to the Voice over IP technology being implemented in financial institutions, but IT departments and Information Security officers should look closely at how the new phone systems may be audited under GLBA regulations. GLBA audits would focus more on data privacy, and specifically on Section 501 of Subtitle A, which requires companies to ensure the security and confidentiality of customer records and information. They also need to protect against any anticipated threats or hazards to the security and integrity of these records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
Banks are attracted to Voice over Internet Protocol (VoIP) as an alternative to traditional telephone networks because of the potential cost savings, including elimination of long distance charges and the need for only one network to manage both voice and data. However, VoIP entails increased data security risks, which must be addressed before implementing a solution. According to the FDIC, VoIP is susceptible to the same risks as data networks that use the Internet, such as exposure to viruses, worms, Trojans and man-in-the-middle attacks. Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud (theft of service), all of which can result in the loss of privacy and integrity.
Being an information security officer at a financial institution isn’t an easy job, but imagine being the first Chief Information Security Officer at your institution, and the first one, period. Steve Katz shared his thoughts on information security from his unique perspective of being just that—the first CISO of a major financial institution. What many of us take for granted in our programs was hewn out of thin air by Steve since the mid 1980s. Steve Katz is a true luminary among the information security community. Known as the world’s first chief information security officer, Katz is widely regarded as one of the discipline’s thought leaders. In addition to his role since 1985 as a senior security executive for J.P. Morgan, Citibank/Citigroup and most recently Merrill Lynch, he has been a force at both industry and government levels in raising the visibility and shaping the direction of the security industry.
LINDA MCGLASSON: Are we in information security becoming too complacent? I mean, we have a lot of zero-day threats, hundred thousand node botnet sending us virus threats and all things like that, and those of us in information security, you know, look at the situation and think that this is normal operation procedure, are we too complacent? WYATT STARNES: I think we are too complacent, and I actually think we’ve been overly, sort of, complacent and self-secure, self-assured for actually quite some time. When you kind of zoom back and look at some of the physical threats in our world, specifically, the tragic events of September 11th, 2001, where we found we were dramatically exposed to physical harm within our own boundaries, I think in the cyber-security world, we haven’t really seen our September 11th, 2001 yet. We are exposed. We continue to be exposed, and information technology is prospectively an important new attack vector for us in our industry and in our economy, and frankly, in our political system as well.
The small bank market depends on its leading vendors for its latest technologies, including remote capture, and fraud and security applications, according to a report completed last month. In the new report, Evaluating the Vendors of Small Banks' Core Banking Systems, Aite Group evaluated and compared the small-bank core systems, cross-selling strategies, and successes of eight of the leading technology providers in the U.S. small-bank market.
Prior to joining the American Bankers Association, Doug spent ten years as Assistant Director of the Florida Division of Banking, where he oversaw the supervision and regulation of Florida’s domestic and international banking industry. During that time, Doug served as an advisor to the US Congressional Office of Technology Assessment, assisting in their study of the use of information technologies for the control of money laundering. He also spent time in Miami as a planning analyst for Royal Trust Bank Group and as a bank consultant for First Research Corporation. He has a bachelor’s degree in Economics from the University of Florida and a master’s in finance from Florida State University. The ABA was founded in 1875 and represents banks of all sizes on issues of national importance for financial institutions and their customers. The ABA, on behalf of the more than two million who work in the nation’s banks, brings together all categories of banking institutions to best represent the interest of this rapidly changing industry. And Doug, we’re going to go right into the questions. First, hello.
Securing the network against intrusion is more than complying with the Federal Financial Institutions Examination Council’s mandate for strong authentication—although it’s certainly that. It also makes good business sense. Financial institutions that implement information security technology and procedures have a much greater chance of allaying customer fears about identity theft than those that don’t. Among the first steps that should be taken is installation of an active monitoring device that actively probes the network to see what devices are on the network and what services are being run. Whenever a new device is plugged into the network or something else changes, the network monitoring system alerts the IT department to investigate.
Are financial institutions implementing the multifactor authentication laid out in the FFIEC Guidance? That was one of the issues discussed at the RSA panel presentation, "37 Days After the FFIEC Guidance Deadline." The panel of banks, credit unions and industry experts talked about what it took to get this far, and what is expected to happen next. Lee Carter, President of Online Banking at Zions Bank in Centerville, UT, was on the panel and he voiced optimism about the multifactor authentication guidance. He explained the Zions Bank's implementation of its new authentication method, "It was days if not hours after the implementation that we had people [hackers] banging on our front door trying to figure out what we were doing. They were pretty persistent, and put up phishing sites to try to figure it out, we got those taken down, and they since have stopped."
LINDA MCGLASSON: Welcome to another podcast in our podcast series. I’m Linda McGlasson with BankInfoSecurity.com, and today we’re speaking with Catherine Allen, CEO of BITS, the financial services roundtable. Catherine Allen is a noted innovator and visionary in the financial services industry. Named as one of 16 unsung heroes and rising stars by Fast Company Magazine, she led BITS from a fledgling organization in 1996 to its current status as key industry forum for cutting edge issues in financial services. She is frequently consulted as an expert on the subjects of security, e-commerce, and payments. She sits on the Boards of the Financial Services Technology Consortium, the Financial Services Sector of Coordinating Council, MIST, and Hudson Ventures, and serves on taskforces as well as a number of industry groups. We’ll get right into the questions. You have the ears and know the opinions of the top 100 financial organizations in the United States. What is their vision, in your view, of the state of information security at financial institutions here in the United States?
Information Security Media Group, Corp. is launching a new sister website specifically for the credit union community - CUInfoSecurity.com. The new site organizes the latest credit union information security related regulations, news, articles, white papers, industry related events, webinars, education and resources all dedicated to credit union information security. Governing bodies such as the National Credit Union Administration (NCUA), and the state banking agencies release guidance and regulations on information security topics (specifically directed toward the credit union and financial industries), and CUInfoSecurity.com (http://www.CUinfosecurity.com) helps the credit union information security community interpret and incorporate these constructive hurdles into their plans and budgets effectively. With the launch of the new site, CUInfoSecurity.com announced its partnership with CUES, the Credit Union Executive Society. The partnership with CUES allows content from CUInfoSecurity.com to be sent to CUES members, including information on webinars, news and original interviews. CUInfoSecurity.com features an editorial staff filled with experts in the Credit Union Information Security industry. By reporting on new regulation topics, industry trends, and concerns, CUInfoSecurity.com writers keep the credit union community up-to-date with industry best practices. CUInfoSecurity.com will offer interactive webinars that keep the credit union information security community in touch with current issues and regulations that affect the way credit unions do business.
These sessions focus on topics such as identity theft, penetration testing, IT audits, Strong Authentication in Internet Financial transactions, and the Information Technology Risk Management Program. These webinars are hosted by experts in the credit union information security industry who truly understand the mindset and needs of the credit union community.
Voice verification is a form of biometrics that involves using voice prints and recognition of the user's phone, a combination known as a voice token. It is regarded as a next-generation authentication technology. The more-advanced voice recognition systems record and store combinations of sounds and notes. For example, a user records his name or a snippet of a song at the time of enrollment. In subsequent transactions, the user replays the recording using a special hardware token to authenticate. In the event that a user's biometric credential is compromised, the system enables re-enrollment using a new voice template.
Dr. Jakobsson is also Associate Director of the Center of Applied Cybersecurity Research, and the founder of RavenWhite, Inc. He is the inventor or co-inventor of more than fifty patents, has served as the Vice President of the International Financial Cryptography Association, and is a Research Fellow of the Anti-Phishing Working Group. Prior to his current position, he was Principal Research Scientist at RSA Laboratories, a member of technical staff at Bell Laboratories, and Adjunct Professor at New York University. He is an Editor of The International Journal of Applied Cryptology, and a Group Editor of the ACM Mobile Computing and Communications Review. His latest book, Phishing and Countermeasures was released last year. He is co-editor and author of upcoming books on crimeware from Symantec, click fraud and cryptographic protocols. He has also served as the Editor of the RSA Cryptobytes for several years. Professor Jakobsson researches fraud, social engineering and phishing, and the prevention of these attacks.
The need to store and manage mushrooming quantities of unstructured content such as e-mails, instant messages, voice messages, and images is a major pain point for financial institutions of all sizes. An estimated 60 billion e-mails are sent across the globe each day and almost 80% of companies accept e-mail as confirmation of business transactions. With the recent amendments to the Federal Rules of Civil Procedure (FRCP), which bring e-mail and other electronically stored information squarely into the discovery process in court proceedings, it's imperative that electronic communications be rigorously managed throughout its lifecycle.
Banking via telephone and wireless mobile devices has become an important delivery channel for financial institutions. As with Internet banking, telephones and wireless devices afford great convenience for bank customers, but unfortunately they too are prone to phishing and other forms of attack. The Federal Financial Institutions Examination Council has made clear that banks need to safeguard all customer channels against fraud. Understanding the risks and the steps to mitigate them can go a long way to securing not only a bank's information, but its reputation as well.
Today we're speaking with Alan Paller of the SANS Institute. For those of you who don't know, SANS is the most trusted and, by far, the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. Their website is www.sans.org. Alan is the director of research for the SANS Institute, and he's responsible for overseeing all research projects ranging from the SANS Step-by-Step Guides to the SANS Digest to the top 20 Internet Security Tricks. He's also the founder of the CIO Institute and earned his degrees in computer science and engineering from Cornell and MIT. Alan is the author of the EIS book Information Systems for Top Managers and How to Get the Best Presentation of your Life. In 2001, the President named Alan as one of the original members of the National Infrastructure Advisory Council; and in 2005, the Federal CIO Council chose him as its 2005 Azimuth Award winner, recognizing his vision and outstanding service to federal information technology.
A world authority on software and application security, Gary McGraw, PhD and CTO of Cigital, carries the software security torch. Over the past 11 years his six books on the subject of software security seem to have touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and antivirus mechanisms came to understand and embrace the necessity of better software. Author of more than 90 peer reviewed technical publications, he is a principal investigator working with the Air Force Research Labs, DARPA, National Science Foundation and NIST's Advanced Technology Program. He also is an advisor to top U.S. university computer science departments, and sits on the IEEE Board of Governors. In this interview McGraw discusses with BankInfoSecurity.com the state of information security in the financial services industry, pervasive computing, the trusted computing initiative, cyber threats on the horizon for financial institutions, software security, information security for mid and smaller institutions; Vista - Microsoft's new OS, and Google's code search capabilities.
With the deadline passed for compliance with the Federal Financial Institutions Examination Council (FFIEC) guidelines, financial institutions are seeking cost-effective strategies that meet or exceed regulatory and customer expectations. According to the FFIEC, any system that permits the movement of funds to other parties or access to customer information is deemed high-risk, necessitating stronger authentication or additional controls. At a minimum, this means two-factor or layered single-factor authentication. In two-factor authentication, the user presents both something he knows, such as a password or PIN, and something he owns, such as a PC, phone, or one-time password. In layered single-factor authentication, the user presents two of the same factor (e.g., two separate passwords). This is as far as most banks go in authenticating customers.
During Howard Schmidt's remarkable career in public and corporate service, he has seen it all from the inside. He began his information security career in government in the U.S. Air Force and helped establish its groundbreaking computer forensics lab. He then moved into law enforcement. Later he left public service to head information security at software giant Microsoft, and then at online auction site eBay. After 9/11, he was appointed Vice Chair of the President's Critical Infrastructure Protection Board and was Special Advisor for Cyberspace Security for the White House. Schmidt is currently the International President of the Information Systems Security Association (ISSA). He has also served as the first President of the Information Technology Information Sharing and Analysis Center, and as the Co-Chair of the Federal Computer Investigations Committee. He is a member of the American Academy of Forensic Scientists, and an Advisory Board member for the Technical Research Institute of the National White Collar Crime Center.
Data breaches were hitting the headlines almost every week in 2006, with the estimated number of records compromised in security breaches passing the 100 million mark, according to the Privacy Rights Clearinghouse, which has tracked breaches since the ChoicePoint incident in 2005. With all the press coverage and consumer awareness of the issue, expect Congress to take up the matter this year in earnest. We will most probably see several legislative bodies arm-wrestling over who gets top enforcement duties, whatever form the federal law takes. That is aside from the 30-plus state laws already on the books that relate to data breach notification. Secure your sensitive data now, before the waves of regulation begin washing up on the walls of your institution.
The arms race against phishers, strengthening firewalls, FFIEC authentication deadline issues and the constantly evolving risk management model were among the many topics covered by the FINSEC 2006 conference speakers last week in New York. The security strategy, tool and technique presentations in the two-day conference were led by eleven information security experts from national banks and financial firms. The most sought-after seat was in the FFIEC Authentication Guidance talk led by Diana Kelley, VP and Service Director at the Burton Group. It was standing room only within five minutes of the start, showing that many of the FINSEC 2006 attendees wanted to know how the authentication guidelines will apply to their institutions. TowerGroup has estimated that only 20 percent of institutions will have security systems implemented by the end of the year.
The recent announcement from Microsoft of the long-anticipated ship to manufacturers of the Vista operating system brings visions of patches and problems to the dreams of veteran infosec practitioners. Those companies large enough to hold corporate licenses will have it made available by November 30 for bulk download or via CD. The question for us in the financial industry is - when to upgrade to Vista? A wise CEO once noted when his IT department was clamoring to upgrade to a new OS, "Let's let the dust settle, let others shake the bugs out, then we'll wait until it's a robust product before we move over." That was back in the day of Windows 95 when customers came to your bank to transact business, or they picked up their land line telephone to call in.
The 6th Annual InfoSecurity New York Conference and Exhibition was a major draw for financial institutions seeking the best and the latest products and services available in the information security industry. Take the following excerpt for example, which gives a brief but succinct description of the event: We have assembled the finest minds in the information security industry. . . with access to 175 companies, featuring new solutions, crucial to developing a secure and compliant information infrastructure within any size business.
Visa is mounting a full-scale blitz to encourage merchants to use payment software that doesn't compromise consumer passwords. The card company has asked merchants to ensure that the software they use to process card transactions doesn't store the full contents of "track data", which contains passwords and other sensitive information. Last year, a breach at CardSystems, a processor of card transactions, led to the exposure of 40 million payment records, setting off a firestorm that's led to a crackdown on data security vulnerabilities by regulators and lawmakers. Visa's Cardholder Information Security Program prohibits the storing of full track data by merchants. Account numbers, expiration dates, and names are the only elements of track data that may be retained once a transaction has been authorized. In addition, Visa requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) by all merchants and any entity that stores, transmits or processes cardholder data.
The results are in, and BankInfoSecurity.com would like to present the Top 10 financial information security articles on this website from 2006. All articles were posted since January, up to and including the last week in July. Not surprisingly, the number one article described actual financial services workers being fooled by a harmless but deliberately staged CD scam. This can only underline the importance many banks and financial institutions place on educating employees as the starting point of a strong information security program. Rounding out the top 10 are two articles related to phishing, a trend which indicates the problem will continue to be a nuisance to any institution offering online account access.
Last October, the Federal Financial Institutions Examination Council (FFIEC) issued guidelines to financial institutions stating that single-factor authentication was inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. While financial institutions are expected to comply with the guidelines by the end of this year, the expected course of action has also created some confusion in the industry. George Tubin, senior analyst in the Delivery Channels research service at TowerGroup, recently led a roundtable session where top financial institutions shared their experiences in trying to comply with the FFIEC guidance. Issues raised by online banking leaders included multifactor authentication techniques, implementation best practices and concerns, customer education, and usability. Mr. Tubin shared some of the key findings with BankInfoSecurity.com (BIS).
Biometrics, the use of electronically stored records of physical identifiers that corroborate a person's identity, is now moving out of the realm of fiction and into everyday life. Already there are reports that more than 60 hospitals in the UK use fingerprint technology to access patient files. Commercially, the technology is expected to take off in the ecommerce and online banking arenas, and some European states already recognize a biometric signature as legally binding. From the Microsoft fingerprint mouse to iris and retina scans to facial recognition devices, it's a technology that promises to free us from the bane of recalling passwords. And it's essentially a 'cool' technology: IT departments are embracing biometrics in part because almost every systems administrator is a techno-geek, and all geeks love their gadgets. These drivers are fuelling the quick take-up of this technology.
"Botnet" Investigation Led by U.S. Secret Service's Electronic Crimes Task Force and the Computer Hacking and Intellectual Property Unit of the U.S. Attorney's Office
SAN JOSE – United States Attorney Kevin V. Ryan announced that Anthony Scott Clark, 21, of Beaverton, Oregon, pleaded guilty yesterday afternoon in federal court in San Jose to launching a computer attack against the Internet auction site eBay in July and August 2003 with an army of infected computers he had amassed by using a computer worm program.
Although Skype, which provides Voice over Internet Protocol (VoIP) telephony services and PC-to-PC calling, turns two years old on August 29, it remains unclear what kind of business this relative newcomer will turn out to be. Skype could remain a mere fad for techies, become a next-generation communications platform or evolve into the next eBay or Google, say Wharton experts.
Banks Face Added Risks in a Tough New Regulatory Arena
Bankers Trust was an aggressive and entrepreneurial commercial bank that developed some of the basic risk management tools now used throughout the banking industry. (It merged with Deutsche Bank in 199
"Something fundamentally big is happening that will profoundly affect the life of every person and every business over the next five to 15 years -- the collapsing of everything into one single, global, ubiquitous, collaborative virtual IT world." So said Hossein Eslambolchi, president of AT&T's Global Networking Technology Services, at th
Omar Herrera
While we are not analyzing the ethical nature of a hacker, we must still consider a hacker to be a person who maintains a superior level of technical knowledge and abilities. Therefore, by definition we must then accept that there are hackers with good intentions (gurus) and hackers with bad intentions (cyber criminals)
The role of international trade in the U.S. economy is increasing. And although smaller firms (those with fewer than 500 employees) accounted for almost one-third of U.S. exports in 2001, they are continually challenged to obtain financing to produce export goods or to finance the sale of exports. This circumstance presents opportunities for community banks that are looking for ways to increase small business fee income and strengthen loan demand. This article looks at those opportunities
Q. The local banks are not cashing my checks or letting me withdraw money from teller stations; what can I do? A. If you do not have an account relationship with the bank, it may be concerned about whether there are sufficient funds in your bank account. Ask the bank
According to recent government estimates, some 10 million people a year are victims of identity theft. Some sources estimate that annual losses related to identity theft total as much as $50 million for individuals and $48 billion for businesses. While these figures represent an average loss of only about $500 per individual, the actual impact is much higher. On average, each individual also spends some 30 hours cleaning up the effects of an identity theft attack. That's a total of ab
When online auctioneer eBay announced its intentions last week to buy Internet communications services provider Skype in a potential $4.1 billion deal that will consolidate three of the biggest Internet brands -- eBay, PayPal and Skype -- under one roof and eliminate e-commerce "friction," the questions began. What, people are asking, is the rationale behind the acquisition, and isn't $4.1 billion a bi
George Capehart
In a previous column we talked about some of the characteristics of Web services systems that have implications for Information Security and identified some of the kinds of security problems that arise in systems that are implemented in this paradigm. One of the sets of problems that was mentioned was Emergent Risks. In this article, we will talk a little more about them and give examples from two different ki
Q: First, what is Bluetooth? A: It’s a technology that lets devices communicate with each other sans cables or wires. More specifically, Bluetooth is a wireless standard, which means manufacturers of any device can ensure that their devices communicate with those from other companies. Q: Why is Bluetooth so popular? A: As anybody who’s ever surfed the Internet
The following are links to websites that also offer online training to the Banking Information Security Community: SANS Webcasts are live web broadcasts that allow you to hear a knowledgeable speaker while viewing presentation slides that you download in advance. You need either Real Audio Player or Windows Media Player (free downloads are available on the webcast access page