The Information Security Media Group, Corp.(ISMG) today announced the launch of its two redesigned websites, www.BankInfoSecurity.com and www.CUInfoSecurity.com. The redesign offers easier navigation throughout the sites and access to even more information on topics, events and regulations that affect financial institutions.
Swart: I would like to start by talking about what are the personal risks that executives of financial institutions face if they fail to implement effective security or to comply with IT security regulations. Herold: Well, there are many. It is first important, though, for the financial institution leaders to understand that there are many laws and regulations requiring information security programs, and these programs must be built based upon risk assessments directly related to safeguarding customer information. Some of the laws and regulations include the U.S.A. Patriot Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and the Fair and Accurate Credit Transactions Act. Also, the FFIEC IT Examination Handbook, the FDIC IT Examination Workpaper, the OTC Consumer Regulations Handbook and various other oversight agencies' guidance require and emphasize the importance and responsibilities of executive leaders to ensure security is in place. Besides those, there are at least 39 state-level breach notice laws along with hundreds of other state laws that address and require institutions to provide data protection activities. And then, if your organization has offices outside the U.S., there are over 100 data protection laws within countries throughout the world.
Swart: Well, speaking of accounting, a lot of executives are quite concerned that achieving ISO compliance, or excuse me, IS certification, will significantly increase their costs, and lead to the adoption of significantly more controls. Is that perception accurate? Bernard: Actually it's not. ISO is a big thing to take on, and there has been a lot of reluctance, as you know. We are going to be likely the first on-line banking system in North America, perhaps even the globe, to become ISO certified. And I think the reluctance is because they just haven't found the right person or the right group who can deliver that package in a way that they can accept. In fact, the ISO framework, once it's properly implemented, will actually help reduce controls, which is usually a big selling point with senior managers. As we have external consultants and monitors coming in and telling us to implement more and more controls, the concern is that we have layers and layers, and all of the sudden productivity slows down within the organization. We have to hire new people to manage the controls because there are so many of them. And ISO is not about that at all. There are 133 controls within ISO. And they can be basically applied in a number of different ways.
Swart: Let’s start talking about risk management, but rather talking about traditional issues of information and business impact analysis. I was wondering, is there some fundamental question or fundamental process that banking and finance executives should start with when they start thinking about risk management? Pironti: There actually is. As we start looking at risk management and more specifically information risk management, which is really what we’re focusing our attention and the work I’m doing on, one of the first things we often ask ourselves is to figure out what problem are we trying to solve. To what degree are we trying to solve a problem? With what degree are we trying to protect the information? And once we understand those basic principles, then we should be looking to go through a process that we call Threat and Vulnerability Analysis.
Know What Assets You Have and Where They Are
This may sound very basic, but after one laptop turns out to be missing, the basics look like very good rules to follow.
It’s hard enough to secure the data you control. But what about when your employees are plugging unapproved USB drives into computers and sending unencrypted sensitive information in emails to customers, putting your institution at risk of a data breach?
When it comes to information security, there are as many ways to go wrong as to go right. That is why, before a financial institution attempts to implement and improve its security risk management process, it must examine its fundamental level of maturity. Is the organization ready for risk management?
The estimated number of reported credit card numbers that were taken in the TJX breach has doubled from more than 45 million to nearly 100 million accounts being affected, according to VISA.
Vulnerable Web Servers Are More Quickly Identified By Fraudsters
The news from the crimeware front isn’t good. The research team at RSA Security reports the discovery of a tool that fraudsters are using to automatically trace vulnerable web servers, allowing them to quickly launch multiple phishing attacks.
To safeguard digital customer files and stymie potential identity thieves, Brintech’s Chris Koger has a quick list of tips for bank officers. They’re based on the most common errors that risk assessors come across.
Sometimes a Breach is as Simple as Walking in the Front Door
Chris Koger is not an actual identity thief, but he may play one soon at a bank branch near you. An Atlanta-based “ethical hacker” and information risk assessor, Koger specializes in human, operational and physical weaknesses of small- to medium-sized banks. In short, Koger’s job is to expose potential breaches before an actual thief does. Oftentimes, it’s too late.
Spending on security technology, training, assessments and certification now accounts for 20 percent of total technology budgets, according to new research from the Computing Technology Industry Association (CompTIA).
RICHARD SWART: Hi. This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with Dan Manley, who is a Senior Manager at KPMG’s Risk Advisory Services Information Protection Practice. He has over 19 years of experience, and has both a CISSP and a CISM. Good morning, Dan. DAN MANLEY: Good morning, Richard.
RICHARD SWART: Hi. This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’re speaking with Kenneth Newman. He joined the American Savings Bank as the Vice President of Security in March of 2005, and is responsible for managing their business continuity, information security and records management programs. He has extensive experience in information security for over 15 years, and has previously worked at Deutsche Bank, and also with Citigroup. Good afternoon, Ken.
It’s About Protecting the Network Endpoints
Last week’s announcement of yet another unencrypted laptop being stolen – this time it is retailer The Gap’s recruiting vendor and its gaping lack of security (the vendor laptop was stolen with personal information of 800,000 applicants) – opens another line of questions for financial institutions. Is the increased productivity of portable devices (laptops, USB drives, etc.) worth the risk of infection or data theft? More importantly, are you able to defend your networks from the invasion of the external threats that seemingly pile up at your firewall due to the use of these endpoints?
Too Much Data, Too Little Security -- a Recipe for Disaster
The risk of a breach of sensitive personal information held by TJX Companies Inc. was foreseeable, but the company failed to put in place adequate security safeguards, according to the report released this week by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Alberta (AB OIPC).
Bad Guys Getting Better, Aiming Higher
CA Bill Would Make Bad Security Costly To Retailers
Move over, data breach notification laws: There’s a tough new bill in town, under which banks and credit unions could get money back from breached retailers that didn’t do right in protecting credit or debit card information. This new data breach reimbursement bill is sitting on the desk of California governor Arnold Schwarzenegger, awaiting his signature.
Breach is a Warning to All Financial Institutions
The announcement by online brokerage TD Ameritrade that a database had been breached reinforces an important lesson to other financial institutions: Know your systems and who’s accessing them. On Sept. 14, Ameritrade went public with the news that it had “discovered and eliminated unauthorized code from its systems that allowed access to an internal database
Richard Swart: Hi, this is Richard Swart with Information Security Media Group. Today I’ll be speaking with Debbie Wheeler, CISO of Fifth Third Bank. How are you doing this morning, Debbie? Debbie Wheeler: I’m doing well. Thank you. Swart: I appreciate you taking time to talk to us today. I’d like talk about some of your experience. I know you have an extensive background in information security, and you’ve also spent quite a bit of time there at Fifth Third Bank working on issues around identity access management. I was wondering if you would tell our listeners, what are the critical success factors for an identity and access management program. Wheeler: I’d have to start with understanding what roles the organization uses or needs. That’s probably first and foremost. And some of the conversations that Fifth Third has had with some other financial organizations that are attempting to implement identity and access management programs, specifically around provisioning; roles are the number one concern that’s raised over and over again. Fifth Third started about four years ago defining the roles that they were going to use to provision access, and having that structure in place has allowed us to very rapidly deploy over 200 applications to a centralized provisioning product from which we delegate and administer access and entitlement. I think the biggest challenges in trying to obtain or administer an access and identity management program are really selling the value to senior management.
Whether you know where the sensitive, personally identifiable information is on your networks isn’t in question, nor is anyone asking if you have secured it. But what about the data on the devices that disconnect from your network (think of laptops, external drives, USB sticks)? Are they secured, or is the data on them encrypted? The results from a recent study by the Ponemon Institute show that the majority of businesses don’t manage the protection of these devices very well.
Incident Response Resources
Here are several recommended agencies that institutions will want to check in with when bulking up incident response plans.
Incident Response Starts With a Comprehensive – and Tested – Plan of Action
It’s 3 a.m., and your cell phone is buzzing off the bedroom dresser. Your boss is calling to tell you that the network servers that support your institution’s online banking site have been offline for the last two hours, and it is suspected that the region’s severe weather overnight may have knocked out the Internet connection. When the IT hits the fan, you don’t want to be without a plan of action. What can you do to prepare for the unexpected?
Forensic Analysis Helps Solve the Crime
In the event of a data break-in, forensic analysis -- the use of scientific techniques to investigate crimes -- is needed for various tasks, including:
- investigating crimes and inappropriate behavior,
- reconstructing computer security incidents,
- troubleshooting operational problems,
- supporting due diligence for audit record maintenance,
- recovering from accidental system damage.
Richard Swart: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with Mark Lobel, an internationally recognized security and internals control professional who is a partner in information security practice at Price Waterhouse Coopers. Good afternoon, Mark. Mark Lobel: Good afternoon. How are you? Swart: I’m doing well. I was hoping you’d talk to our listeners and tell us about, from your position as a Price Waterhouse Coopers partner in the security practice area, what is your assessment of the state of the information security war? How are institutions responding to the increasingly sophisticated threat picture?
Richard Swart: Hi, this is Richard Swart with Information Security Media Group, publishers of bankinfosecurity.com and cuinfosecurity.com. Today we’ll be speaking with William Henley. He is the Director of IT and Risk Management for the Office of Thrift Supervision. Now William, what specific guidance and advice can the OTS give thrifts and financial institutions in the development, implementation and maintenance of policies, procedures and guidelines regarding technology risk management?
Richard Swart: Hi. This is Richard Swart with Information Security & Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with Mr. Nathan Johns. Nathan is an executive with Crowe Chizek and Company, LLC risk services delivery unit, with over 15 years experience in a variety of internal audit risk management leadership and regulatory positions. He has a comprehensive internal audit and risk management background in large financial services institutions, working closely with senior management to address risks and evaluate and implement controls. Before joining Crowe Chizek, Mr. Johns was the chief of the information technology section for the FDIC.
Research reveals a gap between the importance internal auditors and corporate compliance professionals place on having the right controls for access to systems and data, and actual practice: in a recent survey of auditors, 70 percent of respondents said identity compliance is critical to IT compliance, yet the majority said there are inadequacies in current practice. A majority (82 percent) said a risk-based approach would be more effective, according to the Ponemon Institute survey “Audit & Compliance Professionals: Survey on Identity Compliance.”
RICHARD SWART: Could you tell us a little bit more about your role in the FDIC and could you explain how the FDIC is tracking cyberfraud? DAVID NELSON: Sure. Recently, I have become more of an analyst. Before, I was an examiner, as you well know, but now, I’ve turned into more of an analyst, where I review a lot of information, information that comes from the FINCEN, in the form of FINCEN’s SARs that financial institutions submit.
RICHARD SWART: Well, could you please explain for our listeners your responsibilities as the Deputy Director for Outreach and Awareness for the National Cyber Security Division, and also, how do you interact with the banking and finance community? ROB PATE: Our job at NCSD is to help government agencies, federal, state and local, and the private sector, as well as our international partners, to better defend themselves against cyber attacks and disruptions. Also, if you want, I’ll touch briefly, a little bit on US-CERT, and then we can touch on the financial sector things that we were talking about. If you’re not familiar with US-CERT, the United States Computer Emergency Response Team, that is the focal point for cyber incident response for the nation.
When your regulator comes to your institution during your next examination, will your incident response plan be your Achilles’ heel? Ensuring your institution is ready to respond to any breach begins with the development of a response team. Under the interpretive authority granted by the Gramm-Leach-Bliley Act (GLBA), federal banking regulators finalized guidance establishing standards financial organizations must follow to safeguard customer information. The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice requires banks to establish a security breach response program and, in general, to notify affected customers when a breach occurs.
The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that could be cost-effectively avoided. The report, “Why Compliance Pays – Reputations and Revenues at Risk,” finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year. Those firms with the best IT compliance results have, at most, two disruptions annually. “There are two real key findings from this ongoing report for financial institutions. We are finally able to quantify publicly reported data losses (this data was also checked against historical databases as well). Financial risk for losing data is absolutely huge, compared to the amount of money being spent on compliance and data protection,” said Jim Hurley, a senior research manager for Symantec and senior director of the IT Policy Compliance Group.
The results of a Ponemon Institute survey underscore the serious challenges organizations face in securing sensitive data.
The recent announcement by Fidelity National Information Services, a financial processing company, that one of its employees at a subsidiary stole 2.3 million consumer records containing credit card, bank account and other personal information is yet another drop in the bucket of data leakage.
Sensitive financial information is leaking from financial institutions, vendors and customers, according to a recent study on the risks from inadvertent disclosures of sensitive information on the Internet.
The best passwords are easy to remember, but hard to guess. So why are employees (including yourself) forgetting them at times?
As with any information security threat, your institution needs to plan for it, and social engineering attempts from outside your institution need to be expected.
Like comic book super villains, spam kingpins always seem to find new ways to thwart the technology heroes that fight against junk mail. Just as it seems that they’ve finally been vanquished, they manage to elude the traps laid by anti-spam technology vendors in order to flood the inboxes of innocent users.
To create an effective information security incident response capability, banks need to first understand where they are in terms of security readiness. Benchmarking the information security program is one of the most difficult and important tasks a chief information security officer will face. That task has gotten easier now with the publication of a set of incident management capability metrics by the Software Engineering Institute of Carnegie Mellon University.
Financial institutions receive email from a wide variety of sources, and like other companies they’re facing the unwanted solicitation emails that range from replica watches to penny stock offerings. The employees at financial institutions are also faced with these emails that make it past filters and into their inboxes.
If you ever thought that when you file a Suspicious Activity Report (SAR) that it is filed away with the other SARs, think again. SARs are an important and valuable part of the Bank Secrecy Act (BSA) data that law enforcement uses to build criminal cases. Financial institutions can read more on the enforcement actions taken by law enforcement in the latest edition of the SAR Activity Review.
Any good information security professional knows good passwords should be easy to remember but hard to guess, and that’s because there are constant attempts to crack your passwords. A recent study by the University of Maryland's Clark School of Engineering is one of the first to quantify the near-constant rate of hacker attacks on computers with Internet access—every 39 seconds on average—and the non-secure usernames and passwords that give attackers a greater chance of success.
The receptionist at ABC Financial Institution headquarters glanced up from her work and saw the phone man standing there.
I’m a social engineer. And no, you won’t recognize me or be able to spot me when I come into your bank or credit union. My job is to scope a target (it could be your institution) and probe potential weaknesses in the security, both physical and cyber. I’m paid to find the holes and potential places where we could launch an attack on your branch or even your entire institution.
Ever since there have been banks, there have been bad guys trying to get the money out of them. With the rapid growth of technology, we need to not only look at our physical risks, but all of the technology we have come to live with, or that we can’t live without at our institutions.
Financial institutions need intrusion detection systems that incorporate wireless
The biggest credit-card hacking incident in history exploited a weakness in wireless network security that could have easily been fixed. The lesson for financial institutions is to plug all such weaknesses before wrongdoers discover them. TJX Companies, owner of T.J. Maxx and other retail brands, says that at least 45.7 million credit and debit cards were compromised over several years. Intruders gained access to TJX’s computer systems beginning in 2005 and continuing until January 2007. Although debit card PINs weren’t compromised, unencrypted magnetic stripe data, also known as “track 2 data,” was stolen on transactions that occurred before September 2003, the company said. Investigators believe hackers used handheld de
At your financial institution, what would you consider your worst threat for data loss? Hackers? Let’s face it, everyone who is trying to breach your defenses really just wants to join those insiders who are already running amok on your network. If you’re not cognizant of the insider threat in your institution, you will need to rethink your security strategy.
Knowing where and when your employees are accessing data means watching your endpoints. Endpoint controls can play a key role in preventing or reducing the insider threat, says Ari Tammamm, an information security company executive. Financial institutions are doing a better job than many other companies because of the regulatory compliance that goes along with being a financial institution, but the threat is still
In spite of doom-and-gloom predictions following the FFIEC’s guidance announcements, financial institutions are able to balance convenience with security
As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year’s Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security. However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted—in spite of the fact that most of them are unaware of the new regulation.
It’s always sitting there like the 800-pound gorilla in the room – the upcoming IT audit at the institution. No one asks if it’s still there, because we all know it is. We’ve all gone through at least one IT audit, some successfully; others of us have been handed a list of recommendations from our auditors. One of the drivers behind an IT audit is the list of 114,000 new regulations (according to the OMB) passed in the U.S. since 1981, and these regulations include the Sarbanes-Oxley Act (SOX). SOX is more than just Section 404 documentation. From proper retention, retrieval and disposition of audit data to corporate responsibility for financial reports to real-time disclosure, SOX places a comprehensive compliance burden on a financial instit
We’re all guilty of it. The conversation at the table next to you in the fancy restaurant is sounding interesting and as you’re sitting nearby, you can overhear the people as they talk. Sometimes it’s innocuous tidbits of family life, other times it’s more important information, like say, two bank employees discussing network IP addresses, or what type of configuration they’re going to propose for the new firewall. If you were not the upstanding citizen and information security professional with a high ethical standard, you could possibly share that information with your friends in a chat room, or post it on your blog. As we all continue to blur the lines between work and personal life, dragging home laptops and blackberries and doing business as we commute back and forth each day, it’s almost surprising that more of us are not ending up in the blogosphere or on Internet chat forums or on MySpace, and then are known as “the employee who talked in public,” says one information security exp
One of the best ways financial institutions have of protecting critical infrastructure is to monitor system logs, which contain a gold mine of information about the health of the network.
Common sense is something all bank directors are expected to possess, and bank directors with years of experience seem to be brimming with it. But if you’re a new, or relatively new, appointment to a board of directors at a bank,
As an information security professional at your institution, would you know what signs and indicators to monitor for an insider attack? Dr. Eric Cole, a noted information security expert who has studied insider threats and investigated them at financial institutions, says the problem isn’t only identifying potential insider attacks, but how little attention is being focused on this continuing threat.
The line forms on the left, as state banking associations representing banks from three New England states have filed a class action lawsuit against TJX Companies Inc., in response to the company’s credit and debit card breach in which more than 45 million cards may have been compromised. More banks are expected to join the lawsuit.
One of the recommendations from the President’s Identity Theft Task Force: Decrease the unnecessary use of social security numbers in the public sector by developing alternative strategies for identity management.
Deborah Platt Majoras, Chairman of the Federal Trade Commission and co-chair of the Identity Theft Task Force, gave this example of why this recommendation is at the top of the list of 31 recommendations from the Task Force.
The release of the President’s Identity Theft Task Force report on April 23, with its 31 recommendations, has implications for financial institutions. While the report also focuses on increased law enforcement crackdowns on identity theft and the prosecution of the criminals who perpetrate this crime, the need to increase consumer education about the perils of identity theft is near the top of the list of recommended actions.
Identity theft can strike anyone. Unfortunately, even BankInfoSecurity.com’s staff have been past victims of identity theft. Luckily, the two stories have been resolved. Read on to hear first-hand the pain of identity theft, and what lengths victims have to go to in order to resolve the crime and restore their identity. Both staffers’ names have been withheld to prevent further harm. These stories are good examples of why financial institutions must increase customer education on identity theft and continue their vigilance in verifying customer information.
The banking industry is one of the most highly regulated and closely supervised among those handling sensitive consumer information. Besides being subject to security breach disclosure laws at the state and federal levels, it must comply with industry-specific laws and regulations related to information security and privacy.
The Check Clearing for the 21st Century Act (Check 21) has created new opportunities for financial institutions and customers. By eliminating the need to transport paper checks, remote check capture can provide significant cost savings for financial institutions. Customers benefit as well: retail customers can receive image proof-of-deposit at an ATM or other remote capture site, and commercial customers can deposit imaged checks directly at their own premises.
The revelation by TJX Companies, owner of T.J. Maxx and other retail brands, that at least 45.7 million credit and debit cards were compromised over several years highlights anew the risks associated with processing card transactions and the need to protect the information they contain.
A recent survey of banking executives showed the overwhelming majority plan to increase spending on automated Anti-Money Laundering (AML) transaction monitoring and on staff to help strengthen their compliance programs. Darren Donovan, head of KPMG’s Forensic Services said the survey, administered by KPMG during the Florida International Bankers Association Annual AML Compliance Conference,
What are some of the constants - - and you’ve obviously, with your years of experience, seen many of them, but what are we still dealing with, the problems you had back in the early days, in terms of information, security and risk? And is the TJX data breach that just recently hit the headlines a glimpse of what we can expect to happen when security and operational risk management doesn’t occur? RHONDA MACLEAN: Well, I’d like to say it’d be nice if we didn’t see those kinds of things occur. But I think we will continue to see them, and I think this is where the challenge lies. And TJ Maxx is just one of the companies that have had it - - we’ve had recent headlines over this last year. You can go back and look at the Department of Veterans Affairs and the big data loss that occurred there.
While most financial institutions guard against the external threat of hackers, malware, and network intrusions, there is an insidious insider threat that lies hidden inside the walls of financial institutions. According to Dr. Eric Cole, a noted information security expert who has studied insider threats and investigated them at financial institutions, much more can be done to mitigate this unseen threat.
Knowing what’s important to banking professionals is key to providing the information and news coverage needed in the financial services industry. Having a “finger on the pulse” is the best way to describe the formation of BankInfoSecurity.com’s inaugural Advisory Board. The new members of BankInfoSecurity.com’s Advisory Board are from every region of the country, and represent a wide range of asset sizes of national banks, community banks and savings and loan institutions. “Knowing what your peers are thinking, and how they’re approaching a certain issue, helps you find what works at your bank,” said Linda McGlasson, Managing Editor of BankInfoSecurity.com.
Manual processes leave financial institutions open to insider threats, according to a new study by the Ponemon Institute, which found that nearly 60 percent of U.S. businesses and government agencies report they don't have the information or the technology to deal with insider threats to their network. “For the financial services industry there are some important implications in terms of account takeover, authentication credentials and a very big risk of a harmful event if someone gains control of part of a financial institution’s network,” said Larry Ponemon, President of the Ponemon Institute.
The Gramm-Leach-Bliley Act may not appear to have anything to link it to the Voice over IP technology being implemented in financial institutions, but IT departments and information security officers should look closely at how the new phone systems may be audited under GLBA regulations. GLBA audits would focus more on data privacy, and specifically on Section 501 of Subtitle A, which requires companies to ensure the security and confidentiality of customer records and information. They also need to protect against any anticipated threats or hazards to the security and integrity of these records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
Banks are attracted to Voice over Internet protocol (VoIP) as an alternative to traditional telephone networks because of the potential cost savings, including elimination of long distance charges and the need for only one network to manage both voice and data. However, VoIP entails increased data security risks, which must be addressed before implementing a solution. According to the FDIC, VoIP is susceptible to the same risks as data networks that use the Internet, such as exposure to viruses, worms, Trojans and man-in-the-middle attacks. Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud (theft of service), all of which can result in the loss of privacy and integrity.
Being an information security officer at a financial institution isn’t an easy job, but imagine being the first Chief Information Security Officer at your institution, and the first one, period. Steve Katz shared his thoughts on information security from his unique perspective of being just that—the first CISO of a major financial institution. What many of us take for granted in our programs was hewn out of thin air by Steve since the mid 1980s. Steve Katz is a true luminary among the information security community. Known as the world’s first chief information security officer, Katz is widely regarded as one of the discipline’s thought leaders. In addition to his role since 1985 as a senior security executive for J.P. Morgan, Citibank/Citigroup and most recently Merrill Lynch, he has been a force at both industry and government levels in raising the visibility and shaping the direction of the security industry.
LINDA MCGLASSON: Are we in information security becoming too complacent? I mean, we have a lot of zero-day threats, hundred thousand node botnet sending us virus threats and all things like that, and those of us in information security, you know, look at the situation and think that this is normal operation procedure, are we too complacent? WYATT STARNES: I think we are too complacent, and I actually think we’ve been overly, sort of, complacent and self-secure, self-assured for actually quite some time. When you kind of zoom back and look at some of the physical threats in our world, specifically, the tragic events of September 11th, 2001, where we found we were dramatically exposed to physical harm within our own boundaries, I think in the cyber-security world, we haven’t really seen our September 11th, 2001 yet. We are exposed. We continue to be exposed, and information technology is prospectively an important new attack vector for us in our industry and in our economy, and frankly, in our political system as well.
The FDIC’s Information Technology Risk Management Program (IT-RMP), used by FDIC examiners in the examination process of financial institutions, will be looking more closely at the way financial institutions choose, oversee, and document their technology service providers and how those technology service providers protect sensitive customer information, according to a new audit report from the FDIC’s Office of Inspector General (OIG). Last year more than half of the 213 information security breaches reported by financial institutions to the FDIC involved technology service providers (TSP). These breaches included TSPs providing services to institutions for Internet banking, debit and credit cards, ATMs and network operating systems.
The alert from the OCC about a 419 scam appearing to come from the US House of Representatives’ Financial Services Committee isn’t something new -- this type of scam is just a new twist on something that has been around for many years. As long as there are people who believe they can get something for little or nothing without a great deal of effort, the 419 scams will continue to wreak havoc on the American public. As financial institutions, we must help educate those who could fall under the 419 spell of easy money.
Comptroller of the Currency John Dugan told an audience of bank risk managers earlier this week that, because their goals are so closely aligned with those of the regulators, the regulations and guidance issued by the agencies can support them in meeting their institutions’ objectives. Dugan said regulators can highlight concerns that are important to risk managers, but which others in the bank might prefer to ignore for competitive reasons. An example is the interagency guidance on non-traditional mortgages, which establishes expectations for prudent underwriting, taking into account some of the unique features and risks these products present. A joint release from federal agencies seeking comment on a proposed Statement on Subprime Mortgage Lending was issued on Friday.
The Office of Thrift Supervision (OTS) issued guidance this week on gift cards offered by OTS-regulated thrift institutions. The guidance assists institutions in ensuring adequate account administration, marketing, and sound consumer disclosure practices for gift card programs. The guidance encourages more uniform practices among thrifts that offer gift card programs, and supports institution efforts to improve consumers’ understanding of gift card features. The OTS also has an educational brochure for consumers http://www.ots.treas.gov/docs/4/480923.pdf.
Unless you’ve been on extended vacation since last year, you know it's coming - the change to Daylight Savings Time (DST). The changes required in financial institutions’ computer networks and software for the new timing of the beginning (and end) of Daylight Savings Time have been viewed as a mostly thankless task, reminiscent of work done on Y2K. Daylight Savings Time will be extended by four weeks in the U.S., Canada, Bermuda and the Bahamas. This came about when Congress passed the Energy Policy Act of 2005. It will begin the second Sunday of March (March 11 this year) instead of the first Sunday in April, and will be extended until the first Sunday in November (November 4 this year) instead of the last Sunday in October.
Authors of a proof of concept paper called "Drive By Pharming" say that by viewing a malicious web page users can set off changes in a broadband router or wireless access point, making the computer connected to it susceptible to attack. The paper, authored by researchers Zulfikar Ramzan, from Symantec, and Markus Jakobsson and Sid Stamm of the Indiana University School of Informatics, shows the dangers of not changing a default password in this important part of connecting to the Internet.
The small bank market depends on its leading vendors for its latest technologies, including remote capture, and fraud and security applications, according to a report completed last month. In the new report, Evaluating the Vendors of Small Banks' Core Banking Systems, Aite Group evaluated and compared the small-bank core systems, cross-selling strategies, and successes of eight of the leading technology providers in the U.S. small-bank market.
Prior to joining the American Bankers Association, Doug spent ten years as Assistant Director of the Florida Division of Banking, where he oversaw the supervision and regulation of Florida’s domestic and international banking industry. During that time, Doug served as an advisor to the US Congressional Office of Technology Assessment, assisting in their study of the use of information technologies for the control of money laundering. He also spent time in Miami as a planning analyst for Royal Trust Bank Group and as a bank consultant for First Research Corporation. He has a bachelor’s degree in Economics from the University of Florida and a master’s in finance from Florida State University. The ABA was founded in 1875 and represents banks of all sizes on issues of national importance for financial institutions and their customers. The ABA, on behalf of the more than two million who work in the nation’s banks, brings together all categories of banking institutions to best represent the interests of this rapidly changing industry. And Doug, we’re going to go right into the questions. First, hello.
The Office of the Comptroller of the Currency (OCC) issued a bulletin on February 21 about the changes in Daylight Savings Time. All financial institutions should be aware that Daylight Savings Time begins earlier and ends later this year. The OCC bulletin reminds institutions and their technology service providers of the upcoming change in the schedule for Daylight Savings Time. Institutions may be exposed to a variety of risks if they do not prepare their systems to reflect this change. The Credit Union National Association (CUNA) also noted the DST change to its membership earlier in February. Daylight Savings Time (DST) in the United States will begin earlier and end later in 2007. The Energy Policy Act of 2005, signed into law in August 2005, moves the beginning of DST from the first Sunday in April to the second Sunday in March (March 11). DST will now end the first Sunday in November (November 4) instead of the last Sunday in October.
The need to store and manage mushrooming quantities of unstructured content such as e-mails, instant messages, voice messages, and images is a major pain point for financial institutions of all sizes. An estimated 60 billion e-mails are sent across the globe each day and almost 80% of companies accept e-mail as confirmation of business transactions. With the recent amendments to the Federal Rules of Civil Procedure (FRCP), which bring e-mail and other electronically stored information squarely into the discovery process in court proceedings, it's imperative that electronic communications be rigorously managed throughout their lifecycle.
A world authority on software and application security, Gary McGraw, PhD and CTO of Cigital, carries the software security torch. Over the past 11 years his six books on the subject of software security seem to have touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and antivirus mechanisms came to understand and embrace the necessity of better software. Author of more than 90 peer reviewed technical publications, he is a principal investigator working with the Air Force Research Labs, DARPA, National Science Foundation and NIST's Advanced Technology Program. He also is an advisor to top U.S. university computer science departments, and sits on the IEEE Board of Governors. In this interview McGraw discusses with BankInfoSecurity.com the state of information security in the financial services industry, pervasive computing, the trusted computing initiative, cyber threats on the horizon for financial institutions, software security, information security for mid and smaller institutions; Vista - Microsoft's new OS, and Google's code search capabilities.
With the deadline passed for compliance with the Federal Financial Institutions Examination Council (FFIEC) guidelines, financial institutions are seeking cost-effective strategies that meet or exceed regulatory and customer expectations. According to the FFIEC, any system that permits the movement of funds to other parties or access to customer information is deemed high-risk, necessitating stronger authentication or additional controls. At a minimum, this means two-factor or layered single-factor authentication. In two-factor authentication, the user presents both something he knows, such as a password or PIN, and something he owns, such as a PC, phone, or one-time password. In layered single-factor authentication, the user presents two of the same factor (e.g., two separate passwords). This is as far as most banks go in authenticating customers.
During Howard Schmidt's remarkable career in public and corporate service, he has seen it all from the inside. He began his information security career in government in the U.S. Air Force and helped establish its groundbreaking computer forensics lab. He then moved into law enforcement. Later he left public service to head information security at software giant Microsoft, and then also at online auction site eBay. After 9/11, he was appointed Vice Chair of the President's Critical Infrastructure Protection Board and was Special Advisor for Cyberspace Security for the White House. Schmidt is currently the International President of the Information Systems Security Association, ISSA. He has also served as the first President of the Information Technology Information Sharing and Analysis Center, and as the Co-Chair of the Federal Computer Investigations Committee. He is a member of the American Academy of Forensic Sciences, and an Advisory Board member for the Technical Research Institute of the National White Collar Crime Center.
Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards. In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.
In December, a milestone of sorts was reached when Boeing Co. disclosed that a laptop containing names, SSNs, home addresses, phone numbers and dates of birth of 382,000 current and former employees had been stolen from an employee's car. The theft pushed the number of records compromised due to security breaches over the 100 million mark, according to the Privacy Rights Clearinghouse, which tracks breaches dating to the ChoicePoint incident in 2005. The number of individuals affected isn't known, because some individuals may be the victim of more than one breach.
The arms race against phishers, strengthening firewalls, FFIEC authentication deadline issues and the constantly evolving risk management model were among the many topics covered by the FINSEC 2006 conference speakers last week in New York. The security strategies, tools and techniques presentations covered in the two-day conference were led by eleven information security experts from national banks and financial firms. The most sought-after seat was in the FFIEC Authentication Guidance talk led by Diana Kelley, VP and Service Director from the Burton Group. It was standing room only within five minutes of the start, showing that many of the FINSEC 2006 attendees wanted to know how the authentication guidelines will apply to their institutions. The Tower Group has estimated that only 20 percent of institutions will have security systems implemented by the end of the year.
Wish List from Financial Institutions to Our Customers. As the weather outside gets colder and the year draws to an end, we're thinking of what would be some of the things we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here are the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.
If your financial institution is facing an IT regulatory exam soon, you'll want to be ready for it. Despite the best efforts of your team, will your institution be ready? BankInfoSecurity.com's webinar will prepare your team for this arduous task. In the meantime, we interviewed Susan Orr, an ex-FDIC examiner, who will lead the webinar, to illuminate your path to prepare for an IT regulatory exam. BIS: If you were to narrow down to the top items that institutions should focus on in preparing for an IT regulatory exam, what should the number one concern be?
The recent announcement from Microsoft of the long-anticipated ship to manufacturers of the Vista operating system brings visions of patches and problems to the dreams of veteran infosec practitioners. Those companies large enough to hold corporate licenses will have it made available by November 30 for bulk download or via CD. The question for us in the financial industry is - when to upgrade to Vista? A wise CEO once noted when his IT department was clamoring to upgrade to a new OS, "Let's let the dust settle, let others shake the bugs out, then we'll wait until it's a robust product before we move over." That was back in the day of Windows 95 when customers came to your bank to transact business, or they picked up their land line telephone to call in.
When planning for an internal IT risk assessment, it is a good idea to have a solid understanding of risk management first. The finance and accounting departments in most organizations now have a firm grasp on risk management from a business perspective, thanks to Sarbanes-Oxley. However, when the IT Security department takes responsibility for an internal IT risk assessment, some things are lost in translation. An effective risk management program protects the company and its ability to perform its mission. Sarbanes-Oxley, Section 404, requires public companies to annually assess and report on the effectiveness of internal controls over financial reporting. Information technology (IT) risk management is a component of risk management and should be part of any IT security program.
Financial institutions are subject to a slew of laws and regulations aimed at information security. There's Gramm-Leach-Bliley (privacy), Federal Financial Institutions Examination Council (authentication and online banking), and Payment Card Industry (card security). There's also California's and other states' data breach disclosure laws, and the Sarbanes-Oxley Act, which requires IT to test the effectiveness of controls over financial-reporting systems. And the European Union's privacy laws, etc. While these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Organization for Standardization (ISO) has developed two standards that do precisely that, and by adhering to them banks can go a long way toward satisfying regulatory compliance requirements.
The Interagency Guidelines Establishing Information Security Standards as per Gramm-Leach-Bliley Act (GLBA) of 2001 require each bank to have a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. The following publications from the NIST (National Institute of Standards and Technology) outline a model for information security training and awareness programs. While published several years ago, they remain a standard for all programs.
Visa is mounting a full-scale blitz to encourage merchants to use payment software that doesn't compromise consumer passwords. The card company has asked merchants to ensure that the software they use to process card transactions doesn't store the full contents of "track data", which contains passwords and other sensitive information. Last year, a breach at CardSystems, a processor of card transactions, led to the exposure of 40 million payment records, setting off a firestorm that's led to a crackdown on data security vulnerabilities by regulators and lawmakers. Visa's Cardholder Information Security Program prohibits the storing of full track data by merchants. Account numbers, expiration dates, and names are the only elements of track data that may be retained once a transaction has been authorized. In addition, Visa requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) by all merchants and any entity that stores, transmits or processes cardholder data.
The results are in, and BankInfoSecurity.com would like to present the Top 10 financial information security articles on this website from 2006. All articles have been posted since January, and include any articles through the last week in July. Not surprisingly, the number one article referred to actual financial services workers being fooled by a harmless, yet planned, CD scam. This can only underscore the importance many banks and financial institutions put on educating employees as a starting point for a strong information security program. Rounding off the top 10 are two articles related to phishing, a trend which indicates the problem will continue to be a nuisance to any institution offering online account access.
The Computing Technology Industry Association (CompTIA) released results of a study earlier this year finding that human error was responsible for nearly 60 percent of information security breaches experienced by organizations over the last year. Additionally, the results of the study show that most companies don't require security awareness training, and only 36% of companies surveyed offered end user security awareness training. Why is the security awareness training landscape so dismal? While we have installed firewalls, intrusion detection systems, robust anti-virus and anti-spyware solutions, and strengthened authentication methods, we have still largely ignored security awareness training. And when I say ignored, I mean that most companies now have an Acceptable Use Policy in place that employees have to sign upon employment, but that's where the effort stops.
Deloitte Security Survey. The world's largest financial institutions have faced a surge in the number of security attacks over the past year, particularly from external sources, according to the 2006 Global Security Survey released by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT). More than three-quarters (78 percent, up from 26 percent in 2005) of respondents confirmed a security breach from outside the organization and almost half (49 percent, up from 35 percent in 2005) experienced at least one internal breach. The fourth annual survey consisted of interviews with senior security officers from the world's top 100 global financial institutions and acts as a global benchmark for the state of IT security in the financial sector.
NSI An experiment carried out within London's financial district has demonstrated what security experts have been saying for years: employees - even those working with ultra-sensitive financial data - are unaware of or don't care about basic security practices.
In the experiment, CDs were handed out to commuters as they entered the city. Recipients were told the disks contained a special Valentine's Day promotion. In reality, though, the CDs contained nothing more than code that informed the company performing the experiment how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail bank and two global insurers.
No, "pod slurping" is not something that happens in a sci-fi movie (although that's not a bad idea...); it's the practice of using an iPod or other small, portable memory device to illicitly download corporate data. Here are three things you need to know about this alarming new security threat, also called "bluesnarfing." 1: It's a growing risk. In two minutes, analysts say, it's possible for an iPod to extract about 100 megabytes of Word or Excel data from a corporate network. Experts agree that as iPods, memory sticks, and digital cameras proliferate in the workplace, more employees are bluesnarfing critical information at an alarming rate. To prove the point, one security guru wrote a program that searched the corporate network for business-critical data, which he then downloaded to his music player - looking for all the world like any worker listening to tunes.
In this article, I talk briefly about security incident investigators, their training and their role within an organization. Some regulations and standards require proper training of security incident investigators. ISO/IEC 17799 clarifies the need for trained security investigators when it states "When an information security event is first detected, it may not be obvious whether or not the event will result in court action." Let's talk for a moment about the initial detection of a possible security event. Who normally suspects or discovers it? Nearly always, the breach will be noticed either by an end user or a member of the Information Technology (IT) staff. I'll not spend time talking about end user training except to say that end users must be trained to notify a member of the IT staff immediately any time that something doesn't appear "right" with their machine - and take no other action. We do not want or need well-meaning but inept end users "assisting" us in gathering evidence. The IT staff should respond immediately to reports of suspected breaches and should be able to determine quickly if a possible security incident has occurred. Once confirmed, the matter is turned over to security investigators for further action.
Preparing for security incident investigations. Preparation is the most important phase of security incident investigations, since most of the requirements previously discussed can't be addressed at the time the investigation is being conducted. Preparations shall therefore address these requirements (what the investigation must provide) and also the needs of the investigation process itself (i.e. all that is required by the investigation process from other sources). To increase speed, we need to perform as many tasks as possible before any investigation starts. These tasks include: - Gathering contact information
The way security investigations are performed in banks is receiving more attention nowadays. In the past, general procedures and practices for incident response were acceptable. However, due to security trends and regulations that affect banks specifically, these institutions require slightly different approaches to their security investigation programs in order to account for these new regulations and security trends. This article provides a general overview of the security investigation process, how it fits within the incident response process, the required preparation process, specific issues in banks that need to be considered and the relationship between this process and security intelligence activities.
About a year ago I was in the process of trying to find an information security professional to augment existing staff. Our company used a personnel firm who specialized in placing contract IT and security professionals. It occurred to me that we weren't very circumspect about requiring background investigations before hiring contractors. That needed to change. I didn't know enough about how background checks were performed and I wasn't sure that our HR organization was requiring them for contractors, so I took it upon myself to ask the personnel firm to perform one. I never received any kind of report, just an email stating the check had been performed and the person checked out fine. We contracted the young man to work for us, but it bothered me that I didn't really understand what had been done and what "checked out fine" really meant. I did a little research on the net and found very little helpful information. I did notice a variety of websites promising quick background checks for a small fee. I contacted a well known company in San Francisco and talked to one of the HR people there and found out that they used a company called Inquest. I contacted a company representative to find out more.
Security-naive machines are about to swarm onto your precious networks. Brace yourself. Brian McKenna is the editor of Infosecurity Today (www.infosecurity-magazine.com). McKENNA: We know from surveying our readers that they are very focused on the medium term. In other words, what the security threats are going to be over the next two or three years. They are not too concerned about theoretical risks, or vulnerabilities that may or may not prove troublesome. And they know all about firefighting the day to day problems. But they are worried about how the threat environment will change over the next two to three years.
Cyber-criminals are targeting the most vulnerable access points within businesses - employees - to execute their attacks, a new study finds. In its annual closely watched security report, IBM warns that although widespread virus outbreaks are on the decline, on the whole online attacks are expected to rise in 2006. The culprit: highly targeted attacks that rely on naive users. According to IBM's 2005 Global Business Security Index Report, e-mail-borne viruses dropped sharply in 2005. In 2004, 6.1% of e-mails contained a virus; in 2005, that declined to only 2.8%. "What we're seeing is more directed targeted attacks, and we really think that's because of the financial motivation and the underground economy driving those things," an IBM security expert said.
New Trojans Target Bank Accounts
There are many unpleasant tasks in life and work. Monitoring employee behavior is one of those unpleasant tasks. Management has to take a strong role in ensuring that liability does not come the company's way, i.e., risk management. New regulations hold management responsible for employee behavior which can cause the company to be subject to monetary loss, criminal charges, and civil lawsuits. The buck stops here. Most of us don't want to be Big Brother. We don't like the idea of "spying" on our employees. We don't like the taste of infringing on someone's privacy because we value our own. However, what you don't know will hurt you and may hurt you in a court of law. Fortunately, technology has made our job a lot easier.
Nearly four out of five technology professionals believe employees are putting their companies at risk by failing to act safely online, according to new research. In a study by anti-virus firm Sophos, 79% of the IT workers polled said that in spite of their group’s instructions, many employees continue to open unsolicited e-mail messages and attachments, and to inadvertently download spyware from Web sites.
Recent and current pressures on IT security managers in publicly quoted companies to tick regulation boxes have about five more years to run. NetIQ security strategist Chris Pick believes that the discipline of risk management, taking companies beyond mere compliance, is "not there yet" as a driver of IT security spending, but that it will be soon.
According to a Harris Interactive survey of U.S. office workers, 68% of employees have sent or received e-mails that could pose a risk to their company. The survey shows that even if you think you’re e-mailing out a harmless joke, gossip, or innocent information about your company, you could be putting yourself – and your employer – at risk. Although the poll found that 68% of U.S. employees who use e-mail at work have sent or received risky messages, 92% fail to see that the e-mails could harm their company. That means there’s a substantial discrepancy between employees’ perceived and actual risks. The survey examined the e-mail habits of over 1,000 individuals and uncovered a number of issues that raise concerns for businesses – both in the way employees are using and storing their corporate e-mail.
Some security practitioners react to new technologies with panic and the issuance of stern edicts against using USB drives/PDAs/EVDO cards/wireless LANs, etc. Stop and take a deep breath. In most cases, users have a legitimate need to fill. It is your job to find a way for them to fill that need safely, not to keep them from being efficient. Besides, issuing stern edicts typically serves only to increase awareness of the "forbidden" (and thus much more interesting) technology and tends to drive users underground, making your job more difficult and adversarial. Work with your users, not against them. Make sure that your users feel comfortable talking to you about new technologies. You want them to come and tell you about the neat new gizmo or software they just bought (or better yet, are thinking of buying). They will not do this if they perceive that you are going to arbitrarily stop them from using anything new. A better approach is to sit down with the user, understand what they are trying to accomplish with the new technology, and try to get them to raise the security questions themselves.
Omar Herrera: Information security personnel in banks. Banks have specific requirements for the experience and abilities of their information security personnel. However, it is becoming harder for qualified professionals to satisfy requirements from these institutions. While information security personnel can be trained in specialized areas of information security, they still need to have relevant general information security background and a minimum number of years of experience in the industry.