Where is the Threat? Two Views on Security
BY KENNETH CLINE
A banker and a solutions provider say increasingly sophisticated security threats in banking must be fought on an institution-wide basis.
SYNOPSIS | Harvey Koeppel, chief information officer at Citigroup, and Bryan Sartin, managing principal at Cybertrust, assess the security threats in banking from different perspectives. Koeppel sees more danger from external threats; Sartin highlights the vulnerability when financial institutions lose track of their own data. They both agree, however, that criminal elements have become increasingly sophisticated in their capabilities, requiring an institution-wide commitment to data security.
Since they must store and protect so much confidential financial information about their customers, banks are understandably preoccupied with fraud. And as transactions move to electronic, paperless channels, the number and variety of those threats keep growing.
To provide deeper insights into the security issues that are top-of-mind for financial institutions, BAI's Banking Strategies conducted interviews with two experts in banking security: a banker and a solutions provider's forensic investigator. The two approached the issue from different perspectives, but also covered some common ground.
Harvey Koeppel, senior vice president and chief information officer for the global consumer group at New York-based Citigroup Inc., focused on external threats and detailed the relentless efforts his bank has made to shore up its defenses. Bryan Sartin, a managing principal for Cybertrust, a Herndon, Va.-based provider of security solutions, warned about vulnerability in internal data controls.
Both experts agreed, however, that criminal elements are becoming increasingly sophisticated and robust in their capabilities and that combating data security threats requires an institution-wide commitment. As Koeppel says, "Security is something that has to be owned by the entire organization, starting with the CEO."
Or as Sartin put it, "Everybody who has the keys to the castle needs to be responsible for securing the castle."
Q | What are the major security challenges facing banks today?
Koeppel: The biggest challenge is that, as technology changes, so do the threats. People tend to view information protection as a deliverable that is static in nature when, in fact, it is an ongoing and continuing process that needs to be constantly reviewed and updated as the technology changes.
Probably the easiest way to look at it is on a channel-by-channel basis. It used to be that somebody would walk into a branch with a note, a gun and a brown paper bag. That "manual method," if you will, has been very significantly replaced by electronic means.
On the Internet, there remain significant issues around phishing, pharming and spoofing (see chart "Banking's Phishing Vulnerability"). Those are areas around which we deploy constant monitoring and surveillance. A big part of our mitigation strategy is to educate customers about what a Citibank or Citigroup e-mail looks like so they can identify bogus e-mails.
The same issues apply to the funds transfer channel. Typically, what will happen is the bad guys will invade a client machine, generally over the Internet or through an e-mail channel, and steal credentials. Once the credentials are stolen, they're used either to move money or to execute purchase transactions. The stolen goods are then re-sold.
We have application programs that are continuously reviewed and updated to look for patterns that are suggestive of fraudulent behavior, in our Internet and online space, as well as in our credit card channel. For example, every time you use a Citibank MasterCard, about 2,200 different business rules are applied against that transaction in real time, looking for the possibility of a misuse of that card.
There's also a significant amount of after-the-fact analysis, which we call "Fraud Early Warning System," or FEWS. When we see suspicious activity, we'll actually call the customer and verify whether the activity is legitimate or not.
We're also heavily involved, both on our own initiative and with regulatory input, in what is called "multifactor authentication." In simple terms, that means employing more than one way of demonstrating identity before we will allow you access to personal or sensitive information.
Those programs vary by line of business or by product, but they may take the form of things like security tokens, which generate one-time passwords. Or they may take the form of what I lovingly refer to as "scratch and sniff." There are cards with blocked-out areas. You scratch off the coating and reveal the password that's good for just one use. So even if there is spyware or malware on a client's personal computer and bad guys can access our system and get hold of someone's user ID and password, that password is only good for that one session.
In many cases, we are implementing a multiple password scenario. If you sign on to the system to check your balance, at the point where you actually go to pay a bill or move money in any way, the system will ask you for your password again to make sure it's still you.
We also make heavy use of encryption techniques. If we are moving disk or tape or CD ROM from one location to another, it must be encrypted. Even if the package is lost, which happens from time to time, unfortunately, whoever may find the package can't make use of the information that is contained on the physical media. The same applies to any information that is transmitted across communication lines.
We've also greatly strengthened our Web vulnerability assessments, which are formal ethical hack processes. We do these internally and with external third parties to attempt to break into our system under controlled situations. We do this on a regular basis as we bring new applications online or perform enhancements to existing applications. Very intensive certification and testing takes place before any of those changes are made public.
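Editor's added example, not part of the interview and not Citigroup's own code: the two one-time-password mechanisms Koeppel describes (a token that generates a fresh code each press, and a scratch card of pre-printed single-use codes) together with the re-prompt before a funds transfer. The token side follows the published HOTP algorithm (RFC 4226) and uses that RFC's test-vector key; the scratch-card codes, the session model and the outcome names are constructed for illustration. The point the code makes is that a code captured by spyware on the customer's PC is rejected the second time it is presented, including when it is replayed inside an already authenticated session.

```python
"""Editor-added example (not from the interview): one-time passwords that
survive credential theft, plus the step-up re-prompt before moving money.

A counter-based token (HOTP, RFC 4226) and a pre-printed scratch card share
one rule: a code that has been accepted once is never accepted again.
The secret below is the RFC 4226 test-vector key; the card codes and the
session model are constructed for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of a counter-based token. A code is accepted only if it matches a
    counter above the last accepted one (within a small look-ahead window for presses
    that never reached the server); accepting it burns every counter up to that point."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


class ScratchCard:
    """Pre-printed one-use codes ("scratch and sniff"): a code is deleted when used."""

    def __init__(self, codes):
        self.unused = set(codes)

    def verify(self, code: str) -> bool:
        if code in self.unused:
            self.unused.discard(code)
            return True
        return False


class Session:
    """Step-up: a login lets you view the balance; moving money demands a fresh code."""

    def __init__(self, verifier):
        self.verifier = verifier
        self.authenticated = False

    def login(self, code: str) -> bool:
        self.authenticated = self.verifier.verify(code)
        return self.authenticated

    def view_balance(self) -> bool:
        return self.authenticated

    def transfer(self, code: str) -> bool:
        # A replayed login code fails here: the transfer needs an unused one.
        return self.authenticated and self.verifier.verify(code)


def demo() -> dict:
    """Runs the scenarios from the interview and returns the outcome of each."""
    secret = b"12345678901234567890"  # RFC 4226 test key (constructed, not a real token)
    v = TokenVerifier(secret)
    out = {}
    first = hotp(secret, 0)
    out["first_code_accepted"] = v.verify(first)
    out["replay_rejected"] = not v.verify(first)                # stolen code, presented again
    out["skipped_press_accepted"] = v.verify(hotp(secret, 3))   # within look-ahead window
    out["older_code_rejected"] = not v.verify(hotp(secret, 1))  # burned by accepting 3

    card = ScratchCard(["4815-1623", "4208-1516"])  # constructed card codes
    out["card_code_accepted"] = card.verify("4815-1623")
    out["card_replay_rejected"] = not card.verify("4815-1623")

    s = Session(TokenVerifier(secret))
    login_code = hotp(secret, 0)
    s.login(login_code)
    out["balance_after_login"] = s.view_balance()
    out["transfer_with_replayed_login_code"] = s.transfer(login_code)  # keylogged code: fails
    out["transfer_with_fresh_code"] = s.transfer(hotp(secret, 1))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The look-ahead window is the one design choice worth noting: it lets the server tolerate a few token presses that never reached it, but once a code at counter 3 is accepted, counters 0 through 3 are all burned, so a captured earlier code cannot be used afterwards.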
Q | Are the threats that banks face primarily external or internal?
Koeppel: It's both. Certainly, you hear about the external ones more often. And it's certainly a great motivation for us to continue the vigilance that we have created because the hackers, in many cases, are no longer kids in a garage that are trying to break in to see if they can break in. There is a very well-funded contingent of organized crime—the "new wave criminal," if you will—with extremely sophisticated techniques.
We measure, on a regular basis, the frequency of unique attacks. In other words, how often do we see a new attack? By that I mean a unique instance of a particular e-mail that may be a spoof, for example, and go to a million customers. That counts as one attack.
I would say as recently as two years ago, the number of those unique attacks was somewhere in the neighborhood of four or five a month. That number has probably quintupled in the last two years, to four or five a week.
Another thing we track is the time between when a vulnerability is made public by a vendor and when the first attack is actually encountered. Going back a couple of years ago, Microsoft Corp. would publicize a vulnerability with the Windows operating system and we would see an exploit or an attempted exploit of that particular vulnerability three or four months later. That's a very critical window, of course, because that's typically the time we have to prepare ourselves against the attack.
Today, that time frame has been reduced to hours or minutes. And in some cases, actually, we've been hit by an exploit before the vulnerability is even publicly announced.
This provides an indication of the level of sophistication and funding of the bad guys. In some cases, they're actually finding these holes in either operating systems or applications before the vendors. That gives you some feel for the seriousness and the velocity of the external threat.
Internal threats are probably less frequent, but can be more severe when they occur because the internal perpetrator has access to a much more specific and a higher volume of information. Also, it's painful to think that somebody within our own family is attacking us.
We had an incident about a year ago where some customer service representatives had memorized customer account numbers and phone numbers. They didn't have passwords, but after they left the firm, they called the customers back, pretended to be still employed, and essentially conned the customers into revealing their passwords, which gave them access to the system.
To guard against such occurrences, we have made enormous investments in screening employees and in employee education. We have "clean desk" policies, where anybody who has access to customer information is physically disallowed from keeping stacks of reports out in the open on their desks where somebody could casually walk by and pick up a report or copy down information. In many of our call centers, we're literally in a paperless environment, where we prohibit any of our operatives from having pencil or paper or anything that could be used to write down sensitive information.
We also have lots of call monitoring technology, where we're taping and listening to calls. And we're using software to look for suspicious conversational activities.
Q | When there is a breach, can you tell investigators what data has been stolen and where it's located on your system? In other words, do you keep track of your own sensitive data?
Koeppel: That's less of an issue for us. We have very excellent controls around what data is where. And if a breach does occur, we generally have very good information about what has been breached and where.
We do have situations—there have been some well-publicized occurrences—where a merchant data center has been breached and information about credit card holders has been stolen. Often, that will include account numbers, names and addresses, enough information certainly to make illicit use of credit cards.
Q | And that data is easily re-sellable by criminals, correct?
Koeppel: Yes. In fact, if you know where to look on the Internet, there are price lists for usable identity information, including credit card numbers and passwords.
That information, incidentally, is only good for a certain amount of time before the customer realizes that their account has either been compromised or they've lost their card. There is a kind of price elasticity curve. So, 15,000 account numbers may be worth x but 100,000 numbers may be worth less than x because it's understood those numbers may be stale or blocked before someone would have an opportunity to execute transactions.
It's a highly structured economy with its own pricing, very much like that supporting any other commodity.
Q | Is the banking industry doing a pretty good job of staying on top of these threats, or are the bad guys getting ahead of the game?
Koeppel: My characterization would be that the industry in general is doing a pretty good job. Institutions are getting much more proficient and mature around how to protect their information and how to deal with situations where information is compromised.
Clearly, the situation is not perfect, nor will it ever be. But I think there is a maturation cycle or curve where most financial institutions have made lots of progress, partly on their own motivation and partly with lots of regulatory support, both at the state and federal levels. This has compelled many institutions to build the walls higher and thicker.
I do think there's a certain amount of hype in the air, which is created by people selling security solutions, as in any product sale.
That's not to say these threats aren't real; they certainly are. But I do believe this is part of the new electronic world order. Like many other aspects of commerce, there will be opportunities and risks. Those people who are more competent in managing the risks will do well.
Q | What's your chief takeaway for handling these risks?
Koeppel: Security is something that has to be owned by the entire organization, starting with the CEO. It's got to be an enterprise-wide commitment and owned by the business as well as technology areas.
It's very easy to say, "Oh that's an operational problem," and let the techies deal with it. That's absolutely the wrong attitude and a definite path to a suboptimal solution. Business heads need to understand the threat is there and it's real. There needs to be education, appropriate funding and appropriate prioritization. There needs to be compliance and audit systems put in place to support the program at an enterprise-wide level. There need to be standards or metrics so that one can appropriately manage the risk, just like any other risk.
Q | What are the major security issues on the horizon for banks? And what's the current state of the industry's preparedness to handle those issues?
Sartin: There are a lot of areas where banks handle sensitive data from a consumer or identity perspective. In general, I think that banking, especially in this country, has done quite a bit to mitigate the risk of data compromise around those sources of sensitive data. Banks are a lot farther ahead than, say, retail companies, colleges and universities. You can see that by looking at the public disclosures on ID Theft Center at www.idtheftcenter.org.
When we do hear about security breaches at banks, it very seldom involves an external source, such as a network-based intrusion that originates from outside the company, like through their Web site. Those are few and far between.
When you do find a data compromise in or around a banking institution, it typically involves backup tapes that are lost by a third party on the journey from point A to point B. In addition to that, you have cases of stolen laptops. These incidents underscored some weaknesses that had long existed, but have now really come to the forefront.
But we have seen a lot of organizations, particularly in the banking community, contacting third parties such as ourselves to help them identify where all their sensitive data resides in efforts to mitigate the risks of some security breach around that data. They tell us which data elements absolutely can't leak out and ask us to find where on their network that data is stored or transmitted and tell them all the systems, whether it's end user systems, desktops, laptops or even servers, that have some quantity of that data on them.
Q | So in that sense, the data security issue in banking is not so much guarding against external threats as it is managing how your data is stored and transmitted outside the organization?
Sartin: No question. Banks do a good job of defining within the company from an informational perspective what they can't afford to have leaked out. And they do a better job of quantifying those buckets of information, compared to most other types of companies. Then it's a function of outlining a data retention plan that defines very clearly, from a documented procedure process, what individual systems, based on function, absolutely have to store that data on the network. And what are the types and quantities of that information that we absolutely have to store for our business purposes? And what are the legal requirements for how long we must retain that information?
Obviously, from a data security perspective, your greatest liability is the sensitive data you're hanging on to.
We're working on a case now where a large number of employees of a bank in the U.S. have been complaining of identity fraud, ranging from illegitimate loans to credit accounts being opened in their names to purchases being made using those fraudulent credit accounts. Preliminary investigations into the matter, conducted by the bank's fraud control personnel, showed that the data necessary to lead to the instances of identity fraud being alleged by each employee was actually stored in at least several points on the network. Based on this finding, the bank retained us for the purposes of proving or disproving whether or not these sources of information had in fact been the subject of a security breach occurring within the confines of the bank's network.
Initial analysis into this matter showed that this employee-sensitive information could be found in dozens of places in the bank's back office. Some of those places were very well protected databases and applications. However, others were end user and developer personal computers as well as old backup tapes. In a case like this, there are too many possibilities—the data could have been stolen from almost anywhere.
If you look back to 2005, organizations that lost backup tapes were a very small number of the total breaches that were reported. In 2006, they constituted half or more of all the names reported. I'd expect this year it would be 75%, particularly of all the U.S. situations reported.
Q | What's behind this surge?
Sartin: For one thing, the market for that data is becoming so large. In the cases we respond to, we often see situations where a hard drive or set of backup tapes have been thrown out or lost and the data on them could have led to fraud. The next thing you know, two weeks later, the police have arrested somebody near the area where the system was lost or stolen and that person has on them a large quantity of counterfeit cards, checks, etc. that clearly tie back to that lost device.
In other words, I think the black market is huge and growing very fast. People who steal the data now have various outlets to sell that information, which they can quickly and easily convert into cash. That's a driver for people to look in garbage cans for backup tapes that organizations don't keep track of.
Q | So data management is the key issue?
Sartin: That's the one thing in common for every situation we respond to, regardless of whether it's a physical security breach or a network-based intrusion. The one thing always in common is that the organization had some soft spot around the extent to which they handle sensitive data. Or more importantly, they didn't have a firm handle on the concept of data retention—where on their network that sensitive data was stored.
Q | What do you find to be the most common mistakes companies make in protecting that data?
Sartin: You always hear when these breaches occur about the type of data affected, the consumers affected, the company name, etc. But what you never hear about is the one or two things they did wrong that ultimately contributed to this happening.
The first piece is not having a firm handle on the data they consider sensitive and where on the network it's located. When we go onsite on one of our investigations, say an identity fraud complaint, there's some circumstantial evidence that this company's been hacked into. The purpose of our analysis is to prove or disprove.
The first thing we're going to ask is, "If we have all of these fraud patterns or customer complaints of identity fraud that tie back to your organization as the possible source, show us the handful of systems on your network that had to be hacked into in the process."
We get one of two answers from companies in every case we work. They either tell you, "We absolutely do not store that kind of information; it had to come from someplace else," or alternatively, about 25% of the time, they'll say they have no idea. In both cases, they're doing their best to tell the truth, but the reality is they just don't have a firm handle on where that data is located.
So we have to build a map. Whatever data has been potentially lost, we have to decide for ourselves where that data could have come from. And that usually means finding the inputs and outputs for that data, who they exchanged that data with and where are the computer systems that store, handle or transmit that data.
Q | Would you recommend that financial institutions create such a map before they have a breach?
Sartin: I definitely would. Getting a handle on where all sensitive data might be stored and whether or not you need it for a legitimate business purpose is the first proactive step.
We've done that many times in the banking community. That's become a very popular request for us recently. And what you find, across the board in these types of cases, is they realize they have a potential issue with data storage and retention.
When we build the actual map, we find that for their actual business requirements, they're storing huge quantities of data that could be dangerous, huge quantities of it that they don't really need to satisfy their business requirements.
We also find they can minimize that danger by moving that data to one or two areas for redundancy purposes. They can consolidate sensitive data to fewer places on the network where it's more easily secured. It gives them a better foundation for securing that information if they can limit the places where it's located.
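Editor's added example, not part of the interview and not Cybertrust's tooling: a small version of the "data map" Sartin describes in the last two answers, which walks a file tree, looks for card numbers (13 to 19 digits, validated with the Luhn check so order numbers and phone numbers are not counted) and US-style Social Security numbers, and reports which files hold how many of each. The directory tree, file names and contents are constructed inline in a temporary directory so the script runs offline; the card numbers in it are the widely published test numbers, not real accounts. A real engagement would also cover databases, mail stores and backup media, which this example does not touch.

```python
"""Editor-added example (not from the interview): building a sensitive-data map.

Walks a directory tree, finds Luhn-valid card numbers and US-style SSNs, and
reports per-file counts. The sample tree below is constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects most random digit runs (order IDs, phone numbers, dates)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings of every Luhn-valid card-number candidate in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_tree(root: Path) -> dict:
    """Return {relative_path: {"pan": n, "ssn": m}} for every file with at least one hit."""
    data_map = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")  # binary files yield little text; fine here
        pans = find_pans(text)
        ssns = SSN_RE.findall(text)
        if pans or ssns:
            data_map[path.relative_to(root).as_posix()] = {"pan": len(pans), "ssn": len(ssns)}
    return data_map


SAMPLE_FILES = {  # constructed sample tree; card numbers are published test numbers
    "db/customers.csv": "id,name,pan\n1,A. Smith,4111111111111111\n2,B. Jones,5500000000000004\n",
    "dev/debug.log": "2007-03-01 auth ok pan=3782 822463 10005 amt=19.99\n",  # PAN in a dev log
    "hr/notes.txt": "new hire, ssn 123-45-6789, start Monday\n",
    "ops/orders.txt": "order 1234567890123456 shipped\n",  # 16 digits but fails Luhn: no hit
}


def build_sample_tree() -> Path:
    """Write the constructed files into a fresh temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="datamap_"))
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


def demo() -> dict:
    """Scan the constructed tree; the developer's log shows up beside the real database."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for path, counts in demo().items():
        print(f"{path}: {counts}")
```

The output lists the database export and the developer's debug log side by side, which is the finding Sartin describes: the well-protected store is known, the copy on an end-user or developer machine is not. The Luhn filter is what keeps the map honest; without it, the 16-digit order number would be reported as a card number.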
Q | How long does it take to create one of these data maps?
Sartin: It depends on the complexity of the target environment, but you're generally looking at a one-week engagement.
Q | What's the next step after completing the data map?
Sartin: Once the map is completed and you know where your data storage points are located, the next step is to minimize those storage points and formulate a proper data retention plan. Once that is out of the way, you can worry more about limiting access to that data. Interestingly, data control policies are seldom in place inside companies that we work with in security breach or data compromise situations.
A data control policy will say exactly how a company will go about limiting access to their sensitive data that's accessible to end users—the people in call centers, management, human resources, finance, operations etc.
Q | Final takeaways on data security?
Sartin: We mentioned the importance of communication and awareness of security internally. There are two pieces to that. One would be the idea of having effective information security policies in place, like data retention and data control policies that are customized for the business. Then there's the concept of communicating those mandated policies and processes throughout the organization. Everybody who has the keys to the castle needs to be responsible for securing the castle. Employees need to be aware of the importance of the data they may have access to and precisely how they should go about securing it.
The few times where we have seen security breaches relative to internal employees, situations where they've skimmed data off the network or made efforts to steal laptops or misuse their level of access, they only did that because they were relatively sure no one was really watching. Those banks learned the hard way to institute oversight controls after the fact.
If you can learn something from institutions that have been hit in the past, it's the fact that you need to communicate awareness of the importance of the security policy and the importance of the information that you're handling. But you also need to communicate to employees the extent to which there is accountability over their level of access. If they misuse that, it's likely to be found out.