
04:18 PM
Lisa Valentine

Could a Major Security Breach Be on the Horizon?

Although financial institutions have to date largely escaped the fate of the U.S. government and other industries, security experts warn that it's only a matter of time until a bank suffers a major breach from a cyber attack.

A Look at Technology

One technology that is becoming increasingly popular among banks hoping to minimize the risk of data leaving the institution is the data leakage-prevention (DLP) tool. According to "Borderless Security: Ernst & Young's 2010 Global Information Security Survey," 50% of financial institutions plan to increase spending on data leakage prevention technologies and processes, an increase of 7% over the prior year.

These tools seek to keep sensitive information inside the organization rather than protect against external entry, explains David Barton, a principal with consultancy UHY Advisors (Atlanta). Barton notes that USB devices are a particular concern for inadvertent data leakage. For example, a 2010 survey of 500 dry cleaners and laundromats in the U.K. by CREDANT Technologies (London and Addison, Texas) reported that more than 17,000 USB sticks were left in clothes to be dry cleaned.

DLP products have limitations, says Perimeter's Jacquith. While they can effectively block data such as account or social security numbers from being transmitted to removable media, they are less effective at controlling leakage of competitive or intellectual data.
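The limitation described above can be seen in a small content-inspection check. This is an added example, not code from any DLP product named in the article; it assumes account numbers look like 16-digit card numbers validated with the Luhn checksum, and all sample texts are constructed.

```python
import re

# U.S. social security number in the common NNN-NN-NNNN layout.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16 digits, optionally separated by single spaces or hyphens (assumed format).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

# Constructed sample payloads headed for removable media.
CUSTOMER_EXPORT = "Jane Doe, SSN 078-05-1120, card 4111 1111 1111 1111"
ORDER_NOTE = "Internal order reference 1234 5678 9012 3456 shipped"
STRATEGY_MEMO = ("Draft: undercut the rival bank's mortgage rate next quarter "
                 "and bid for its branch network before the board meets.")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def inspect(text):
    """Return (kind, last four digits) for each structured identifier found."""
    findings = [("ssn", m.group()[-4:]) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits[-4:]))
    return findings

def decide(text):
    """Block the transfer when any structured identifier is present."""
    return "block" if inspect(text) else "allow"

if __name__ == "__main__":
    for name, text in [("export", CUSTOMER_EXPORT), ("order", ORDER_NOTE),
                       ("memo", STRATEGY_MEMO)]:
        print(name, decide(text), inspect(text))
```

The strategy memo is allowed through because nothing in it has a recognizable pattern, which is why the classification work described in the next paragraph has to come first.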

While DLPs can identify sensitive information leaving the organization, banks must first classify what constitutes sensitive data and where it resides, which in today's environment can be anywhere. With so much data to account for, banks must strategically approach data classification, says Deloitte's Powers, since classifying all data may be impossible. "We're seeing financial institutions focus on targeted data classification and mapping for high-risk data," he notes. "Although tools can automate parts of the classification process, it still comes down to manually assessing the risk of data."

Those banks currently using DLP tools are changing how they use them. "Incidents that used to be noted as a warning are now being blocked," explains George (Chip) K. Tsantes, principal, financial services, for Ernst & Young (New York). "We're also seeing more financial institutions reviewing unusual volumes that could indicate that malware has been installed and is scanning the network."

In a somewhat ironic twist, mobile devices and smartphones--the very devices causing security headaches for banks--are also capable of providing a stronger security platform than what's available on personal computers, says Mercator's Peabody. In addition to holding promise for contactless payments, near-field communications (NFC) chips embedded in mobile devices can be used for multifactor authentication.

Although NFC is not yet ubiquitous--and Apple recently announced that this summer's release of the iPhone 5 would not include NFC--Mercator is predicting that 40 million NFC chip sets will be shipped in the North American market in 2011. "Rather than buying a token generator, the chip is already in the hands of the user," says Peabody. "Banks just have to figure out how to get access to the chip and use it for authentication."

Another technology increasingly used by banks is Security Information and Event Management (SIEM). SIEM solutions provide the same features as event log management tools but go further with event reduction, alerting and real-time analysis, and typically allow users to import non-event information such as vulnerability scanning reports.

SIEM can help find the needle in the haystack, says Chuck Daye, MIS administrator and senior vice president, First National Bank and Trust Company in Chickasha, Okla. ($350 million in assets). The community bank creates more than one million log records per day. Reviewing those records required Daye to log onto many different platforms to monitor the bank's servers, network switches and firewalls.

First National Bank and Trust uses LogRhythm's (Boulder, Colo.) SIEM technology to consolidate those records onto a single console and to search across platforms, enabling Daye to find the root cause of a problem much more quickly than ever. For example, Daye can correlate seemingly unrelated events such as an outside login attempting to gain access to a server with data leaving the server that could signify a possible breach.
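The kind of correlation Daye describes, an outside login attempt against a server followed by data leaving that server, can be sketched as a rule over consolidated records. This is an added example, not LogRhythm's or the bank's code; the record format, internal address range, time window and volume threshold are all assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the bank's internal range
WINDOW = timedelta(minutes=30)        # assumption: correlation window
BYTES_THRESHOLD = 50_000_000          # assumption: "unusual volume" cutoff

# Constructed sample records, as if already consolidated from several sources.
SAMPLE_LOG = """\
2011-03-01T02:10:05 source=firewall type=login host=db01 peer=203.0.113.7 result=fail
2011-03-01T02:11:40 source=server type=login host=db01 peer=203.0.113.7 result=ok
2011-03-01T02:20:00 source=switch type=flow_out host=db01 peer=203.0.113.7 bytes=40000000
2011-03-01T02:25:00 source=switch type=flow_out host=db01 peer=203.0.113.7 bytes=30000000
2011-03-01T03:00:00 source=server type=login host=web01 peer=10.1.2.3 result=ok
2011-03-01T03:05:00 source=switch type=flow_out host=web01 peer=198.51.100.9 bytes=90000000
2011-03-01T09:00:00 source=server type=login host=app01 peer=203.0.113.50 result=fail
2011-03-01T11:00:00 source=switch type=flow_out host=app01 peer=198.51.100.9 bytes=90000000
"""

def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'time'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.fromisoformat(ts)
    return event

def is_external(addr):
    return ip_address(addr) not in INTERNAL

def correlate(log_text):
    """Return (host, peer, bytes_out) per host where an outside login attempt
    is followed within WINDOW by outbound traffic at or above the threshold."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    alerts = {}
    for login in events:
        if login["type"] != "login" or not is_external(login["peer"]):
            continue
        end = login["time"] + WINDOW
        sent = sum(int(e["bytes"]) for e in events
                   if e["type"] == "flow_out" and e["host"] == login["host"]
                   and is_external(e["peer"])
                   and login["time"] <= e["time"] <= end)
        if sent >= BYTES_THRESHOLD:
            # Keep the earliest matching login per host to avoid duplicates.
            alerts.setdefault(login["host"], (login["host"], login["peer"], sent))
    return list(alerts.values())
```

Only db01 is flagged: web01's large transfer follows an internal login, and app01's transfer falls outside the window, so neither event pair is treated as related.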

In addition, banks are moving beyond encrypting data in use and in motion and are encrypting data at rest as well, notes Greg Rattray, senior vice president for security at the BITS technology policy division of the Financial Services Roundtable (Washington, D.C.).

Implementing Risk Management Disciplines

Although technology can be an invaluable tool in the fight to protect data, technology will fall short unless banks apply rigorous risk management, says Craig Spiezle, executive director and president of the non-profit Online Trust Alliance in Bellevue, Wash. Spiezle cites a Verizon/USSS statistic that organizations could prevent 95% of data breaches simply by following risk management best practices.

Unfortunately, risk management at many financial firms falls short. Although 42% of financial organizations have an IT risk management program in place, only 30% have a program that addresses risks from new technologies, according to Ernst & Young.

UHY's Barton concurs. "At many organizations, there is no difference between highly confidential information or fairly innocuous public information," he says.

It's impossible to protect everything, agrees Prism Microsystems' Ananth, so he and other experts advocate taking an approach that strikes a balance between draconian and laissez faire. "You use the Tower of London to lock up the crown jewels, but it would be ridiculous to lock up loose change," he quips.

Ultimately, this is a challenge for banks' top executives. To paraphrase Spider-Man's Uncle Ben, "With great power comes great responsibility." While mobile devices have empowered employees, employees must be taught to use those devices responsibly, says Prism Microsystems' Ananth.

Yet Ernst & Young's security survey found that an overwhelming majority (92%) of financial institutions consider employee awareness of security to be a challenge. Less than half (45%) of respondents said their firms provide training on the risks of mobile devices and only 34% said their companies provide training on social networking risks.

"Ten years ago, the institution was secure, but all of that is out the window today," notes Ernst & Young's Tsantes. "Financial institutions must step up and educate employees continuously. The biggest department in any institution is the security department because all employees belong to it. Everyone can either enhance or erode security through their actions."

Deloitte's Powers makes the case for deploying good technology such as DLP, but also beefing up employee awareness programs and instituting smart policies that recognize the realities of mobile devices. "You need technology to protect data and minimize the incidence of data loss," he says. "But the reality is that those tools must work in concert with good policies and increased awareness of security throughout the organization."
