The New York Times reports that hackers from around the globe systematically pilfer credit card numbers and other personal consumer data from online merchants, which they then sell to the highest bidder at membership-only Internet cyberbazaars.
The Wall Street Journal describes those arrested in a crackdown on identity theft, including a person who allegedly sold Social Security numbers on eBay and a man who's said to have exercised almost 200,000 of an executive's stock options. The article also describes instances of identity data stolen from organizations ranging from hospitals to health clubs.
The Computer Security Institute and the FBI conducted a survey of businesses, revealing that 90% suffered Web security breaches during the prior 12 months despite the presence of firewalls and other protective measures.
These are just a few manifestations of the growing pandemic of identity and information theft, a category of crime that has grown in size and sophistication along with the Internet age.
Banks, lacking immunity to these threats, are continuing to draw upon the best-available information security resources to fortify the global financial system. For many, it is a three-pronged improvement strategy that includes the hiring and training of Web security personnel, upgrading internal Internet policies and procedures, and implementing effective intruder detection and customer authentication techniques.
Better information security practices help to mitigate the relative dearth of immediate help the industry is likely to receive from the government. Although the USA PATRIOT Act has expanded wiretap powers to include mobile phones and Internet connections, the law enforcement community still lacks many of the resources it needs to follow up on, track down and prosecute Internet-age crime.
"Most of the crimes, be they cybercrimes or violent crimes, are actually enforced by local and state governments, and they don't have the expertise that they need to have," said Representative Marty Meehan of Massachusetts at a venture capital conference. "Attorney General's offices from around the country are trying to keep up."
In fact, it's the financial industry that has put its expertise at the disposal of the law. For example, the Securities Industry Automation Corp., which handles data processing for the NYSE and the AMEX, has become a member of the N.Y. Electronic Crimes Task Force, an organization established by the Secret Service to elicit advice from the experts.
"If there's something that comes up, whether it be a question, a technical issue or an implementation issue on a certain thing, they'll send out an e-mail to the task force and ask for their input," said Kevin Connell, CISSP, director of information security for SIAC. "We get about five to 10 e-mails per day from these guys."
The benefit of collaboration runs both ways. By raising issues through the task force, its members can ask for help without triggering a criminal investigation and its attendant headlines. "Companies are hesitant to report break-ins to their systems because it hurts their brand name," said Connell. "You can give the task force a 'hypothetical' situation, and they'd say, 'Hypothetically speaking, this is what we'd recommend.'"
Larger organizations maintain their own response teams staffed by information security experts. Connell advocates hiring Certified Information Systems Security Professionals (CISSPs), which he describes as the InfoSec world's equivalent to the CPA. The vendor-neutral certification from the International Information Systems Security Certification Consortium, Inc., Framingham, Mass., calls for three years of relevant work experience, general proficiency in all areas of information security, and ongoing training.
Financial institutions also rely upon outside auditors to assess their information security programs. One such audit is the SAS 70, performed in two phases: first, making sure that management controls are in place to handle situations that may arise; and second, verifying that documented procedures are actually implemented as written.
But calling for an outside audit isn't an easy choice for everyone. A BS&T reader, in charge of internal audit for a sizable Middle Eastern bank, had traditionally brought in external consultants for network security reviews. "Our IT department now claims that exposing our network configuration to external parties would put the organization in a greater level of danger than the assurance obtained from the review itself," he writes.
Probing For Vulnerabilities
Clearly, shunning the locksmith won't get the doors fixed. However, emerging enterprise-level vulnerability assessment tools promise to place more information at the fingertips of IT organizations of all sizes, helping to prevent intrusions through known points of weakness.
Security experts and computer criminals regularly discover new vulnerabilities in operating systems, servers and applications. "The fundamental basis for security within an organization is protecting your hosts and your servers: getting down to that operating system, maintaining your patch levels and mitigating those vulnerabilities," said David Thomason, director of systems engineering at SecureInfo, San Antonio, Texas.
SecureInfo, staffed with former intelligence analysts from the U.S. Air Force Information Warfare Center, scours hundreds of sources, including "black chat rooms," for information on new vulnerabilities, which it then compiles and sells through a subscription service. Subscribers map vulnerability updates against a digital blueprint of the organization's IT networks, helping them to quickly detect and manage potential threats. "So if I'm the CIO of a big bank, I can look down and see that the people in San Antonio have done a good job of fixing their vulnerabilities, but the people in San Diego have not," said Thomason.
Patelco, a $2.7 billion credit union in San Francisco, manages its exposures using a similar system from nCircle, also based in San Francisco. "We operate on pretty lean staffing," said John Shields, senior VP of e-business at Patelco. "For us, exposure management was hard to do and keep it updated all the time."
Getting periodic evaluations wasn't doing the trick. "With a one-off vendor that does an external penetration test, you get a snapshot," said Shields. "But if something changes a month or a day later, they don't catch that."
Using nCircle helps the bank to stay ahead of the criminal element. "It's telling us ahead of time what that system might be vulnerable for," said Shields. "It helps us to maintain our patches much better, and in not exposing those vulnerabilities to the outside, or even to the inside."
The nCircle system also provides guidance on which vulnerabilities to address first. "It'll basically list out the IP address of the system, what vulnerabilities there are, and assign a weighted score," said Shields. "The higher the score, the more vulnerable it is."
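The exposure-management idea described above (a vulnerability feed mapped against an inventory of hosts, each host given a weighted score, and sites compared side by side) can be sketched in a few dozen lines. This is an added illustration, not code from nCircle, SecureInfo or Patelco; the hosts, products, versions and advisory ids are constructed, and the doubling of scores for Internet-facing hosts is an assumption of the example.

```python
# Added example, not vendor code; every host, version and advisory id is constructed.
from dataclasses import dataclass

@dataclass
class Host:
    ip: str
    site: str
    internet_facing: bool   # assumption: exposed hosts weigh double
    software: dict          # product -> installed version

@dataclass
class Vuln:
    vuln_id: str            # placeholder id, not a real advisory
    product: str
    fixed_in: str           # first version carrying the fix
    severity: int           # 1 (low) .. 10 (critical)

def version_tuple(version):
    """'2.0.39' -> (2, 0, 39) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def host_findings(host, feed):
    """Vulns whose product is installed on the host at a version below the fix."""
    return [v for v in feed if v.product in host.software
            and version_tuple(host.software[v.product]) < version_tuple(v.fixed_in)]

def host_score(host, findings):
    weight = 2 if host.internet_facing else 1
    return weight * sum(v.severity for v in findings)

def exposure_report(hosts, feed):
    """Per-host rows (ip, site, [vuln ids], score), most exposed first."""
    rows = []
    for h in hosts:
        found = host_findings(h, feed)
        rows.append((h.ip, h.site, [v.vuln_id for v in found], host_score(h, found)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

def site_rollup(rows):
    """Sum of host scores per site: the CIO's San Antonio vs. San Diego view."""
    totals = {}
    for _ip, site, _ids, score in rows:
        totals[site] = totals.get(site, 0) + score
    return totals

# Constructed sample inventory and feed (not real hosts or advisories).
HOSTS = [Host("10.1.0.5", "san-antonio", True, {"webserver": "2.0.40", "ssh": "3.4"}),
         Host("10.2.0.7", "san-diego", True, {"webserver": "2.0.36", "ssh": "3.1"}),
         Host("10.2.0.9", "san-diego", False, {"ssh": "3.1"})]
FEED = [Vuln("VULN-0001", "webserver", "2.0.39", 8), Vuln("VULN-0002", "ssh", "3.4", 9)]
```

Re-running `exposure_report` whenever the inventory or the feed changes is what turns the one-off "snapshot" from a penetration test into the continuous view Shields describes.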
Security management systems help bankers get a handle on their security risk exposure, aiding in executive decisions on appropriate defenses. "Exposure management is a business problem, not a technology problem," said Ridgely Evers, CEO of nCircle. "Yet the vendors in the security industry have really approached customers with technology solutions that customers then try to assemble into business solutions."
However, security involves more than just getting from Point A to Point B. True security requires an all-encompassing picture of the entire operating environment. That's why Evers quotes one of nCircle's banking customers as saying, "All these guys are selling car parts and I'm here looking for transportation."
"Network exposure management requires that you have continuous, detailed, objective knowledge of everything that's happening in traffic, and everything on the network," said Evers. "You have to manage on the basis of that knowledge in light of your business requirements, specific policies, and general best practices."
"If you're not doing that, then you cannot be secure," added Evers. "You can be lucky, but you cannot be secure."