Articles

By: (CISA, CISSP, CRISC)
Publication: The Kansas Banker, March 2015

On February 6, 2015, the FFIEC issued a new appendix titled "Strengthening the Resilience of Outsourced Technology Services" to the "Business Continuity Planning" booklet of the FFIEC Information Technology Examination Handbook. This new appendix discusses the following four key elements that financial institutions should address regarding Technology Service Providers (TSPs).

Third-Party Management

"Establishing a well-defined relationship with TSPs is essential to business resilience. A financial institution's third-party management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangement."

The guidance focuses on the following third-party management components:

Third-Party Capacity


By:
Publication: The Nebraska Banker, January/February 2015

Information security, and really security of any kind, always starts with a risk assessment. This may not be a formal process – you probably didn't bust out an Excel spreadsheet prior to installing an alarm system at your house, but I'd be willing to bet that you've informally assessed the risk of someone robbing your home. If you're me, you decided the secondhand furniture you own didn't warrant paying an alarm fee every month. Someone living in a city with a high crime rate who owns nice things, however, would assess the risk differently and probably come to a different conclusion. Assessing risk is an integral part of decision making. As an information security consultant, I see many banks that don't think of a risk assessment that way. They think of it as a chore that must be done annually so they won't get in trouble with an examiner – compliance for compliance's sake. I'm on a mission to change that perception, so I wanted to highlight a few options or items you can add to your risk assessment to make it your own…to give it meaning and value for your bank.


By: (CISM, CRISC, Security+)
Publication: The Community Banker, Winter 2014

Winter is coming and this year, it seems like there is a lot of uncertainty about what it will bring. It may bring tidings of good cheer, or it may bring something akin to my idea of figgy pudding. We just don't know. This is called a "blind spot."

According to Oxford Dictionaries, one definition of a blind spot is "an area in which a person lacks understanding or impartiality." Often, people use the term in reference to unseen drivers, but there are many kinds of blind spots. For example, I'm not a climatologist by any stretch of the imagination, but I am a Texan. As such, I look at things like winter weather forecasts and say, "That's nice. It likely won't happen." Poor weather conditions are a blind spot for me because I lack impartiality about the event. If the event happens, I'll still be surprised and maybe even frustrated because I didn't prepare. Is that illogical? I was warned, I chose to do nothing about it, and I'm now disappointed by the results, so yes. As illogical as it sounds though, this is human nature.


By:
Publication: The Kansas Banker, December 2014

At this point, you've all heard of – and probably read – the FFIEC's Cybersecurity Guidance. In the FFIEC Cybersecurity Assessment General Observations, one of the items the FFIEC wants you to consider is the "process for determining and implementing preventative, detective, and corrective controls." I must admit, at first glance, I did not see the value in classifying controls. My opinion was that a control is a control, and all are good to have. I argued that classifying controls was a waste of time. After a few discussions, however, I began to see the error of my ways. I am now on Team Classify. Why? Well, I'm glad you asked! First, let's look at the differences between these controls:


By:
Publication: The Kansas Banker, November 2014

We have all heard the phrases "up to snuff," "hit the mark," "cut the mustard," and "make the cut." These idioms are similar in meaning, indicating that some process or procedure has proven to be effective. Many organizations spend a great deal of time and effort in the development stage of their business continuity plan, but too often fail to provide an appropriate avenue for testing or validating the plan. The Responsibilities section of the FFIEC's IT Examination Handbook, Business Continuity Planning (a.k.a. the FFIEC BCP Booklet), states that Board and Senior Management responsibilities include "ensuring the BCP is regularly tested on an enterprise-wide basis and reviewing the BCP testing program and test results on a regular basis."


By: (CISM, CRISC, Security+)
Publication: The Nebraska Banker, November/December 2014

For some, holiday shopping is like Christmas every day. For others, it's like a never-ending Black Friday.

For hackers, it's a dream come true.

"Cyber Monday" is a magical day that occurs the Monday following Thanksgiving. It's a day for people who like to find great deals while shopping from the comfort of their own home, via smartphones, tablets, laptops, etc. The IBM 2013 Holiday Benchmark Reports show that for Cyber Monday 2013, retail sales grew 20.6% from the previous year and projections for 2014 follow a similar trend.


By: (Security+)
Publication: The Community Banker, Fall 2014

Are you familiar with the term harvesting? User credentials can be gathered from sites that likely have weak security. This gathering process has been named harvesting and has been a recent issue in the security world.

We all remember the Target breach of 2013 when 40 million credit card numbers and 70 million addresses, phone numbers, and other personally identifiable information were stolen by Eastern European hackers. I personally barely missed the breach window, buying a pair of socks two days after the attack was discovered and addressed. Phew! Some other large-scale events you may know less about include the theft of tens of millions of records from Adobe Systems, 360 million records from multiple companies found for sale on the black market, and an identity theft service in Vietnam with 200 million personal records including Social Security numbers, credit card data, and bank account information. All of these breaches have occurred in the last year! A helpful U.S. firm, Hold Security, uncovered each of these incidents.


By:
Publication: The Kansas Banker, September 2014

Fifteen years ago, some of the hot topics in the information security community were the implementation of smart cards and biometrics for authentication. The purpose of these security tools (at least partially) was to replace passwords with something we don't have to remember. Over time, neither of these solutions has panned out for the majority of us as a method to replace passwords. Granted, both methods saw limited implementations, but the masses likely have never used these technologies or use them only in a limited fashion.


By: (CISA, CISSP, CRISC)
Publication: Nebraska Banker, September/October 2014

Phishing attacks are a part of everyday life, and according to the "Global Phishing Survey 2H2013: Trends and Domain Name Use" by the Anti-Phishing Working Group (APWG), the banking industry is the primary target of these types of attacks. So, what are phishing attacks and how can we protect our banks against them?

What is a phishing attack?

A phishing scam is a type of social engineering attack that typically uses fraudulent electronic messages (email, text, etc.) appearing to come from legitimate sources. These messages usually attempt to acquire sensitive information or install malicious software by directing the recipient to click a link or open an attachment. Some common types of phishing include:


By:
Publication: The Kansas Banker, August 2014

Most banks have been through multiple examination and audit cycles since the much anticipated and discussed FFIEC Supplement to Authentication in an Internet Banking Environment (the Supplement) was released on June 28, 2011 (http://www.ffiec.gov/pdf/Auth-ITS-Final 6-22-11 (FFIEC Formated).pdf). Significant attention has been focused on three major areas. Initial examinations focused on Internet banking-specific risk assessment(s) to identify threats particular to Internet banking. These risk assessments likely revealed that your controls needed to be strengthened. As the Supplement addressed in detail, weaknesses have developed in many traditional Internet banking technical controls due to the persistence and creativity of fraudsters. The third area of emphasis, customer awareness and education, has probably led to an expansion of your customer education initiatives. However, an area with serious information security implications may have slipped under your radar for years.
