BankSecurely.com


Big Texas Showdown – Cybertheft Victim vs. Their Bank

Hilary Machinery, a customer of Lubbock, Texas’ PlainsCapital bank was sued by their bank and is now counter-suing. Comical as it may seem, it is happening today.

Case 1 – Bank vs. Customer:

In November of last year, individuals from Romania and Italy initiated over $800,000 in wire transfers from Hilary’s accounts with PlainsCapital using valid credentials. Although PlainsCapital was able to recoup approximately $600,000 of that money, the remaining $200,000 was a loss. The initial legal motion was the bank approaching the U.S. District Court for the Eastern District of Texas asking them to certify their security measures, claiming that their security measures were “commercially reasonable.” This was a move to absolve themselves of the situation and of the obligation to pay Hilary the remaining $200,000. These “commercially reasonable” security measures involved linking the customer account to an IP address. The bank has internal documents which show how an attacker circumvented this measure and used a different IP address – a foreign one.

For some time now the concept of using multi-factor authentication or stronger authentication methods for internet banking has been thrown around. From what I’ve seen, banks and credit unions are slow to adopt these technologies and won’t do it for some time. Why is that? Well:

  1. It has a sizable cost associated with it.
  2. It is complex to implement for the institution’s staff.
  3. It is complex to implement for the consumer.
  4. There is nothing really forcing them to do it.

It is a sad state of affairs, but maybe one for consideration. Yes, I’m looking at you FFIEC and additional regulatory bodies — when was the Information Security Handbook last revised? When was the last time that you came in and determined that PlainsCapital was secure enough? Maybe those work papers can be used as evidence in this case! If it is found that the security measures in place at PlainsCapital were insufficient yet compliant with your standards, where does that leave you?

Community banks – When was the last time that you did overseas business? Seriously? Have you considered blocking foreign IP addresses? Hulu does it. I can’t watch the BBC shows I want from the US. Why can’t you limit your transactions by geo-location? You have a firewall (or perhaps only an edge router); apply some ACLs. If you need help or want to automate it, ask me.
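As an added illustration (my own example, not code from the post or from any bank’s system) of the two controls discussed above, here is a policy check that refuses a wire request from outside a customer’s allowed countries and holds for review one that arrives from an IP other than the one linked to the account. The `AccountPolicy` class, the `GEOIP` table (built on RFC 5737 documentation prefixes) and the sample requests are all constructed assumptions; a real deployment would consult a maintained geo-IP database.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
# Constructed geo-IP table using RFC 5737 documentation prefixes (not real
# assignments); a deployment would query a maintained geo-IP database.
GEOIP = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RO",
}

@dataclass(frozen=True)
class AccountPolicy:
    """Hypothetical per-customer policy: the IP the bank linked to the account,
    the countries the customer does business from, and an amount above which a
    human reviews the wire even from the known IP."""
    registered_ip: str
    allowed_countries: FrozenSet[str]
    review_above_usd: int

def country_of(ip: str) -> Optional[str]:
    """Map a source address to a country code; None means unknown origin."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None

def evaluate_transfer(policy: AccountPolicy, source_ip: str,
                      amount_usd: int) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'review' or 'block'.
    Geo-blocking runs first: an origin outside the allowlist (or unknown) is
    refused outright, so the account-to-IP link is never the only control; a
    known country from an unexpected IP, or a large amount, is held for review."""
    reasons: List[str] = []
    cc = country_of(source_ip)
    if cc not in policy.allowed_countries:
        reasons.append(f"origin country {cc or 'unknown'} not in allowlist")
        return "block", reasons
    if ipaddress.ip_address(source_ip) != ipaddress.ip_address(policy.registered_ip):
        reasons.append("source IP differs from the IP linked to the account")
    if amount_usd > policy.review_above_usd:
        reasons.append(f"amount {amount_usd} exceeds threshold {policy.review_above_usd}")
    return ("review" if reasons else "allow"), reasons

if __name__ == "__main__":
    policy = AccountPolicy("192.0.2.10", frozenset({"US"}), 50_000)
    for ip, amt in [("192.0.2.10", 12_000), ("198.51.100.7", 12_000), ("203.0.113.44", 120_000)]:
        print(ip, amt, evaluate_transfer(policy, ip, amt))
```

The third sample request, from the foreign prefix, is blocked by the country allowlist before the IP link is even consulted, which is the outcome the bank’s IP-only control failed to produce.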

Specific to PlainsCapital and potentially anyone else who had a penetration test done in the past and did nothing about the findings – if you have evidence that your security measures can be circumvented, they are insufficient. End of story. Hear that, U.S. District Court for the Eastern District of Texas? Case #1 closed.

Case 2 – Customer vs. Bank:

In response to Case #1, Hilary is suing the bank for the $200,000 lost plus legal costs claiming that the security measures in place at the bank are insufficient.

To the “victim” – yes, I commiserate more with your loss here than I do the bank’s in case #1. That being said, perhaps this is not the time to be throwing stones from your glass house. The credentials for that online banking account were compromised somehow – until you find out how and have evidence, a lawsuit might not be your best option. Furthermore, when was the last time your security measures were tested? Case #2 looks like it might be a draw to me.

[via HackInTheBox, ComputerWorld, KrebsOnSecurity, Forbes, FoxNews ]

Is your BCP ready? Could your organization withstand ZOMBIES?!

I couldn’t resist bringing this article to everyone’s attention.

BCP to me isn’t the most sexy topic. A lot of organizations HAVE to have one as a result of compliance mandates and the financial industry falls into that category.

How do you imagine the potential plans and procedures you will need for an emergency? How do you test your BCP? I think the “zombie message” Buffy Rojas has brought to us in this article not only sheds some light on a serious subject, but will also free some stuck gears which have been working on BCP for years.

Maybe it’s just me, but I think everyone has seen a zombie movie. In fact, many jokes in my hometown of Pittsburgh stem from the fact that the Night of the Living Dead was filmed there – including Monroeville Mall. Everyone has seen what could happen. I believe that relating the BCP process to something so commonplace as a zombie movie will help organizations along with the process.

If nothing else, perhaps it will get some fresh interest in becoming a BCP professional, or potentially ZCP professional.

[via Continuity Insights]

Prices are dropping! Your identity isn’t worth as much.

Recently, I had the opportunity to give several talks on the security trends we faced in early 2009. One of the trends I noted was the situation we are now facing in identity theft – commoditization.

Yes, it’s a tough economy and rough market for many goods and services. The once booming identity trade, which raked in more last year than the international drug trade, is facing a bad patch as well. The prices associated with personally identifiable information (PII) are falling and have entered a pure supply/demand market with very little differentiation based on quality.

I thought it was just me, but Jim Giles found the same issues in his research. This excerpt is from his New Scientist article, How much is your identity worth? where Giles comments on the prices he is quoted.

“That seems ridiculously cheap for details that could potentially be “cashed out” for thousands of dollars. A few months back, loopz [the criminal at hand] might have been asking several times that. But supply and demand shape this market, just like any other, and recently prices have slumped. It is impossible to say why, though the economic slowdown is probably not the cause: credit card fraud, says Turner, is a recession-proof business. Santorelli’s guess is that the market has been flooded with information stolen from Heartland.”

I concur with Santorelli’s assessment in this case.  Heartland, RBS WorldPay, and many other warehouses of PII have inadequately defended the information they were charged with protecting, resulting in the current market conditions for identities.  It has also resulted in an overall numbing toward identity theft.  So many people have been personally affected by this issue, that they all but ignore additional mailings from banks, healthcare providers, and other trusted agents who lost their information.

On the other hand, I see this as an opportunity for these trusted agents to differentiate themselves.  Recently, I came upon the sign outside a local bank here in Colorado.  The sign reads, “Looking for a new bank?  We’re safe, sound, and secure!”  Think about that – the bank is differentiating itself through security!

I personally feel that this is an amazing time for financial institutions to make that next step for their business.  A next step that sets them apart from others, even institutions as well known as RBS.  That step is one towards security.  Not just compliance, but a risk based approach to secure the PII of their customer or member base.

[via NewScientist]

West Point victorious (AGAIN) in this year’s Cyber Defense Exercise

Every year, cadets from Annapolis, West Point, Coast Guard Academy, Merchant Marine Academy, and the Air Force Academy compete in a Cyber Defense Exercise. The exercise involves setting up a small business network which meets certain requirements and then locking it down as much as possible. Once the network is up and secure, the cadets are attacked by the NSA’s best as well as the Information Warfare Aggressors from the various branches of the military. The network that best survives the onslaught wins. I’ve commented before that this exercise was one of the major life-changing experiences that I had and the one that fueled my passion for information security.

Today’s world is one which has even more call for exercises like this because of the recent talk of a Cyber Command or Cyber Warfighter. All too often the curricula of academies and colleges alike skirt around the idea of security and practical experiences like this. In fact, I was recently listening to a podcast which was discussing the CCDC.  One of the speakers on the podcast was a part of the Red Team, or aggressors, at CCDC.  Students from the competing colleges asked where he went to college and he explained that he did not; he obtained his experience through work and independent study.  To me, this goes a long way in showing that there is opportunity for colleges and academies alike to step up their level of education and field a program in information security.  I’d be even more interested to look at the job forecast for 2008 and 2009, specifically looking at the need for INFOSEC professionals vice architects.  Sure, we need architects, but they have their own program and degree in most colleges, while I expect the demand for architects was lower last year compared to INFOSEC professionals.

Nonetheless, congratulations to West Point!  I charge the Air Force Academy personally to step up their game and bring the trophy back next year.

[via New York Times]

International SpyNet Leaks Diplomatic Documents

The New York Times as well as the Internet Storm Center are reporting on a new data breach – this time, it may be worse than customer information!  Almost 1,300 computers in over 103 countries have been infected with a sort of malware which has been used for espionage.  The vast spy network of malware, dubbed GhostNet, has spread across the world in a very targeted fashion.  Unlike the rapid growth of malware such as Conficker, which has no specific target in mind, this malware was extremely focused – aiming at national and international organizations.  Some of the infected include NATO, the office of the Dalai Lama, and the governments of several South Asian countries.

The original document, entitled “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network,” was written by a group of Canadian academic researchers and can be found here.

What concerns me about this is the tactics used – infect target PCs with malware, use them to grab the information you need, control them as you need.  Sound familiar?  This is the same concept that was used to breach customer information at Heartland processing!

The weaknesses that are being exploited in these attacks are host based, not network based.  They are attacks which are circumventing the perimeter and our established defenses – attacking the weaker, less reinforced defenses of the endpoint.

New Control Framework Proposed

In my research, I found that NIST just published another revision to SP800-53 (REV3) for public comment.  SP800-53 is a common control framework, adopted throughout the federal space and referenced by the financial industry as a set of best control practices.

[via NIST]

The Top 20 Controls for Cyber-Defense

SANS just published a document outlining the top 20 controls and corresponding metrics for cyber defense.  Although these are intended for FISMA compliance, we’re all in the business of cyber-defense.

In fact, I think that there are two major targets in today’s cyber-defense world: the defense industry and the financial industry.  The defense industry is under attack from other governments, spies, NGOs, etc.  The financial industry is under attack right now from anyone trying to make a profit – which is a pretty broad category.

I’m excited to see this type of document, and I look forward to more like it.

[via BankInfoSecurity]

$9 Million in Losses Highlights the Value of Managed Security

FBI Investigates $9 Million ATM Scam

David Stelzl, author of The House and the Cloud, comments on the compromise of systems at RBS WorldPay which subsequently led to the loss of nine million dollars.

This type of attack makes a strong case for real-time detection response, a program that is delivered to your customers through a managed security offering. Logging data is of no use if no one is there to watch it.

In my opinion, security monitoring is lacking — even in the financial industry.  CIO Magazine conducted a study in October of 2008 which showed the Financial Services industry as the leader in information security.  This was based on adoption rates of select best practices.  That being said, the same study showed that almost half of the respondents could not attribute their security incidents to a specific issue or vulnerability.  If there were sufficient monitoring in place, as outlined by the FFIEC Information Security Handbook (see Security Monitoring), I think more respondents would be able to tell you where they were breached.

To go beyond that, I feel that a proper security monitoring solution would have detected the breach and contained it.

[via ProfitProgram's Blog]

Information Security and Project Management Top Skills

In a recent survey, public CIOs were queried regarding the skills that they are looking for.  The top two skills that they are looking for are Project Management and Information Security.

Top five skill sets needed in the coming year:

  • Project management: 81%
  • Security: 71%
  • Database management: 50%
  • Web services: 62%
  • Networking: 49%

[via Public CIO]

Timely Tips for Managing Security in a Recession

Who said recession?  Wasn’t me!  It was CIO/CSO Magazine!  Recently I had a partner refer to it as a “period of contraction.”  I think that is an excellent description!

Nonetheless, Bill Brenner wrote an amazing series of articles last year entitled How to Manage Security in a Recession. The articles were extremely good, and I’ve captured several of them here.  Here are some highlights:

  • Watch out for the insider threat.  In a bad economy this risk increases.
  • Utilize your personnel as internal, human IDS systems.
  • Keep on the training – build your staff up.  With more knowledge, you can use their skills and reduce costs.
  • Pay attention to the morale of your unit.  Cuts are okay, but be careful about cutting professional development programs.

Thanks, Bill!  This is a great series.

Making Security Work When Staffing is Tight

Cost-Cutting Through Green IT Security: Real or Myth?

Recession Woes: What People Steal

Cheap IT Security? The Tools Were There All Along

[via CIO Magazine, 15 Oct 08 p.50]