BANKS VAULT into Online Risk.


A BANK EMPLOYEE with access to the bank's computer network figures out how to gain access to the accounts payable system. In other forays through the bank's computer network, the employee finds the file containing the passwords of most of his coworkers. No one notes his online activity. He is also able to review the list of suppliers the bank has used over the past five years. After locating several vendors on the list that have not worked for the bank for some time, he changes the addresses for half of these companies to several different post office boxes in a neighboring state. He then creates fictitious invoices and payments to these companies using other employees' log-in passwords. The invoices are paid, and checks are mailed to the post office boxes. Neither the bank nor the companies listed on the invoices are aware of the fraud.

The case is fictitious, but the type of electronic crime it illustrates is very real. It represents but one of the many faces of cybercrime, which is changing the risk profile of the financial services industry.

Bank security got its start in the days when gangs of robbers would hold up the town bank and then flee on horseback. While physical robberies might not be so different today, the potential loss they can cause is insignificant compared to what can be done by an intruder who hacks into a computer system and moves "e-money" across four continents at lightning speed. Clearly, this new stealth bandit must be fended off with a targeted set of defensive strategies.

Whichever department takes the lead in this fight, techno-security should be a top priority. Security, information technology, human resources, risk management, and maintenance all play a role in protecting company assets. The following overview looks at the emerging nature of the electronic threats to financial institutions and how banks can counter the risks.

THREATS

Misuse of technology by hackers as well as employees has presented a threat to financial institutions from the earliest days of computers. In his 1989 book The Cuckoo's Egg, Cliff Stoll, formerly an astrophysicist/systems manager at the Lawrence Berkeley Laboratory in California, describes how, in tracking down a 75-cent irregularity in an accounting program, he ended up fighting an international group of spies who were cracking computer systems across the United States. (The group exploited the program's system of rounding dollars to deposit small amounts from numerous accounts into a private account, which over time added up to big money in the account set up to receive the rounded cents.)

This case represents the beginning of this type of financial crime. Since then, banks have increased their exposure because they are more connected both internally in company offices and externally through online banking services and vendors. At the same time, the technology and expertise of computer criminals have advanced considerably. Today's hackers can quickly distribute software designed for criminal purposes, with each user adapting the program to his or her needs. Both insiders and outsiders run such programs to accomplish their objectives--or they may simply take advantage of lax security. The types of problems that result include unauthorized use, data manipulation, Web hacking, spoofing, distributed denial of service (DDoS) attacks, viruses, and cyberextortion.

UNAUTHORIZED USE. Most cybercrimes begin with the unauthorized use of a computer. In some cases, the perpetrator (for example, a bank employee) has the right to operate the computer or access the network, but does so for unauthorized purposes. Unauthorized use is not always malicious. Nonetheless, it should never be permitted because it creates the opportunity for a crime to occur. The detection of unauthorized use should be seen as the front line of defense, just as motion sensors on a perimeter of a physical building might be.

DATA MANIPULATION. Modification of information and data is of concern to any enterprise, but it is especially dangerous to a financial institution, where the changes are most likely to concern the movement of money, such as by alterations in loan amounts, credit lines, or account balances. For instance, an employee could simply delete all records of a friend's loan from the system. Or, as in the case mentioned at the beginning of this article, an employee could use outdated records to create false invoices.

WEB HACKING. The Web sites of numerous financial institutions have been hacked. In some cases, content has been altered to provide false information or slander the reputation of the company. In other cases, confidential customer information, such as account balances, has been stolen through redirections of data entry to other sites.

A prime avenue for this type of practice is Web spoofing: In such a scenario, rather than hack into a legitimate bank site to steal customer data, a hacker will create look-alike Web sites that trick customers by "spoofing" the address of the legitimate page. When the bank's customers are unknowingly directed to the false site, they may provide confidential account and personal information, which the hacker can then exploit or sell for a profit.

DDoS ATTACKS. Another threat to banks comes in the form of distributed denial of service attacks, which occur when a hacker hijacks other computers to electronically flood an institution's computer with e-mail or other system tasks, shutting down the system. A customer's or employee's inability to access a Web page or do their online banking due to a denial of service attack may be disastrous for a financial institution.

VIRUSES. Viruses are another concern for financial institutions. The threat comes not so much from the direct data destruction a virus may cause--as formerly was the case--but rather from the type of "payload" the virus may deliver. Through these hidden payloads, viruses can place stealth programs in a network that allow hackers to access a bank's entire computer system, retrieve any password used on the system, locate personal information, find all dialup information concerning Internet service providers (ISPs) or company access information, or access any connected device.

CYBER-EXTORTION. When hackers use any of the above methods to gain access to a bank's critical systems, they can obtain confidential financial information and then use, sell, or disclose that information. But knowing how important it is to a bank to protect its information and reputation, some hackers are instead offering to sell the information back to the institution itself--in effect, creating the new crime of cyber-extortion.

Alternatively, a hacker may plant a "bomb" in the bank's system, which the hacker then offers to defuse for a fee. One institution that recently experienced this type of threat received a note stating that the hacker had entered its computer system and placed a "cyber-bomb" that would destroy its vital customer data at a predetermined time unless money was paid to the hacker. Because this mid-size institution had no internal staff to counter threats to its computer systems, it decided the safest course was to pay the ransom. It is impossible to know how many unreported incidents of this nature have occurred.

SAFEGUARDS

New risks require new responses. Large organizations have taken up the challenge, creating teams to help protect systems and ensure the ongoing integrity and security of electronic records. Mid-size and smaller institutions need to learn from their larger peers and find ways to fit the strategies to their own budgets. If not, they will become the soft targets of the next wave of cybercriminals.

What should they do? Here's a look at some of the elements of a protection program, including the human factor, technology tools, and information handling procedures that need to be addressed.

HUMAN FACTOR. To minimize the risk from insiders, banks must adhere to proven business practices, such as thorough preemployment screening. Once staff is brought on board, these new hires and contract workers should receive security-awareness training that clearly explains what is and is not permitted with regard to computer use. Employees should also be trained to follow company procedures designed to ensure password protection and data confidentiality.

An increasing number of institutions test employees after training on their knowledge of the policies and procedures that they will be following, before giving the employees access to the system. This approach is highly recommended.

In general, employees should not be given carte blanche to enter the entire network. They should be told that they have the right to access only the specified information on the bank's network necessary for their day-to-day jobs. For example, the programmer who wrote the bank's accounting program should not have regular access to the system. (If the program must be tested, the programmer can generate sample data, rather than using actual account information and financial figures.)

When employees resign or are terminated, their computer access privileges should be terminated immediately and any building key or access card should be retrieved or deactivated. A security guard should watch them clean out their desks and then escort them out of the building. Although this may seem harsh, allowing them to stay for the typical two weeks gives them time to sabotage data or copy information that can be sold to a competitor.

Security staff, receptionists, helpdesk personnel, and others responsible for physical as well as computer access should be kept up to date on personnel changes. These people become used to seeing the same faces every day, and if not alerted to terminations, they might inadvertently let a former employee into an unauthorized area in a building or onto a computer.

Outsourcing. Another personnel-related concern is the use of contract staff. Financial institutions are increasingly using contract personnel for various services. These workers have access to the company's internal network and therefore represent a potential vulnerability if not properly managed. The same security principles must be applied to these workers.

For example, institutions should require that contractors properly screen any employees who will work at the bank; these contract employees should go through the same series of background checks that the bank's own employees do.

Institutions should also write into the service or supply contract a provision holding the contractor liable if one of its employees causes damage to data or networks or the bank's reputation. The service contract should spell out both the bank's and the contractor's responsibilities for protecting the bank's information assets.

Similarly, technicians who must enter the premises to work on equipment could pose a risk. These workers should be escorted and should be supervised at all times while on company property.

The contract personnel who pose the greatest security risk to the company are those providing computer security because they must have high-level access to the network by the nature of their work, and they know enough about the security protections to subvert them. Institutions must carefully assess the firms they hire as well as the backgrounds of the individuals who will handle the job.

As with accounting systems, there should be some system of checks and balances to protect against hacker attacks from the very experts creating the hacker defenses. For instance, banks could use a dual control system similar to the one they use in money handling, teaming up a contractor with an internal employee. They would work together, but the company employee would be responsible for reviewing and remaining aware of what the contractor was doing.

TECHNOLOGIES. A number of products are available to protect a bank's cyberspace. For instance, a bank should employ, at a minimum, firewall, intrusion detection, and virus protection software. But no perfect suite of security programs exists, and no institution can simply install a few programs and consider the job done.

The institution must have someone--whether a proprietary employee or outside contractor--actively administering and monitoring the network to ensure that operating or application software is properly installed and that all security patches are added as they are issued by manufacturers. (Most hackers exploit known vulnerabilities that companies could have easily closed off.)

This person--usually the system administrator--must also maintain proper audit trails and review daily logs. The information in system logs offers early warning signs of a potential attack, as well as the evidence needed to reconstruct an event in an investigation.

Traffic-monitoring software should be used to detect any activity that is out of the ordinary. With some software programs, an institution can set up profiles of standard traffic as well as exception traffic, so that system administrators will be notified of suspicious activity. Without these safeguards, early indicators of a hacker attack or attempted penetration may be missed.

In addition, profiling software of the type originally designed to guard against credit card fraud can be used to detect suspicious computer activity. The program reviews the accounts of individuals using the bank's online or home banking services to check for irregularities.
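As an added example covering both the traffic profiles and the account-irregularity review described above (constructed code and sample log lines, not any product's logic): a standard-traffic profile is learned per account from a baseline window, and an evaluation window is then checked against it and against two exception rules, off-hours activity and a burst of failed logins from one address. The log format, thresholds and account names are assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format: ISO timestamp, source IP, account, action, result
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<action>\S+) (?P<result>OK|FAIL)$")


def parse(lines):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def build_profile(baseline_lines):
    """Standard-traffic profile per account: mean/stdev of hourly event counts
    and the hours of the day in which the account is normally active."""
    hourly = defaultdict(Counter)   # user -> Counter[(date, hour)]
    hours = defaultdict(set)        # user -> hours of day seen in the baseline
    for ev in parse(baseline_lines):
        hourly[ev["user"]][(ev["ts"].date(), ev["ts"].hour)] += 1
        hours[ev["user"]].add(ev["ts"].hour)
    profile = {}
    for user, buckets in hourly.items():
        counts = list(buckets.values())
        profile[user] = {"mean": statistics.mean(counts),
                         "sd": statistics.pstdev(counts),
                         "hours": hours[user]}
    return profile


def detect(profile, lines, z=3.0, burst=5):
    """Compare a window of traffic with the profile; return (rule, account, detail) alerts."""
    alerts = []
    hourly = defaultdict(Counter)
    fails = Counter()               # (user, source) -> failed logins
    off_hours = set()               # (user, date, hour, source) outside the normal hours
    for ev in parse(lines):
        user, hour = ev["user"], ev["ts"].hour
        hourly[user][(ev["ts"].date(), hour)] += 1
        if ev["result"] == "FAIL":
            fails[(user, ev["src"])] += 1
        if user in profile and hour not in profile[user]["hours"]:
            off_hours.add((user, ev["ts"].date(), hour, ev["src"]))
    for user, day, hour, src in sorted(off_hours):
        alerts.append(("off-hours", user, f"{day} {hour:02d}:00 from {src}"))
    for user, buckets in hourly.items():
        if user not in profile:
            alerts.append(("no-profile", user, "account never seen in baseline"))
            continue
        # Floor the spread at one event so a perfectly regular baseline still has a margin.
        limit = profile[user]["mean"] + z * max(profile[user]["sd"], 1.0)
        for (day, hour), n in buckets.items():
            if n > limit:
                alerts.append(("volume", user, f"{n} events in hour {hour:02d}, limit {limit:.1f}"))
    for (user, src), n in fails.items():
        if n >= burst:
            alerts.append(("failed-login-burst", user, f"{n} failures from {src}"))
    return alerts


def demo():
    """Constructed data: five baseline days of 09:00-16:59 activity at ten reads an hour,
    then a window with a 02:00 session from an outside address plus one ordinary hour."""
    baseline = [f"2001-01-{day:02d}T{hour:02d}:{minute:02d}:00 10.0.0.5 teller01 read_account OK"
                for day in range(8, 13) for hour in range(9, 17)
                for minute in range(0, 60, 6)]
    window = [f"2001-01-15T02:{m:02d}:00 203.0.113.9 teller01 login FAIL" for m in range(0, 5)]
    window += [f"2001-01-15T02:{m:02d}:00 203.0.113.9 teller01 read_account OK"
               for m in range(5, 45)]
    window += [f"2001-01-15T10:{m:02d}:00 10.0.0.5 teller01 read_account OK"
               for m in range(0, 60, 6)]
    profile = build_profile(baseline)
    return profile, detect(profile, window)
```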

Tricking intruders. Some banks have taken creative approaches to protect their networks against intruders. For example, one financial institution created a bogus database. With this program, as individuals enter the computer network for online banking, the system checks for indicators that the user may not actually have an account, such as someone who does not type the correct password within a certain number of attempts. If these indications are present, the user is diverted to a false database.

The bogus database looks and works just like the authentic one, but it also traces an intruder's identity and location. Trace information can then be followed up by the bank's security department or given to the local FBI office for follow-up.
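The diversion the two paragraphs describe, as an added example rather than the institution's own program: a login gateway counts failed attempts per (username, source address), and once the threshold is crossed it routes that pair to a decoy that answers with constructed data and records identity and location for the security department. Usernames, passwords, addresses and balances are all constructed; an operational version would also need a path back for a genuine customer who mistyped a password, which the article does not discuss.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 3   # wrong passwords before the session is quietly diverted


@dataclass(frozen=True)
class TraceRecord:
    """What the bogus database captures about every query it receives."""
    username: str
    source_ip: str
    failures: int
    action: str


class RealDatabase:
    def __init__(self, accounts: dict):
        self.accounts = accounts

    def query(self, username: str, action: str) -> dict:
        return dict(self.accounts.get(username, {}))


class DecoyDatabase:
    """Looks and behaves like the real one, but holds only constructed data
    and writes a trace record for every touch."""

    def __init__(self):
        self.trace: list = []
        self._fake = {"checking": "4,217.55", "savings": "12,980.00"}  # constructed

    def query(self, username: str, source_ip: str, failures: int, action: str) -> dict:
        self.trace.append(TraceRecord(username, source_ip, failures, action))
        return dict(self._fake)


class LoginGateway:
    def __init__(self, credentials: dict, real_db: RealDatabase, decoy: DecoyDatabase):
        self.credentials = credentials          # username -> password (constructed)
        self.real_db, self.decoy = real_db, decoy
        self.failures = defaultdict(int)        # (username, source_ip) -> failed attempts
        self.diverted = set()                   # pairs now living in the decoy

    def authenticate(self, username: str, password: str, source_ip: str) -> str:
        key = (username, source_ip)
        if key in self.diverted:
            return "decoy"       # every later attempt "succeeds" into the decoy
        stored = self.credentials.get(username, "")
        if stored and hmac.compare_digest(stored, password):
            self.failures.pop(key, None)
            return "real"
        self.failures[key] += 1   # unknown accounts are counted too
        if self.failures[key] >= MAX_FAILURES:
            self.diverted.add(key)
            return "decoy"
        return "denied"

    def view_balances(self, username: str, password: str, source_ip: str):
        outcome = self.authenticate(username, password, source_ip)
        if outcome == "real":
            return outcome, self.real_db.query(username, "view_balances")
        if outcome == "decoy":
            failures = self.failures[(username, source_ip)]
            return outcome, self.decoy.query(username, source_ip, failures, "view_balances")
        return outcome, {}


def demo():
    """Constructed scenario: one password-guessing session and one legitimate customer."""
    real = RealDatabase({"alice": {"checking": "1,050.00"}})
    decoy = DecoyDatabase()
    gw = LoginGateway({"alice": "correct-horse"}, real, decoy)
    guesses = [gw.view_balances("alice", pw, "203.0.113.9")
               for pw in ("password", "alice123", "letmein", "qwerty")]
    legit = gw.view_balances("alice", "correct-horse", "198.51.100.7")
    return [outcome for outcome, _ in guesses], guesses[-1][1], legit, decoy.trace
```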

Password protection. Reusable, or static, passwords offer weak security. To address that problem, banks are turning to dynamic passwords, which are created by a user token and verified using an algorithm synchronized with a central computer server. The user's token generates a password that can only be used in a one-minute span. If this password were stolen by someone looking over a coworker's shoulder or monitoring the system electronically, the network would not be at risk, because the password's usefulness would expire before it could be used by the thief.
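As an added illustration, not code from the article or from any token vendor, here is the synchronized-algorithm scheme reduced to its core: token and server share a secret and a clock, the code is an HMAC over the current one-minute step in the style of RFC 6238 (TOTP), and the server additionally refuses to accept an already-used step, so a code read over someone's shoulder cannot be replayed even inside its minute. The secret, timestamps and the one-step clock drift allowance are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the one-minute validity span the article describes
DIGITS = 6


def token_code(secret: bytes, now: float, step: int = STEP_SECONDS,
               digits: int = DIGITS) -> str:
    """Code shown on the user's token for the time step containing `now`.

    HMAC-SHA1 over the big-endian step counter, truncated as RFC 6238 does.
    """
    counter = int(now // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of the scheme for one user's token (constructed class)."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps   # tolerate clocks one step apart
        self.last_counter = -1           # highest step already used to log in

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP_SECONDS)
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue   # step already consumed: a replayed code is rejected
            expected = token_code(self.secret, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


def shoulder_surf_scenario(secret: bytes = b"constructed-shared-secret",
                           t0: float = 1_000_000_020.0):
    """A coworker reads the code off the screen at t0; what can they do with it?"""
    verifier = TokenVerifier(secret)
    code = token_code(secret, t0)
    owner_ok = verifier.verify(code, t0 + 20)      # legitimate login, same minute
    replay = verifier.verify(code, t0 + 30)        # same code again, same minute
    thief = TokenVerifier(secret).verify(code, t0 + 180)   # three minutes later
    return owner_ok, replay, thief


if __name__ == "__main__":
    print(shoulder_surf_scenario())   # (True, False, False)
```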

This technology, which is available from a number of suppliers, is expensive, costing an institution anywhere from $40,000 to $500,000 and up, depending on complexity and amount of installation required. But, considering the level of protection it provides, the cost can be justified. The liability of not using this sort of safeguard is even more dramatic because it is fast becoming an industry standard for financial institutions. Most large banks are using it already, though for smaller banks the problem of cost is compounded by the fact that they may not have someone on the staff who is technologically knowledgeable enough to manage the system.

Encryption. Data encryption is another essential weapon in security's arsenal. Encryption programs allow systems to communicate securely by converting information into a form that cannot be easily deciphered if intercepted by an unauthorized user.

Banks are now using encryption programs for in-house protection as well as for online banking services. Not only financial information but also account information should be encrypted while being stored and in transit.

INFORMATION HANDLING. Financial institutions are now implementing systems for classifying information similar to those the military uses. After properly classifying information, a bank can assign different levels of security requirements depending on the sensitivity or threat level assigned to that category of information.

Several methods are being used. One approach requires that a computer system housing a certain classification of information meet specified security criteria. Another method protects specific information by compartmentalizing it within the computer network and establishing security requirements regarding how the information is stored and accessed.

The information segment may be a file or group of files with embedded security parameters, so that if someone attempts to move it, the security parameters will automatically determine whether the files can reside on the other system or be moved using the requested type of transmission. For example, a set of files with a high level of security would require a computer system with a high security profile, which might include dynamic encryption and passwords, intrusion detection, and a firewall. The package will not allow itself to reside on a system with less security. Currently, however, this type of software is only available as a custom designed program and is quite expensive.
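An added example, not the custom program the passage refers to, of how embedded security parameters can decide whether a set of files may travel to and reside on another system: each package carries its classification, the controls the hosting system must have and the transmissions it may use, and a move is refused with reasons when the destination profile falls short. The classification levels, control names, policy table and host profiles are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class SecurityParameters:
    """Parameters embedded with a file or group of files (constructed schema)."""
    classification: Classification
    required_controls: frozenset   # controls the hosting system must provide
    allowed_transports: frozenset  # transmission types the package may use


@dataclass(frozen=True)
class HostProfile:
    name: str
    accredited_to: Classification  # highest classification the system may hold
    controls: frozenset


@dataclass
class Decision:
    allowed: bool
    reasons: list


# Minimum parameters per classification level (constructed policy table).
POLICY = {
    Classification.PUBLIC: (frozenset(), frozenset({"https", "sftp", "smtp", "ftp"})),
    Classification.INTERNAL: (frozenset({"firewall"}), frozenset({"https", "sftp", "smtp"})),
    Classification.CONFIDENTIAL: (frozenset({"firewall", "ids", "encrypted_storage"}),
                                  frozenset({"https", "sftp"})),
    Classification.RESTRICTED: (frozenset({"firewall", "ids", "encrypted_storage",
                                           "dynamic_passwords"}),
                                frozenset({"sftp"})),
}


def label(classification: Classification) -> SecurityParameters:
    """Embed the policy minimums for a level into a package's parameters."""
    controls, transports = POLICY[classification]
    return SecurityParameters(classification, controls, transports)


def evaluate_move(params: SecurityParameters, dest: HostProfile, transport: str) -> Decision:
    """May the package travel over `transport` and reside on `dest`?"""
    reasons = []
    if dest.accredited_to < params.classification:
        reasons.append(f"{dest.name} is accredited to {dest.accredited_to.name}, "
                       f"package is {params.classification.name}")
    missing = params.required_controls - dest.controls
    if missing:
        reasons.append(f"{dest.name} lacks required controls: {sorted(missing)}")
    if transport not in params.allowed_transports:
        reasons.append(f"transport {transport!r} not permitted "
                       f"(allowed: {sorted(params.allowed_transports)})")
    return Decision(allowed=not reasons, reasons=reasons)


def demo():
    """Constructed hosts: a branch kiosk and the core system that holds customer data."""
    ledger = label(Classification.RESTRICTED)
    kiosk = HostProfile("branch-kiosk", Classification.INTERNAL, frozenset({"firewall"}))
    core = HostProfile("core-ledger", Classification.RESTRICTED,
                       frozenset({"firewall", "ids", "encrypted_storage", "dynamic_passwords"}))
    return (evaluate_move(ledger, kiosk, "sftp"),
            evaluate_move(ledger, core, "sftp"),
            evaluate_move(ledger, core, "ftp"))
```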

THE FUTURE. Banks must continue to develop new methods for fighting cybercrime as the threat evolves. For instance, cooperation between Internet service providers (ISPs) and financial institutions needs to increase. Also, e-commerce products created by financial institutions are not typically thoroughly tested for security hazards within the institution's computer environment, a situation that will change as financial losses, as well as blows to banks' reputations, encourage them to strengthen security systems worldwide.

In addition, institutions are beginning to combine their mechanisms for detecting intrusions of their IT systems with their electronic physical alarm systems; for instance, the same group monitoring alarms for a building will also be monitoring intrusions into the institution's cyberspace. If an intrusion is found, they alert the IT staff or respond with a prescribed safeguard, such as starting a software program that would limit the intrusion but help identify the intruder. More personnel may be needed, but combining the security functions would save money in the long run.

In addition, cross-border regulations for financial institutions are now varied--what may be against the law in the United States may be perfectly legal in Russia, for instance--but national governments and the international law enforcement community are developing treaties related to cybercrimes, including procedures for obtaining search warrants to assist in the identification and prosecution of cybercriminals. Eventually, these efforts will result in the United States and other technologically advanced countries creating cooperative cyber-task forces that may help banks reduce their losses worldwide.

Over the past 10 years, the public and private sectors have advanced cooperative efforts to deal with technological security risks. One example is the High Technology Crime Investigation Association (HTCIA), which was created to help law enforcement develop a better understanding of the technical security issues they now face, and to allow private industry experts to share their technical expertise with other members.

More recently, the National Infrastructure Protection Center (NIPC), a program of the FBI, has begun to conduct outreach and information sharing with the public- and private-sector owners and operators of critical infrastructures. NIPC's mission is to serve as the U.S. government's focal point for threat assessment, warning, investigation, and response to threats or attacks against the nation's critical infrastructures, including telecommunications, energy, banking and financial, water, government, and emergency services systems. The program provides a forum for collaborative information sharing about computer intrusion incidents and vulnerabilities as well as a conduit for the NIPC to disseminate information to the private sector.

As more security professionals, as well as those who provide services to a particular segment of the critical infrastructure, realize the value in collaboration and information sharing with colleagues, HTCIA, NIPC, and other groups will continue to grow, and professionals will benefit not only from the direct information discussed but also from the networking that occurs among these organizations.

On the new frontier of banking security, it is imperative that security professionals understand the risks that technology, and those who would misuse it, pose to a financial institution. To do otherwise would be akin to the banks of yesteryear leaving their vaults wide open for masked bandits.

Jeffrey Spivey, CPP, is the president of Security Risk Management Inc. in Charlotte, North Carolina. He is a member of ASIS and currently serves as regional vice president at large, coordinating with the regional vice presidents and the standing committees.
COPYRIGHT 2001 American Society for Industrial Security

Article Details
Author:SPIVEY, JEFFREY
Publication:Security Management
Date:Jan 1, 2001
Words:3258