Critical Data Protection Strategies for Financial Institutions

Presentation Transcript


    1. Critical Data Protection Strategies for Financial Institutions
    Moderator: Shelley Leonard, Director, Business Architecture, Fidelity National Information Services
    Panelists: John Simon, VP, Client Services Technology Initiatives, Land America Financial Group; Doug Woods, EVP, Technology, EverBank

    2. Protecting your Customers from Identity Theft
    Presented by: Shelley Leonard, Director, Business Architecture, Fidelity National Information Services

    5. The Challenge
    Protecting customer and company data that we: Acquire, Consume, Publish
    Pertinent Legislation: U.S. FCRA; CA Senate Bill (SB) 1386; Identity Theft Penalty Enhancement Act; CA Assembly Bill (AB) 1950; FFIEC Guidance on risk management controls and authentication of customers accessing Web-based financial services
    Protecting customer data is much less expensive than dealing with a security breach in which records are exposed and potentially misused.
    U.S. FCRA – Provisions added to combat identity theft, including giving consumers annual free copies of their credit reports, barring merchants from printing complete credit card numbers on receipts and placing an automatic "fraud alert" on at-risk credit files.
    CA Senate Bill (SB) 1386 – Requires businesses to immediately notify CA residents of a breach or suspected compromise of the residents' unencrypted personal information.
    Identity Theft Penalty Enhancement Act – Adds two years to prison sentences for criminals convicted of using stolen credit card numbers and other personal data to commit crimes.
    CA Assembly Bill (AB) 1950 – Requires any business that holds information about CA residents to maintain "reasonable security procedures and practices appropriate to the nature of the information" to protect this information from unauthorized use or disclosure.
    FFIEC – Updated its guidance on risk management controls and authentication of customers accessing Web-based financial services. The guidance supports a risk-based approach to managing transactions and recommends banks implement authentication technologies that match the risk of their applications.

    6. Multifaceted, Multichannel Crimes
    Just as thieves use multiple online and offline methods to steal information, they also use multiple channels to access consumer bank and credit card accounts to rob the money. According to Gartner clients, fraudsters are increasingly combining online and offline techniques and channels to accomplish their goals. For example, they may "phish" for online bank account user IDs and passwords, log on to a consumer's online bank account, look at the check images, and record the check numbering scheme and signature, then use these in check forgery schemes. Or they may steal ATM card and PIN numbers through keyboard logging spyware planted on a consumer's PC, then use the numbers to counterfeit ATM cards that are used to illegally withdraw money from consumer bank accounts.
    A key problem is that there are many "doors" to consumer bank and credit accounts, and many online and offline methods for stealing data to gain access to them. The consumer's financial institutions are not directly responsible for keeping all these doors properly locked. Therefore, the responsibility for theft prevention is diffused among many service providers, including Internet service providers, e-mail providers, banks, card companies, merchants, billers, payment processors, auction sites and other companies. In the electronic information and shopping age, bank and card account numbers are stored in many places. Measures for securing one site, such as an online banking site, will do nothing to secure a bank account number stored by a utility company and used to automatically pay a consumer's monthly electric bill.

    7. Escalation of Online Fraud Will Lead to a Solution Revolution
    9.4 million online U.S. adults were victimized by identity theft in the year ending April 2004
    Losses amounted to $11.7 billion
    Online theft is escalating
    The solution revolution: ISPs and others will provide automated desktop protection tools; holistic back-end fraud-detection systems will roll out to U.S. FIs
    By YE07, up to 75 percent of U.S. banks and up to 70 percent worldwide will use authentication methods stronger than passwords and less expensive than hardware tokens (0.7 probability).
    According to a Gartner survey of 5,000 online U.S. adults in April 2004, more than $11.7 billion was lost to fraud among online U.S. adults from May 2003 to April 2004. (Approximately 70 percent of U.S. adults are online.) Although information stolen over the Internet leads to the most-prevalent types of fraud, the crimes are perpetrated using multiple online and offline methods and channels, which makes them more difficult to prevent and catch. An estimated 9.4 million online adults were victimized by financial fraud in the past year. (Yearly estimates refer to the 12-month period ending April 2004.) Usually, the criminals get away. According to the consumers surveyed by Gartner, the category with the most arrests was check forgery, probably because the police are experienced at pursuing stolen-check paper trails.
    These phenomena will lead to a solution revolution. By year-end 2007, up to 75 percent of U.S. banks and up to 70 percent worldwide will use authentication methods stronger than passwords and less expensive than hardware tokens (0.7 probability). By year-end 2007, up to 7 percent of banks in the U.S. and 50 percent to 70 percent worldwide will have forced their customers to authenticate using hardware tokens (0.7 probability). Multichannel, multi-account, back-end fraud detection systems will roll out to 30 percent of U.S. financial institutions by the end of 2007 (0.7 probability).

    9. Areas of Focus

    10. Option 1 – Do Nothing
    Assumes status quo is “good enough” protection for your customers and the probability of data being compromised is low
    Data in Flight is left in the clear and media being transported is entrusted to the carriers
    At best, Data at Rest is monitored and reported if accessed improperly
    What is at Stake for Lenders and Service Providers? Reputation; Media Exposure; Cost of Remediation; Shareholder Value; Compliance Penalties; Board of Directors, Officers and Managers Liability; Customer Retention; Customer Satisfaction; Revenue; Market Share

    11. Option 2 – Risk Based Solutions
    Secure+ is a Sterling product used to encrypt NDM transmissions
    Secure FTP can either be SFTP (over SSH) or FTPS
    PGP – Pretty Good Privacy (PGP) is a computer program which provides cryptographic privacy and authentication. File level encryption requiring the exchange of keys by sender and receiver.
    SecureZip – PKWare product for compressing and encrypting files on mainframe or PCs
    Laptop encryption products all support full disk encryption including swap file and boot sectors

    12. Option 3 – Encrypt All Data

    13. Industry perspective on information security shifting…

    14. A Multipronged Approach Is Needed
    Back-end fraud detection systems make sense when the volume is too high to check transactions manually, or when actual or potential fraud losses are higher than the costs of a detection system. There are several packaged solutions for online retail transactions, but most large merchants find that their homegrown systems are more effective as stand-alone solutions or when used in conjunction with purchased solutions. For new-account applications at financial services companies or other creditors, such as wireless service providers, scoring systems that detect patterns of suspicious behavior across industries are most effective. For credit card and checking account transactions, banks and card issuers have a range of rule-based and scoring solutions to choose from, but systems that protect checking accounts are less effective than those that protect card transactions, partly because there are not as many data elements on check transactions to work with automatically. There is a need for more-effective fraud detection that looks at customer accounts and behavior holistically — that is, across channels, industries and accounts.
    Strong authentication makes sense where a strong feeling of community exists and is desirable for commerce, or where regulatory environments demand authentication beyond passwords. Defining how transactions occur is the first decision point for choosing the appropriate strong authentication approach. For online transactions, the availability of input devices at all locations where commerce will be conducted is the key decision point. The last decision point is a straightforward return on investment analysis.
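The slide calls for rule-based and scoring detection that looks at a customer holistically, across channels and accounts. The following is an added example, not from the presentation or from Gartner: a small scorer that keeps one per-customer timeline for online, ATM and cheque activity, applies weighted rules (unknown device, unusual amount, foreign country, velocity, and the cross-channel rule that a cheque presented soon after online access from an unknown device is the account-takeover-then-forgery pattern described in slide 6), and maps the score to allow/review/block. Rule weights, thresholds, field names and the sample transactions are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Txn:
    customer: str
    channel: str          # "online", "atm", "check" or "card"
    amount: float
    when: datetime
    device: str = ""      # browser fingerprint for online, terminal id for ATM
    country: str = "US"


@dataclass
class Profile:
    known_devices: Set[str]
    avg_amount: float
    home_country: str = "US"
    history: List[Txn] = field(default_factory=list)  # every channel feeds one timeline


# Assumed weights and thresholds; a production system tunes these against labelled fraud data.
REVIEW_AT, BLOCK_AT = 30, 60


def within(txn: Txn, other: Txn, span: timedelta) -> bool:
    """True when `other` happened no more than `span` before `txn`."""
    return timedelta(0) <= txn.when - other.when <= span


def score_txn(txn: Txn, profile: Profile) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    if txn.channel == "online" and txn.device not in profile.known_devices:
        score += 30
        reasons.append("online access from unknown device")
    if txn.amount > 3 * profile.avg_amount:
        score += 25
        reasons.append("amount exceeds 3x customer average")
    if txn.country != profile.home_country:
        score += 20
        reasons.append("transaction outside home country")
    if sum(within(txn, t, timedelta(minutes=10)) for t in profile.history) >= 3:
        score += 20
        reasons.append("velocity: 3+ transactions in 10 minutes")
    # Cross-channel rule: a cheque presented within 48h of online access from an
    # unknown device is the takeover-then-forgery chain the deck describes.
    if txn.channel == "check" and any(
        t.channel == "online" and t.device not in profile.known_devices
        and within(txn, t, timedelta(hours=48))
        for t in profile.history
    ):
        score += 35
        reasons.append("cheque within 48h of online access from unknown device")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= REVIEW_AT:
        return "review"
    return "allow"


def process(txns: List[Txn], profiles: Dict[str, Profile]) -> List[Dict]:
    """Score transactions in time order, recording each one in the customer's history."""
    results = []
    for txn in sorted(txns, key=lambda t: t.when):
        profile = profiles[txn.customer]
        score, reasons = score_txn(txn, profile)
        results.append({"customer": txn.customer, "channel": txn.channel,
                        "amount": txn.amount, "score": score,
                        "decision": decide(score), "reasons": reasons})
        profile.history.append(txn)
    return results


def demo() -> List[Dict]:
    """Constructed sample: one customer seen across three channels in one week."""
    t0 = datetime(2006, 3, 1, 9, 0)
    profiles = {"cust-1": Profile(known_devices={"dev-home"}, avg_amount=120.0)}
    txns = [
        Txn("cust-1", "online", 0.0, t0, device="dev-home"),                        # own device
        Txn("cust-1", "online", 0.0, t0 + timedelta(hours=1), device="dev-unknown"),  # new device
        Txn("cust-1", "check", 450.0, t0 + timedelta(hours=20)),                     # cheque follows
        Txn("cust-1", "atm", 100.0, t0 + timedelta(days=5), device="atm-17", country="RO"),
    ]
    return process(txns, profiles)


if __name__ == "__main__":
    for row in demo():
        print(row["channel"], row["score"], row["decision"], row["reasons"])
```

The point of keeping one history per customer rather than one per channel is the third transaction: judged on its own, a $450 cheque only trips the amount rule and would be reviewed; seen after the unknown-device login it is blocked.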

    15. Working to Secure the Future
    MBA, MISMO and SISAC
    John D. Simon, Vice President, Client Services Technology Initiatives; Chair, MISMO Information Security Workgroup

    16. Disclaimers & Credits
    Disclaimers: The information in this presentation is educational in nature. General information about legal developments is included, but it is not legal advice. Consult an attorney for any specific legal questions.
    Credits: To Nancee Gorenstein, Mike Fleck, Dick Taylor and the other ISWG members that contributed so much time and effort to the year-long effort to develop the ISWG White Paper, Identifying and Safeguarding Personal Information: Recommended Guidelines and Practices.
    To Yuriy Dzambasow and his employer, A&N Associates, Inc., who contributed to MISMO their methodology for developing a comprehensive and complete information assurance solution.
    To Robert Schlecht, the MBA staff liaison to the ISWG, who has provided essential insight, support and guidance.

    17. Historical Perspective
    MBA Board of Directors Technology Steering Committee – www.MBAA.org
    October, 2005: Protecting Personal Information: The Good, the Bad, the Ugly – http://www.MortgageBankers.org/documents/NewsLink/Misc/102705security.pdf
    MISMO: Information Security Work Group – www.MISMO.org (MBA wholly-owned, nonprofit subsidiary)
    February, 2006: Identifying and Safeguarding Personal Information: Recommended Guidelines and Practices – http://www.MISMO.org/files/mismo/InformationSecurityWhitepaper.pdf
    SISAC (Secure Identity Services Accreditation Corporation) – www.SISAC.org (MBA wholly-owned, nonprofit subsidiary); establishing a mortgage industry PKI “federation”
    December, 2003: KPMG, first accredited auditor for identity management compliance
    January, 2004: VeriSign, first accredited issuer of digital credentials

    18. State Privacy Breach Notification Legislation

    19. Federal Privacy Breach Notification Legislation
    H.R. 3997 – Financial Data Protection Act of 2005
    Key Provisions:
    Preempts state legislation.
    Standardizes data protection standards.
    Requires policies and procedures to protect personal information.
    Requires immediate investigation of any reasonable potential breach.
    If consumers may be harmed or inconvenienced by breach, law enforcement, regulator(s), and other businesses in transaction chain must be notified.
    If financial fraud against consumers may result from breach, consumers must be notified via mail and must be offered free credit monitoring.
    Consumers who have been a victim of identity theft may freeze their credit reports.
    FTC to maintain a public list of breaches that resulted in consumer notification within last twelve months.
    FTC to provide voluntarily supplied information on race and ethnicity of victims of data theft and account fraud.
    Credit monitoring activities are exempted from the Credit Repair Organization Act.

    20. Federal Privacy Breach Notification Legislation (continued)
    H.R. 3997 – Financial Data Protection Act of 2005
    Current Status:
    Approved by House Financial Services Committee on March 16, 2006.
    Strongly opposed by consumer groups and privacy advocates:
    Would preempt stronger state laws already in place.
    Would give companies too much discretion in disclosing breaches.
    Would not regulate activities of data aggregators such as ChoicePoint.
    Would prevent consumers from freezing their credit reports prior to identity theft (consumers would first have to be victims of identity theft).
    Next Steps:
    Full House must vote.
    Companion Senate bill required.

    21. Implementing a Phased-in Security Program

    22. MISMO Five Step Model in Practice

    23. Best-In-Class Approaches to Data Security
    Adhere to Authoritative Guidelines and Practices:
    ANSI (American National Standards Institute)
    BITS (fka Banking Industry Technology Secretariat)
    CIO Executive Council
    COPP (California Office of Privacy Protection)
    IEC (International Electrotechnical Commission)
    IETF (Internet Engineering Task Force)
    ISACA (Information Systems Audit and Control Association)
    ISO (International Standards Organization)
    NIST (National Institute of Science and Technology)
    SEI (Software Engineering Institute)
    SISAC (Secure Identity Services Accreditation Corporation)

    24. Best-In-Class Approaches to Data Security
    Incident Response Plan
    Recommendations are based on: California Office of Privacy Protection (COPP); NIST SP 800-61
    At a minimum, incident response plans should include:
    Monitoring and notification
    Impact assessment of the security incident
    Internal notification procedures
    External notification procedures
    Follow-up assessment to keep the security incident from recurring
    Updates to incident response plans

    25. Best-In-Class Approaches to Data Security
    Incident Response Plan (continued)
    Should also identify specific individuals responsible for plan execution and management
    Central Incident Response Team (one team): Handles incidents throughout an organization. Effective for small organizations and for large organizations with centralized IT.
    Distributed Incident Response Teams (multiple teams): Each handles incidents for a particular logical or physical segment of the organization. Effective for large organizations or organizations with major distributed computing resources. Teams should be part of a centralized entity so that response is consistent across the organization.
    Coordinating Team: Provides guidance and advice to distributed teams without authority over them. Improves consistency and information sharing among teams.

    26. Mortgage Industry PKI Federation
    Business Drivers
    Sarbanes–Oxley (SOX): Strengthen corporate financial governance; restore investor confidence. Applies to public companies; adhered to by an increasing number of private companies.
    Gramm-Leach-Bliley Act (GLBA): Protect privacy rights of customers; ensure security of non-public personal information. Applies to the Financial Services industry and many of its service providers.
    State Privacy Breach Notification Legislation (Enacted and Pending): Define non-public personal information (PI); stipulate conditions for notifications. Applies to most public, private and governmental organizations.
    Federal Privacy Breach Notification Legislation (Pending): Preempts state legislation. Applies to most public, private and governmental organizations.

    27. A Look Toward the Future
    Labeling of Personal Information in MISMO Logical Data Dictionary
    Security and Privacy sections in MISMO Implementation Guides
    Standard security practices for Web Services and AS2
    Periodic updates to ISWG White Paper and State Legislation Matrix
    Drive to establish mortgage industry PKI federation via SISAC

    28. EverBank Security Presentation
    Doug Woods, March 31, 2006

    29. Mission Safeguard Customer Information and promote secure and reliable operations of information systems

    30. Objectives
    Ensure the security and confidentiality of customer information
    Protect against any anticipated threats or hazards to the security and integrity of the information and systems
    Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer or system

    31. What Are We Protecting? EverBank’s Customers & Business Partners

    34. Security Considerations – Third-Parties
    Vulnerabilities: Security program; Financial condition; BR/DR plan
    Controls: Third-party reviews

    35. Security Considerations – Physical
    Vulnerabilities: Facility access; High security area access; Visitors; “Clean desk”; Power
    Controls: Access controls; Visitor pass & registration; Security guards; Locked files, offices, desks; Cameras; Generators

    36. Security Considerations – Users
    Vulnerabilities: Accidents; Dishonesty
    Controls: Interviews; Background checks; Authentication; Termination management; Forensic software

    37. Security Considerations – Network
    Vulnerabilities: Viruses; Denial of service; Packet sniffing; Email spoofing
    Controls: OSI 7-Layer controls; Intrusion detection; Penetration testing

    38. Security Considerations – Applications
    Vulnerabilities: Application vulnerabilities; Unauthorized access; Weak design; Poor coding; Backdoor
    Controls: Patch management; Authentication; Testing; Code reviews

    39. Security Considerations – Operating Systems
    Vulnerabilities: OS vulnerabilities
    Controls: Patch management; Antivirus software; Identification and authorization

    40. Security Considerations – Data
    Vulnerabilities: Personally Identifiable Information, static and in-transit
    Controls: Education and training; Encryption of databases, backups and laptops

    41. OSI 7-Layer Framework
    Open System Interconnection: Established in 1983, OSI is a "reference model" that explains how two points in a telecommunication network transmit messages. OSI defines seven layers of functionality that take place at each end of a communication. Control is passed from one layer to the next, starting at the Application Layer in one system; proceeding to the bottom layer of that system; passing over a channel to the next system; and moving back up the hierarchy.

    43. http://www.pdaconsulting.com/csaudit.htm
    Application Layer: where user authentication and privacy are considered, and where communication partners, quality of service and constraints on data syntax are identified.

    44. http://www.pdaconsulting.com/csaudit.htm

    45. http://www.pdaconsulting.com/csaudit.htm
    Session Layer: sets up, coordinates and terminates conversations, exchanges and dialogs between the applications at each end. It deals with session and connection coordination.

    46. http://www.pdaconsulting.com/csaudit.htm
    Transport Layer: manages end-to-end control (determining, for example, whether all packets have arrived) and performs error checking. It ensures complete data transfer. This layer provides process-to-process communication, and may add other end-to-end services like reliability.

    47. http://www.pdaconsulting.com/csaudit.htm
    Network Layer: handles the routing or forwarding of the data. Layer 3 provides host-to-host communication and defines the basic unit of transfer or packet, network level addressing and possibly routing.

    48. http://www.pdaconsulting.com/csaudit.htm
    Data Link Layer: ensures that everything physically sent was physically received. It provides error control and synchronization for the physical layer, and is responsible for grouping bits into frames and moving them from one node to another. The data link layer may define hardware addresses.

    49. http://www.pdaconsulting.com/csaudit.htm
    Physical Layer: is responsible for moving raw bits from one node to another, transporting the bit stream through the network at the electrical and mechanical level. At this layer are such devices as repeaters and hubs. Cabling media and topology present key considerations for review.
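Slides 41 through 49 describe the layers abstractly. The following is an added example, not part of the presentation or of the pdaconsulting.com material it cites: it constructs a sample Ethernet II / IPv4 / TCP frame and then peels it apart layer by layer, showing what "control passed from one layer to the next" means in bytes: hardware addresses and an EtherType at the data link layer, host addresses, TTL and a header checksum at the network layer, ports and flags at the transport layer, and the remaining bytes as application data (on a TCP/IP stack the session and presentation layers have no separate header). Verifying the IPv4 header checksum is the layer-3 "error control" the slides mention; the addresses, ports and payload are constructed values from the documentation ranges.

```python
import struct
from typing import Any, Dict

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum. Run over a header whose checksum field is valid, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame (assumption): Ethernet II / IPv4 / TCP carrying `payload`."""
    # TCP: src port 51234, dst port 443, seq 1, ack 0, data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4: version 4 / IHL 5, total length, id, DF flag, TTL 64, protocol 6 (TCP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    # Ethernet II: dst MAC, src MAC (documentation range), EtherType 0x0800 = IPv4
    eth = bytes.fromhex("00005e005301") + bytes.fromhex("00005e005302") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Decode one frame into the OSI layers that have a header on the wire."""
    layers: Dict[str, Any] = {}
    # Layer 2, data link: hardware addresses and the type of the encapsulated payload
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["data_link"] = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
                           "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers
    # Layer 3, network: host-to-host addressing, TTL, protocol, header error check
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["network"] = {
        "version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "header_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }
    if proto != 6:
        return layers
    # Layer 4, transport: process-to-process ports, sequencing, control flags
    seg = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, window, _tcsum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off_res >> 4) * 4
    layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                           "window": window, "flags": [n for bit, n in TCP_FLAGS if flags & bit]}
    # Layers 5-7: whatever the transport segment carries is handed to the application
    data = seg[data_off:]
    layers["application"] = {"bytes": len(data), "preview": data[:16].decode("ascii", "replace")}
    return layers


if __name__ == "__main__":
    for layer, fields in decode_frame(build_frame(b"GET / HTTP/1.1\r\n")).items():
        print(layer, fields)
```

A frame whose network-layer header has been corrupted in transit is reported with `header_checksum_ok` false rather than silently passed upward, which is the behaviour the slides attribute to the lower layers' error control.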

    51. Policies and Procedures
    Security Program Policy
    Security Policy
    Third-Party Regulation Policy
    Computer Attack Response Procedure
    Termination Access Control Procedures (both physical and system)

    52. Secure Email
    Mail gateway / content encryption
    Lexicon – key word search with actions
    Email encryption
    Mail encryption
    Client delivery: Web-based; Software client-based
    Multi-domain encryption delivery
    VMWare
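The "lexicon" bullet describes a gateway rule set that searches outbound mail for key words and maps hits to actions. The following is an added example, not EverBank's or any vendor's code: a content-inspection step that scans subject and body for lexicon phrases and for card-number and SSN-shaped tokens, validates card-number candidates with the Luhn check so that order and account numbers of the same length do not trigger encryption, escalates to the strongest action any rule demands (deliver, encrypt, quarantine), and masks validated card numbers before anything is logged. The lexicon, the action names, the regular expressions and the sample messages are assumptions.

```python
import re
from typing import Dict, List

# Assumed lexicon: phrase -> gateway action. Real deployments tune this per line of business.
LEXICON = {
    "confidential": "encrypt",
    "loan application": "encrypt",
    "wire instructions": "quarantine",
}
SEVERITY = {"deliver": 0, "encrypt": 1, "quarantine": 2}

# 13-19 digits, optionally separated by single spaces or hyphens: card-number candidates only
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN shape, excluding area 000/666/9xx, group 00 and serial 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; every issued card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Digit runs of card-number length that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Mask validated card numbers so gateway logs and quarantine notices never carry the full number."""
    def mask(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return f"[PAN ****{digits[-4:]}]" if luhn_ok(digits) else m.group()
    return PAN_RE.sub(mask, text)


def escalate(current: str, proposed: str) -> str:
    return proposed if SEVERITY[proposed] > SEVERITY[current] else current


def inspect(subject: str, body: str) -> Dict:
    """Apply lexicon and identifier rules to one outbound message and pick the gateway action."""
    text = f"{subject}\n{body}"
    action, findings = "deliver", []
    for phrase, act in LEXICON.items():
        if phrase in text.lower():
            findings.append(f"lexicon:{phrase}")
            action = escalate(action, act)
    pans = find_pans(text)
    if pans:
        findings.append(f"pan:{len(pans)}")
        action = escalate(action, "encrypt")
    ssns = SSN_RE.findall(text)
    if ssns:
        findings.append(f"ssn:{len(ssns)}")
        action = escalate(action, "encrypt")
    return {"action": action, "findings": findings, "log_preview": redact(text)[:80]}


if __name__ == "__main__":
    # Constructed sample messages
    print(inspect("Loan application attached", "Card on file: 4111 1111 1111 1111, SSN 123-45-6789"))
    print(inspect("Order confirmation", "Order 4111111111111112 shipped"))
    print(inspect("Updated wire instructions", "Confidential: see attached"))
```

The second sample is the false-positive case: sixteen digits that fail the Luhn check are treated as an ordinary reference number and the message is delivered unchanged, while the third sample shows two lexicon hits resolving to the more severe action.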

    53. Encryption
    Backup (tape) encryption issues: Performance; Key recovery
    Laptop encryption: Lost or stolen computer equipment
    Database encryption: Inline encryption – on the wire; Field, table, and schema
    Encryption is a “must have” to prevent data theft from lost or stolen media

    54. Forensic Software
    A forensic system acts as a security camera and motion detector system for our network. It is continuously capturing and storing information in a database warehouse for future reports and analysis.
    Advantages of Forensics: Playback of security incident; Evidence in a court of law; Strong deterrent for individuals inside the company to commit fraud
