Wst digital issue_2012_04

  • April 2012. Business Innovation Powered By Technology
    UNDER SIEGE: Wall Street firms are under the constant threat of cyber attacks. But in today’s age of mobility, locking away data to keep it safe from hackers no longer is an option. p.10
    PLUS:
    Breaking Down the Threat Landscape p.4
    Damage Control: 9 Steps to Containing The Fallout From a Breach p.5
    10 Best Practices for Stopping The Insider Threat p.7
    Pocket Protectors: How to Secure Mobile Devices p.12
    Security Vendors’ Dirty Little Secret p.15
    Balancing Security and Access Is the Key to Protecting Data p.18
    Table of Contents p.2
  • Contents, April 2012
    COVER STORY
    10 Threat Assessment: As cyber attacks grow increasingly sophisticated and the consumerization of IT introduces new enterprise vulnerabilities, Wall Street organizations must reassess their threat readiness and strengthen their defenses, starting with real-time monitoring.
    PLUS:
    12 The Mobile Dilemma: Mobile devices have boosted productivity — and risk.
    UPFRONT
    4 By the Numbers: A review of Verizon Business’s data breach cases reveals a growing global threat.
    5 Breach Containment: A breach can happen to any company. Here are nine ways to limit the damage.
    7 The Insider Attack: The CERT Insider Threat Center and the U.S. Secret Service offer 10 tips to stop insider attacks.
    INDUSTRY VOICE
    15 Data On the Move: As data proliferates outside the enterprise, encryption is the best way to secure it, argues Voltage Security’s Mark Bower.
    PERSPECTIVES
    18 Delicate Balance: The key to protecting data is balancing security and access, according to Alex Tabb, Tabb Group.
    3 EDIT MEMO
    April 2012 2
  • From the Editor: Mobile: Data Security’s New Frontier
    Greg MacSweeney, Editorial Director, @gmacsweeney
    Data security certainly isn’t a new concern for financial services firms. Security always ranks near the top of priorities for CIOs, CTOs, CSOs and CROs. The data security landscape, however, is changing at a faster pace, and the stakes are higher, than ever before.
    Since the beginning of 2011, there have been more than 598,000 personal financial records exposed to potential fraud in 58 separate incidents involving financial services companies, according to the Privacy Rights Clearinghouse. While the total number of incidents and exposed records is down substantially from the 12.3 million records that were exposed by 604 breaches in 2010, the complexity of the attacks and the amount of money that has been lost is staggering.
    For instance, in one attack against Fidelity National Information Services, a global provider of banking and payments technologies, millions of dollars literally went missing overnight. A group of criminals obtained 22 legitimate ATM cards and then duplicated and altered them so an unlimited amount of cash could be withdrawn with each. The cards were promptly shipped overseas, and a total of $13 million was withdrawn over just 24 hours.
    This one incident highlights how damaging a data breach can be. In addition to the direct monetary loss, other costs — such as customer churn, reputation damage and regulatory fines — add to the costs.
    Other incidents, while not leading to direct monetary losses, can be just as damaging. Nasdaq’s Director Desk, a cloud-based system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors, was hacked last year; the criminals may have had access to insider information, which they could have sold or used to make profitable stock trades.
    While the types of data breaches are numerous, there is some good news: The average cost of data breaches has dropped by 24 percent, according to a study from the Ponemon Institute. This could partially be attributed to better security and an improved ability for firms to respond quickly to a breach. But, while the cost of a single breach might be on the decline, the rate of malicious attacks from malware, insider threats and phishing attacks increased by 31 percent, says the study.
    Couple the growing complexity of attacks with users’ demands for greater access to data, and technology executives have their hands full. Not only do firms have to protect data from traditional hacks and insider threats, they also have to protect data that is going outside of their own firewalls. Internal users, including traders, portfolio managers and business executives, as well as external customers increasingly are demanding mobile access to proprietary data on tablets and smartphones.
    The demand for greater access to data will not slow any time soon — users increasingly will expect to be able to trade, transfer funds and do almost anything else they can do on a PC from their mobile device. Firms that can’t offer mobile functionality because of security limitations will be at a serious disadvantage to competitors that can.
    April 2012 3
  • Upfront: Outside Threats Dominated 2011 Breaches
    A preview of Verizon Business’s data breach cases shows that malware and hacking are the top breach methods, and threats from outside the U.S. are growing.
    By Kelly Jackson Higgins, Dark Reading
    More than 85 percent of the data breach incident response cases investigated by Verizon Business, the telecom provider’s enterprise solutions group, in 2011 originated from a hack, and more than 90 percent came from the outside rather than via a malicious insider or business partner. Verizon published at the end of February a snapshot of data from its upcoming 2012 Data Breach Investigations Report, using data from its own caseload of approximately 90 cases from among 855 breach cases last year.
    “This is the first year that we worked more cases outside the U.S. than inside,” says Wade Baker, director of research and intelligence at Verizon Enterprise Solutions. “That ratio has been building, and it makes the case that this is not a U.S.-specific problem. All regions are having data breaches.”
    Near the top of the list of compromised industries again was financial services, which trailed only the retail sector and was followed by the hospitality industry. A big factor in this year’s breach cases was the rise in hacktivist-based attacks, Baker reports. Outside attacks jumped from 88 percent of breaches in 2010 to 92 percent in 2011, and breaches due to internal threats continued to decline, from just more than 10 percent in 2010 to less than 5 percent in 2011, according to Verizon’s data. “We can expect this trend to continue,” Baker says.
    As for breach methods, hacking and malware, which both showed increases, were the top threats, while social engineering, misuse, physical threats, errors and environmental factors all dropped. The most commonly used venue for breaches was exploiting default or easily guessed passwords, which represented 29 percent of the cases, followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). “There were a lot of authentication-type attacks,” Baker says.
    As for the targets, 90 percent of the breaches Verizon investigated went after servers. Nearly 50 percent targeted user devices such as desktops, laptops and POS terminals as a point of entry. “The user device serves as a foothold into the environment,” Baker explains.
    Perhaps most alarming, most organizations found out that they’d been hit from an external source, usually law enforcement, according to Baker. And for nearly 60 percent of the cases, it took months before the organization learned that it had been hacked.
    Callout: 92% of attacks in 2011 originated outside the enterprise.
    This article originally appeared on, a UBM TechWeb
    April 2012 4
  • Upfront: 9 Ways to Contain the Fallout From a Data Breach
    Companies can take an array of approaches to owning up to data breaches, ranging from secrecy at all costs to total transparency. What’s the best way to mitigate the fallout?
    By Mathew J. Schwartz, InformationWeek
    Data breaches are a fact of business life. But beyond keeping a data breach response plan at the ready, how can IT departments best prevent and mitigate data breaches? Start here:
    1. Put a good information security program in place. According to a recent study from the Identity Theft Resource Center, the greatest number of 2011 data breaches were triggered by hackers, and in the first month of 2012, new breaches appear to be following suit.
    2. Enforce strong passwords. In January, shadowy hacktivist group TeaMp0isoN uploaded to Pastebin a list of about 80 T-Mobile employees’ usernames, passwords, email addresses and phone numbers. Interestingly, many of the T-Mobile passwords, if they were actual passwords, were simply “112112” or “pass.” In its Pastebin post, TeaMp0isoN — which reportedly worked with Anonymous on the recent credit card wealth-redistribution scheme known as Operation Robin Hood — called out the apparent password non-variety. “Look at the passwords, epic fail. All the passwords are manually given to staff via an admin who uses the same set of passwords.”
    3. Hide breaches at your peril. Symantec in January confirmed that Norton source code leaked earlier in the month by hackers was genuine. But Symantec downplayed the incident, saying the code, from two of its older products, had been stolen from a third party. In other words: It was old code, there’s nothing to see, everyone move along. Except that just two weeks later, Symantec came clean and admitted that the code to its flagship Norton product had been stolen back in 2006, Reuters reported. That raises the possibility that anyone in possession of the source code back then may have found ways to use Symantec’s security software to compromise users’ machines.
    4. Gauge breach-notification speed carefully. After discovering a breach, businesses must balance the need to gather as much information as possible with issuing a timely and clear notification. “Transparency is key to maintaining relationships with customers and regulators,” Ted Kobus, national co-leader of the privacy, security and social media team at law firm Baker Hostetler, said in a blog post. “Be certain you understand the scope of the breach before making an announcement.”
    5. Expect data to be breached. Plan for
    April 2012 5
  • Upfront
    worst-case scenario: all data stored by your business gets exposed. So what should happen next, and how can that scenario be best prevented? “There is no silver bullet for security, so you need to plan for the eventuality of a data breach, and it’s going to be critical how you respond to it afterwards — and not just with legal indemnifications and credit monitoring,” says Lawrence Pingree, research director at Gartner. “Most companies are offering credit monitoring after these data breaches, but most of these only last a year or two — and who’s to say the data will be gone in a year or two?”
    6. Encrypt all sensitive data. Data breach notification laws exempt businesses from having to issue notifications if the exposed data was encrypted. Accordingly, whenever possible, encrypt all data in transit, as well as at rest. “Encryption is not only a safe harbor, it is expected by customers and regulators,” said Baker Hostetler’s Kobus.
    7. Expire your own data. If stolen data has no expiration date, then it’s up to businesses to delete their own data. Both Honda Canada and Sony were caught last year after hackers stole outdated customer information that each company had failed to delete. The breach at Honda appeared to put the company in violation of Canadian privacy law, which requires companies to delete any personal information that’s no longer required. Arguably, however, all businesses should follow that practice.
    8. Beware social engineering. When it comes to low-cost, high-impact strategies for stealing sensitive data, attackers have become well-versed in the art of the social engineering attack. “Social engineering tools are being used creatively to gain access to personal information,” said Kobus. Accordingly, keep training all employees who handle sensitive information in the art of detecting and resisting scam phone calls and emails.
    9. Demand data discovery services. Breached data has a habit of ending up everywhere, from black market carding sites to peer-to-peer networks. While the data could theoretically be expunged, first it must be found. Accordingly, expect related, commoditized services to follow soon. “The strategy moving forward ... is to have services that will go after that data and provide insight into where the data is located,” says Gartner’s Pingree. “Even Google could get into this sort of technology. They have the search capability; they just need to start looking at data and indexing data with the ability to compare host data and web data, and include P2P networks in their indexing.” While such services aren’t yet available, with data breaches showing no signs of abating, expect to see such services emerge soon.
    Sidebar: Fallout Containment
    1. Put a good information security program in place.
    2. Enforce strong passwords.
    3. Hide breaches at your peril.
    4. Gauge breach-notification speed carefully.
    5. Expect data to be breached.
    6. Encrypt all sensitive data.
    7. Expire your own data.
    8. Beware social engineering.
    9. Demand data discovery services.
    This article originally appeared on Information-, a UBM TechWeb
    April 2012 6
  • Upfront: The 10 Best Ways to Stop Insider Attacks
    The threat of insider attacks is real. The CERT Insider Threat Center and the U.S. Secret Service offer tips on the smartest ways to detect, block and investigate insiders with malicious motives.
    By Mathew J. Schwartz, InformationWeek
    What’s the best way to spot and block insider attacks? Start by putting an insider attack prevention program in place, according to Dawn Cappelli, technical manager at Carnegie Mellon University’s CERT Insider Threat Center, who spoke in February at the RSA conference in San Francisco. Cappelli is co-author, with Andrew Moore and Randall Trzeciak, of the recently released “The Cert Guide to Insider Threats.”
    Working with the U.S. Secret Service, Cappelli and company have reviewed hundreds of hacking cases to deduce how businesses can better block a greater number of malicious insiders. Here are their top 10 recommendations for spotting and stopping insider attacks before they get out of hand:
    1. Protect crown jewels first. To put an effective insider-threat program in place, first ask: What’s the single most important piece of information in your company? “We’ve worked with a number of organizations, and they tell us everything is important,” said Cappelli. “So we say, what’s the one thing that if someone took it to a competitor, or out of the United States, would be worth millions — or billions — of dollars?” Then secure it, preferably not just with encryption, but also by restricting access, as well as logging and monitoring who touches that data.
    2. Learn from past attacks. Don’t let insider attacks — successful or otherwise — go to waste. “If you experience an attack, you’re not alone, but learn from it,” said Cappelli. She cited a case of a financial firm that happened to catch an employee trying to steal its trading algorithms. Seeing a weak point, the security team put new controls in place to explicitly watch for similar types of attacks. Thanks to the improved security, the firm later caught another employee who was trying to copy the algorithms to his personal email account and an external hard drive.
    3. Mitigate trusted business partner threats. Who has access to your business’s sensitive information? Although that list will include employees, other “insiders” will be trusted business partners, who might enjoy equal levels of access with less accountability — and opt to take sensitive information with them when they switch to a new employer. “The good news is, if they take it to a competitor in the U.S., there’s a good chance that they may report them to law enforcement
    April 2012 7
  • Upfront
    they’ll get it back,” Cappelli said, since most will want nothing to do with trade secrets. The bad news is that one-third of all intellectual property theft cases result in the information being taken outside of the United States, at which point recovering the data becomes unlikely, if not impossible.
    4. Make suspect behavior cause for concern. Watch for human-behavior warning signs. Indeed, in reviewing numerous cases of insider theft, Cappelli said, concerning behaviors were the fourth most likely sign that there was an inside-theft issue. “We usually call these people as being ‘on the HR radar,’” she said. Accordingly, watch for warning signs, and have a response plan in place for when such signs are spotted.
    5. Train employees to resist recruiters. “Many employees who commit fraud are recruited from outside,” said Cappelli, and insiders often say they’re not committing a crime, but rather just giving data to someone else, who then commits a crime. Alter such thinking by creating clear, related security policies and broadcasting the fact that all data access is audited. Cappelli offered this sample boilerplate: “We log everything that everyone does here, and the evidence is going to point to you.”
    6. Beware resignations, terminations. Most insider attacks occur within a narrow window. “The good news about [insider] crime, theft of intellectual property, is that most people who steal it do [so] within 30 days of resignation,” said Cappelli. (The exception is fraud, which — as long as the attacker is making money — can continue indefinitely.) In other words, malicious insiders are most likely to strike 30 days before or after they leave. Accordingly, keep a close eye on departing or departed employees, and what they viewed. “If someone resigns who had access to your crown jewels, you need to go back and proactively investigate that,” Cappelli advised.
    7. Apply current technology. How can businesses take their current technology and use it to spot suspected insider theft? “A lot of people spend a lot of money on tools, on technologies, and most of those tools are focused on keeping people outside of your network,” said Cappelli. “What we’ve found is that you can use those same tools, but differently,” to watch for information that may be exiting your network. Centralized logging tools can be used to spot signs of data exfiltration — for example, if a “departing insider” has sent an email in the past 30 days to someone outside the corporate domain that exceeds a specified file size.
    8. Beware employee privacy issues. When creating an insider-theft-prevention program, always work with your company’s general counsel, because privacy laws vary by state and country. “There are a number of issues regarding employee privacy — I know they can
    Sidebar: Stopping the Threat Within
    1. Protect crown jewels first.
    2. Learn from past attacks.
    3. Mitigate trusted business partner threats.
    4. Make suspect behavior cause for concern.
    5. Train employees to resist recruiters.
    6. Beware resignations, terminations.
    7. Apply current technology.
    8. Beware employee privacy issues.
    9. Marshal forces.
    10. Get started.
    April 2012 8
  • Upfront
    overcome, but it has to be done very carefully,” said Cappelli.
    9. Marshal forces. As with many aspects of security — including data breaches — businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combating cases of suspected insider threats, include “HR, management, upper management, security, legal, software engineering — you need to involve all of those organizations — and of course IT and information security,” Cappelli asserted.
    10. Get started. Perhaps the most important insider-threat tip is simply to get a program in place as soon as possible. Creating such a program takes time, according to Cappelli. Perhaps the best place to start, she said, is to get buy-in from senior managers. One business with which she recently worked gathered all 23 of its c-level managers in a room for two days, during which time they created an insider-threat program from the ground up.
    One of the biggest insider-theft-prevention lessons to learn, Cappelli noted, is that technology alone often won’t block such attacks. A corollary to that, meanwhile, is that by combining proper policies and procedures with awareness and having an insider-theft reaction plan already in place, businesses can more quickly combat suspected attacks. Because whether it’s a question of preventing IP from leaving the building or spotting fraudulent activity, “Our goal is to stop an insider as soon as possible,” Cappelli said.
    This article originally appeared on, a UBM TechWeb property.
    April 2012 9
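
The log check described under tip 7 (a departing insider, an outside recipient, an attachment over a size limit), combined with the 30-days-before-or-after window from tip 6, can be written as a short query over mail-gateway records. This is an added example, not code from the article or from CERT; the log format, the HR departure feed, the domain `example-bank.test` and the 5 MiB threshold are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Assumptions (not from the article): corporate domain, size limit, window.
CORPORATE_DOMAINS = {"example-bank.test"}
SIZE_THRESHOLD_BYTES = 5 * 1024 * 1024      # "a specified file size"
WINDOW = timedelta(days=30)                 # 30 days before or after leaving

# Constructed HR feed: user id -> last working day.
DEPARTURES = {"jdoe": date(2012, 3, 30), "mlee": date(2012, 3, 25)}

# Constructed mail-gateway export; multiple recipients are ';'-separated.
MAIL_LOG = """\
timestamp,sender,recipient,bytes
2012-03-12T18:04:11,jdoe@example-bank.test,jdoe.home@mail.test,18874368
2012-03-13T09:15:00,jdoe@example-bank.test,desk@example-bank.test,20971520
2012-03-14T10:00:00,asmith@example-bank.test,partner@vendor.test,31457280
2012-01-05T11:30:00,jdoe@example-bank.test,jdoe.home@mail.test,9437184
2012-03-20T16:45:00,JDoe@Example-Bank.test,ops@eu.example-bank.test;archive@files.test,7340032
2012-03-21T08:00:00,jdoe@example-bank.test,friend@mail.test,2048
2012-04-10T07:10:00,mlee@example-bank.test,me@personal.test,6291456
2012-03-22T10:00:00,jdoe@example-bank.test,x@mail.test,notanumber
"""


def is_external(address, corporate_domains=CORPORATE_DOMAINS):
    """True when the address is outside every corporate domain.

    Subdomains of a corporate domain count as internal, so mail to
    ops@eu.example-bank.test is not reported as leaving the company.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(
        domain == d or domain.endswith("." + d) for d in corporate_domains
    )


def find_exfil_candidates(log_text, departures,
                          threshold=SIZE_THRESHOLD_BYTES, window=WINDOW):
    """Return (hits, skipped_rows) for mail matching the tip-7 pattern.

    A hit needs all three conditions: the sender is on the departure
    list, the message was sent within `window` of the departure date,
    and a message larger than `threshold` went to an outside address.
    """
    hits, skipped = [], 0
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            sent = datetime.fromisoformat(row["timestamp"]).date()
            size = int(row["bytes"])
            user = row["sender"].split("@", 1)[0].lower()
        except (KeyError, ValueError, TypeError, AttributeError):
            skipped += 1        # malformed row: count it, do not guess
            continue
        leave = departures.get(user)
        if leave is None or abs(sent - leave) > window:
            continue
        external = [r.strip() for r in row["recipient"].split(";")
                    if r.strip() and is_external(r)]
        if external and size > threshold:
            hits.append({"user": user, "sent": sent, "bytes": size,
                         "external_recipients": external,
                         "days_from_departure": (sent - leave).days})
    return hits, skipped


if __name__ == "__main__":
    found, bad_rows = find_exfil_candidates(MAIL_LOG, DEPARTURES)
    for hit in found:
        print(hit)
    print("rows skipped as malformed:", bad_rows)
```

A hit is a lead for the proactive review tip 6 calls for, not proof of theft, and skipped rows are counted so that gaps in the log are visible to whoever reads the result.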
  • Cover Story
    The growing sophistication of cyber attacks and the proliferation of vulnerabilities resulting from the rise of mobile computing are forcing financial institutions to rethink data security and embrace new fraud-fighting techniques and technologies, including real-time monitoring.
    Data security has long been a priority for financial services firms. But a wave of very public cyber attacks by international hacker groups such as Anonymous, combined with an already distrustful public following the financial crisis, has forced financial services firms to step up their network security to prevent data breaches and regain clients’ trust.
    While victims of some of the more notable attacks and data breaches of 2011 were large consumer companies and government agencies — including Sony, PBS, the U.S. Senate, and even the CIA and FBI — security experts say financial services firms, traditionally a popular target of fraudsters, are increasingly a target of criminal hackers.
    Citibank, for example, discovered a data breach on May 10, 2011, from a hack attack, the consumer fraud website reported. Two weeks later, Citigroup officials concluded that the data the thieves had captured included the names, account numbers and email addresses of about 360,000 customers.
    “The reality is that the people who are looking to commit fraud are targeting anybody who has Internet access to applications to allow money to be moved,” comments Ben Knief, vice president at Nice Actimize, a provider of financial crime, risk and compliance solutions. Outside of the retail banking area, hackers could target asset managers, wealth managers, even investors who have access to online assets, relates Knief.
    April 2012 10
  • Cover Story
    And, security professionals say, cyber attacks have become relentless — and more sophisticated than ever. According to reports, hackers can even purchase crime-ware kits on the Internet based on the number of machines they want to infect for as little as $400 to $700.
    While five years ago financial services firms mainly saw hackers using “relatively simplistic methods to target customer accounts, attack patterns have shifted,” says Lou Steinberg, CTO at TD Ameritrade. In addition, many hackers, such as Anonymous, now have social agendas, he notes.
    Hackers, according to Jason Milletary, technical director for malware analysis on the Dell SecureWorks’ Counter Threat Unit (CTU) research team, a provider of security information services to financial firms, use a variety of techniques to distribute malware — malicious code on computer systems designed to steal personal information and passwords or to take control of the machine for distributing spam without the owner’s knowledge. They may leverage social engineering (by making an email appear to come from a friend or colleague to entice the user to open the document, for example) to try to get users to reveal passwords. Hackers also look to exploit weaknesses in applications to steal clients’ credentials.
    “We see an evolution of the malware so they can elude detection,” says Milletary. The top malware threat experienced by the 900 financial customers that use Dell SecureWorks’ intrusion prevention system, he reports, is Black Hole, a type of crime-ware developed in Russia to hack computers via malicious scripts planted on compromised websites.
    “Now we see much more sophisticated organized rings that profile us and the other financial services institutions. They try to understand where we might have weaknesses,” TD Ameritrade’s Steinberg says. “Hackers are playing offense, and we are playing defense.”
    Keeping Up With the Mobile Threat
    As a result, financial services IT departments are shoring up their defenses, using security technology more proactively than ever before to protect their clients’ assets and corporate secrets. But preventing cybercrime has become more challenging for banks and Wall Street firms as they increasingly offer new products via mobile devices, including Apple’s iPad.
    “The attack surface has gotten broader and more complex,” explains Steinberg, who points out that hackers now can penetrate the perimeter via the web, mobile devices and even voice-over-IP telephony networks. “As banks and online brokers offer bill payment and more new products via mobile devices, that opens up new opportunities for a fraudster to take advantage of,” he says.
    To protect customer data, historically, IT security departments looked at putting barriers around data, differentiating between what was inside the company versus what should be kept outside. “If data was on laptops and portable devices, it had to be encrypted,” says Chet Wisniewski, senior security adviser for security software firm Sophos. “And if it was inside [the firewall], they didn’t need to encrypt it because it was in a vault.”
    With the explosion of the mobile channel, however, that is an artificial approach that no longer works, Wisniewski contends. “As soon as we start carrying out these phones and tablets,
    April 2012 11
  • Cover Story
    there is no inside and outside,” he says, noting that employees may be sitting in an airport or a Starbucks while accessing data. Complicating matters further, Wisniewski adds, companies are looking at moving data into the cloud as a cost savings measure, so data is freely moving beyond the enterprise. (For more on mobile device security, see related sidebar, this page.)
    Since the boundaries between what’s inside the company and what’s outside the company are blurred, financial services firms are shifting their approach, according to Wisniewski. Now they seek to determine which data is sensitive and to ensure that it’s protected. “Regardless of whether the data is on a PC desktop inside your building or on an iPhone, the approach is, you classify the data as to its importance and make sure it’s protected, and that gives you the ability to make it portable,” says Wisniewski.
    Not all data is the same, adds TD Ameritrade’s Steinberg. With so much data, and so many ways to attack it, TD Ameritrade classifies data based on its sensitivity, he says. “Knowing my favorite flavor of ice cream is not the same as knowing my Social Security number, and so different levels of
    Sidebar:
    With millions of consumers carrying iPhones and Androids in their pockets, smartphones already are targets of cyber attackers. But now employees of Wall Street firms are getting emails and viewing spreadsheets on the go, so corporate data is moving onto the smart devices as well. “It’s a very challenging problem,” says Chet Wisniewski, senior security adviser at Sophos. Productivity has gone up by virtue of employees working on their smartphones and iPads into the evening and on the weekend, he adds, so IT departments need to find ways to enable a mobile workforce rather than simply say, “No.”
    Mobile devices are a path into the enterprise, adds Michael Callahan, VP of enterprise security products at HP, which offers a real-time application monitoring solution. “If you have a mobile device and the bank’s app is on there, if the app has a vulnerability, the attacker exploits the app,” he warns. “Once they have control over the device, they now can gain access to your accounts.”
    As a result, banks must monitor the applications on the mobile device as well as on the corporate server. “The piece that’s sitting on the mobile app is making requests back to an application server at the bank that is processing your requests,” Callahan explains. “You have to make sure that those applications are safe and secure.”
    Another way to protect corporate data on mobile devices is to educate employees to make sure that the built-in security protection mechanisms are not removed from these devices. On Apple devices, IT departments need to instruct employees to avoid “jailbreaking,” which removes the security measures built into the devices. “They are there to prevent you from loading apps without going to the approved App Store,” explains Wisniewski, who notes that for Android devices the process is called “rooting.” “Removing that security mechanism allows you to load things on your phone away from what [the
    (continued on next page)
    April 2012 12
  • coverstory get assigned to different levels of information,” illustrates Steinberg. “If you try to protect everything, you protect nothing. What we’d rather do is classify our information and assign our best controls — our best protective measure — against the most important, most sensitive data.”

    The Real-Time Monitoring Imperative

    But even after classifying sensitive data, protecting it requires more than firewalls and encryption, argues Lance James, director of intelligence at Vigilant, which provides managed security monitoring services. According to James, firms need what he calls a “holistic approach” to security, which means employing multiple technologies — not just firewalls, but monitoring. “You want to optimize and monitor because threats change,” says James, who works on the company’s collective threat intelligence (CTI) product. “We are focusing on what the emerging threats are and building rules and content to monitor all devices on their network,” he explains.

    “It’s definitely a big thing now to have visibility into your network,” adds James, acknowledging that “there is no silver bullet” for preventing breaches. While firewalls were the big thing in the 1990s, “Threat intelligence is the biggest thing now,” he continues. Offered as software as a service, Vigilant’s CTI is used to create rules to help firms identify threats. The CTI feed, James explains, integrates with a company’s security event manager (SEM) — also known as a security information and event manager (SIEM) — a tool that centralizes the storage and interpretation of all logs and events from software running on the network. While Vigilant offers its own centralized log management console through which all devices are monitored, it also works with other SEMs, including Hewlett-Packard’s top-selling ArcSight SEM, according to James.

    Other vendors recommend real-time monitoring of patterns to detect cyber attacks. TD Ameritrade’s Steinberg says behavioral solutions, such as device fingerprinting and profiling how clients do business with the firm, have begun to mature. “We can look for patterns that are not typical,” he explains. “If a client started wiring money to Kuala Lumpur, and they never sent money before through the wires, that would be unusual, and we would want to do additional authentication

    Sidebar: The Mobile Dilemma (continued)

    manufacturers] have approved,” he says. But, “It does weaken the security.”

    Recently, financial services firms have begun sending their customers text messages with a secondary authentication code when they wire funds, says Jason Milletary, technical director for malware analysis on the Dell SecureWorks’ Counter Threat Unit (CTU) research team. But hackers can place malware on phones to try to access that code, he acknowledges.

    Some of the answers to preventing mobile cyber attacks can be found in the mobile devices themselves, argues Ben Knief, VP at Nice Actimize. For example, mobile devices can be used as location sensors and many have cameras, “so you can use it as a facial sensor or as a biometric sensor,” says Knief. The latest Android phone actually unlocks your phone based on facial biometrics, he notes. “If you hand the phone to someone else, it stays locked.” —I.S.
  • coverstory how they connect to us, what time of day and from where.”

    While Steinberg says TD Ameritrade has done quite a bit of work internally to develop fraud-fighting technology — where, he says, the company tends to be “a bit ahead of the curve” — he notes that TD Ameritrade also works with large network carriers and technology providers to improve real-time monitoring.

    Equally as important, the firm works closely with peers in the financial industry to share data about the threat landscape, Steinberg adds. “We probably trade data about real-time attacks about a dozen times a day,” he says, noting that there are a number of groups within financial services that are self-organized via mailing lists and phone-call trees as well as various other mechanisms for informally sharing data. In addition, the federal government, namely the FBI, provides the industry with vulnerability and real-time data, Steinberg says.

    Given the sophistication of the malware and viruses that are out there, and the speed with which they are evolving, Sophos’s Wisniewski reiterates the need for a layered approach to protecting customer assets from cyber crime. “You need many layers in place to stop the bad things before they happen,” he says. “By implementing all of these tools, the company has five, six or seven attempts to stop the bad virus from coming in or prevent the user from accessing the fake website.”

    “You need many layers in place to stop the bad things before they happen.” —Chet Wisniewski, Sophos
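The behavioral check Steinberg describes, comparing a wire request with how the client normally does business, how they connect, at what time of day and from where, can be expressed as follows. This is an added example, not TD Ameritrade's or any vendor's code; the client IDs, device fingerprints, function names, two-hour tolerance and history rows are constructed assumptions.

```python
"""Behavioural profiling of wire requests. Added example; all data is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed history rows:
# (client, activity, UTC timestamp, device fingerprint, source country, wire destination)
HISTORY = [
    ("c-1001", "login", "2012-03-01T14:05:00", "dev-a1", "US", None),
    ("c-1001", "trade", "2012-03-02T15:30:00", "dev-a1", "US", None),
    ("c-1001", "login", "2012-03-09T13:45:00", "dev-a1", "US", None),
    ("c-2002", "wire", "2012-03-03T16:00:00", "dev-b7", "US", "CA"),
    ("c-2002", "wire", "2012-03-17T15:10:00", "dev-b7", "US", "CA"),
]


class ClientProfile:
    """What is normal for one client: devices, locations, hours, wire destinations."""

    def __init__(self):
        self.devices, self.sources = set(), set()
        self.hours, self.wire_dests = set(), set()

    def learn(self, activity, ts, device, source, dest):
        self.devices.add(device)
        self.sources.add(source)
        self.hours.add(datetime.fromisoformat(ts).hour)
        if activity == "wire":
            self.wire_dests.add(dest)


def build_profiles(history):
    profiles = defaultdict(ClientProfile)
    for client, activity, ts, device, source, dest in history:
        profiles[client].learn(activity, ts, device, source, dest)
    return dict(profiles)


def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    return min((a - b) % 24, (b - a) % 24)


def assess_wire(profiles, client, ts, device, source, dest, hour_slack=2):
    """Return (decision, reasons); any deviation asks for additional authentication."""
    profile = profiles.get(client)
    if profile is None:
        return "step_up", ["no history for this client"]
    reasons = []
    if not profile.wire_dests:
        reasons.append("client has never sent a wire")
    elif dest not in profile.wire_dests:
        reasons.append("new wire destination " + dest)
    if device not in profile.devices:
        reasons.append("unrecognised device")
    if source not in profile.sources:
        reasons.append("new source location " + source)
    hour = datetime.fromisoformat(ts).hour
    if all(hour_gap(hour, seen) > hour_slack for seen in profile.hours):
        reasons.append("unusual time of day")
    return ("step_up" if reasons else "allow"), reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed requests: the first mirrors the Kuala Lumpur case ("MY").
    for req in [
        ("c-1001", "2012-04-02T03:12:00", "dev-zz", "US", "MY"),
        ("c-2002", "2012-04-03T15:40:00", "dev-b7", "US", "CA"),
    ]:
        print(req[0], *assess_wire(profiles, *req))
```

The reasons list is what an analyst or a SIEM rule would log alongside the step-up decision, so each extra authentication prompt can be traced to the signal that caused it.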
  • industryvoice Data Is the New Perimeter

    Data-centric security offers the best defense against advanced persistent threats, argues Voltage Security’s Mark Bower.

    There’s no question that technologies keep getting better. The trouble is, so do hackers. And regrettably, the bad guys often get better faster than the good guys.

    This is the reason data breaches have become an unfortunate reality of modern business. The sheer volume and reach of many breaches bear testament to the fact that all kinds of sensitive data have already been compromised or stolen outright.

    Out of this environment has come an emerging breed of cybercrime that’s particularly worrisome. Sometimes referred to as “advanced persistent threats,” these assaults don’t just build on the growing sophistication of attacks in general; they play specifically to the information environment as it now exists. While often massive in scope, they lie dormant within the infrastructure until the target is most vulnerable. And what they target is not the technology but the data — specific, high-value data, such as employees’ personal information, customers’ addresses and payment details, legal contracts, design schematics, and operational plans pertaining to intellectual property and trade secrets.

    Most companies place a premium on IT security and believe they have ironclad protection. However, the toll from cyber attacks continues to climb. That’s because there are gaping vulnerabilities in the way defenses are deployed — firewalls, endpoint security and even protected storage can all be bypassed by attackers. The dirty little secret (that most vendors never want you to know) is that with just a little effort, sensitive data can be breached.

    Consider this in the context of a different kind of criminal history. While bank robberies have always fired up the public imagination, the most effective thefts seldom occurred inside the bank; Dillinger-like exploits aside, the vaults were usually too secure. Instead, smart criminals waited until the money was out in the open, such as at tellers’ windows or when being hauled to armored trucks.

    Perimeter Security

    Many companies still make the same mistake — they focus security strategies on the vault rather than the cash. As before, many favor the approach of building a perimeter around the data — on servers, desktops, laptops, pipes and packets. However, as any CEO will attest, the rapid adoption of cloud and mobile computing, along with the overall consumerization of IT, has caused those perimeters to become fluid, even nonexistent. The data that the

    About the Author

    Mark Bower is VP of product management for security solutions provider Voltage Security. Bower has more than two decades of experience in the data protection area. His expertise spans electronic banking, smartcard payment systems, Public Key Infrastructure (PKI), identity management systems and cloud security both for the commercial and government sectors.
  • industryvoice guys want is now all over the place, from the biggest servers to your iPhone.

    But here’s another cinematic image: Many banks use dye packs that explode and stain the cash once it’s stolen, making it worthless. Imagine doing this to your data — basically, ensuring that even if it gets breached, it will be worthless to the criminals. That’s the essential logic behind a data-centric strategy. In this scenario, the data is protected end to end using encryption, regardless of which channels it goes through or where it reaches. It can be accessed only by the intended party and no one else.

    This isn’t easy. Encryption techniques typically rely on long, randomly generated keys, and the process is complex, time-consuming and expensive. However, not all encryption is created equal. There are any number of encryption solutions available, but many bring their own problems. For example, database encryption only protects data when it’s “at rest”; network data encryption only protects the data when it’s between two points of a network. Methods using PKI, or Public Key Infrastructure, require high operational costs in key management and are not easily sustainable. Putting in a mix of solutions, meanwhile, can add vulnerability, bring greater complexity and increase costs without adding scalability.

    Key Innovations in Encryption

    However, there are now alternatives that are accessible and affordable. Identity-based encryption (IBE) takes a completely new approach by using any arbitrary string as a public key, enabling data to be protected without the need for certificates. IBE is stateless and dynamic, as well as easy to use, scale and distribute. It’s also efficient at generating and managing keys to scale when sharing unstructured data, without the cost of PKI.

    The underlying principle here is stateless key management, which effectively allows keys to be generated on the fly, derived only from identity information that’s already available, such as your email address. Stateless key management is transparent and easy to manage because, from an IT operational standpoint, there’s no database to manage. It also works nicely with existing business processes, such as electronic discovery and recovery. It’s easily compatible with business processes, retains the protection from mainframe to mobile, and goes a long way toward ensuring compliance.

    Format-preserving encryption (FPE) offers a fundamentally new way to encrypt structured data, such as credit card numbers or Social Security numbers. Encrypted data retains its original size/length and format, and, as a

    The 3 Tenets of Information Security

    1. Follow the data. While everyone acknowledges the value of encryption, not all encryption mechanisms are created equal. A data-centric approach that renders stolen data useless to thieves, regardless of where it’s breached, should be the first line of defense.
    2. Keys to the kingdom. The best security solutions have keys that are never stored, per se; they’re computed only as needed, so they can’t be stolen.
    3. Take the target sign off your back. Cyber criminals look for the highest reward with the lowest protections. If all they get from you is encrypted data, they’ll go elsewhere. Data-centric security ensures digital assets remain encrypted wherever they go.
  • industryvoice result, organizations don’t need to make time-consuming modifications to applications or database schemas. This approach makes it possible to integrate data-level encryption everywhere, even legacy business application frameworks, overcoming a hurdle that was previously insurmountable. (FPE is a mode of the advanced encryption standard [AES], recognized by the National Institute of Standards and Technology.)

    It’s essentially counterintuitive for corporations to plan for a breach; the thinking is always to prevent attacks rather than prepare for the aftermath. But it’s exactly the right philosophy in an environment where many financial services providers have data that, in the wrong hands, is worth more than all of history’s greatest bank robberies combined.

    Enterprises that have been at the receiving end of criminals’ attention know the difference this security strategy can provide. “Every single breach I know of wouldn’t have happened if our end-to-end encryption solution had been there,” says Bob Carr, CEO of Heartland Payment Systems, which suffered a severe data breach a few years ago and has since transformed its security structure with a data-centric approach.

    Imagine a scenario in which cyber criminals deploy resources worldwide to penetrate a network and retrieve the data. Then they find the data is worthless, essentially gold turned into straw. That’s what end-to-end encryption within a data-centric security strategy offers.

    The dirty little secret that vendors never want you to know is that with just a little effort, sensitive data can be breached.
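The two mechanisms the article describes, keys computed on demand from an identity string and ciphertext that keeps the length and layout of the plaintext, can be tried with the following added example, which is not code from the article or from Voltage Security. It uses an HMAC-based derivation in place of identity-based encryption and a generic Feistel construction in place of the NIST-recognized FPE mode. The master secret, identity, function names and card number are constructed assumptions.

```python
"""Stateless key derivation feeding an illustrative format-preserving cipher.
Added example with constructed values; not IBE, not NIST FF1, not production crypto."""
import hashlib
import hmac

MASTER_SECRET = b"constructed-demo-master-secret"  # assumption: would live in an HSM
DIGITS = "0123456789"
ROUNDS = 10  # even, so the two halves end up back in their original positions


def derive_key(identity, purpose="fpe-demo-v1"):
    """Recompute the key for an identity on demand; no per-user key is stored."""
    label = purpose.encode() + b"\x00" + identity.strip().lower().encode()
    return hmac.new(MASTER_SECRET, label, hashlib.sha256).digest()


def _round_value(key, rnd, half, width):
    """Keyed pseudo-random number in [0, 10**width) computed from the other half."""
    mac = hmac.new(key, bytes([rnd, width]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width


def _feistel(key, digits, decrypt):
    """Alternating Feistel network over a decimal string; output has the same length."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v  # width of the half rewritten in round i
        if decrypt:
            c = (int(b) - _round_value(key, i, a, m)) % 10 ** m
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + _round_value(key, i, b, m)) % 10 ** m
            a, b = b, str(c).zfill(m)
    return a + b


def _transform(key, text, decrypt):
    digits = "".join(ch for ch in text if ch in DIGITS)
    if len(digits) < 6:
        raise ValueError("need at least 6 digits; tiny domains can be enumerated")
    out = iter(_feistel(key, digits, decrypt))
    # Put separators (dashes, spaces) back exactly where they were.
    return "".join(next(out) if ch in DIGITS else ch for ch in text)


def fpe_encrypt(key, text):
    return _transform(key, text, decrypt=False)


def fpe_decrypt(key, text):
    return _transform(key, text, decrypt=True)


if __name__ == "__main__":
    key = derive_key("alice@example.com")  # constructed identity
    token = fpe_encrypt(key, "4111-1111-1111-1111")  # constructed test number
    print(token, fpe_decrypt(key, token))
```

Because the token has the same digit count and separators as the input, it fits the existing column or field without a schema change, and the key can be recomputed from the identity whenever it is needed.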
  • perspectives Financial Data Security: ‘Hey, Be Careful Out There’

    The key to protecting financial data is to find the right balance between security and access.

    By Alexander C. Tabb, Tabb Group

    Alexander C. Tabb is the practice leader and managing director for Tabb Group’s crisis and continuity services practice. An expert in international affairs, he joined Tabb Group in October 2004 from Kroll Inc., the international risk consulting

    Security and accessibility are inversely proportional, which means that the more secure you make something, the more inaccessible it becomes — a maxim as true for office buildings, transit systems, banks and embassies as it is for networks and data. After all, with sufficient time, enough money and considerable effort, you can turn any building into Fort Knox, but by doing so you’re probably going to make it nearly impossible for anyone to enter the building to accomplish anything of value. The same holds true for the industry’s interconnected world of financial data.

    The key in terms of security, whether it’s physical or for data, is to find the right balance between protection and access. Go too far in one direction, and you hamstring an organization with overly complex, time-consuming routines that drive down efficiency and increase customer dissatisfaction; go too far the other way, and you leave yourself and your customers vulnerable to all sorts of threats.

    Securing financial services data today has become a herculean task made more challenging by our never-ending drive to make things faster, more efficient, more integrated and more accessible. To complicate matters, not all data or organizations are created equal. For example, some institutions, such as large sell-side brokers, may have the capacity to build out internal resources that drive information security infrastructures while some smaller, more agile buy-side shops and private equity firms can’t. But both types of firms are subject to the same internal and external threats that characterize today’s burgeoning data security concerns.

    Obviously, everyone in the global capital markets industry lives and dies by their data. Whether it’s golden source data that sets pricing for fixed income assets, proprietary data that drives algo creation or customer data that contains personally identifiable information, all of it is important, and all of it is valuable.

    Beyond the Usual Suspects

    Just like a modern-day “whodunit” novel, the cast of characters outside your firm interested in getting their hands on your data is extensive — and growing. These characters are way beyond the big bad wolf, things that go
  • perspectives in the night and Matthew Broderick’s teenage hacker in “War Games.”

    Today, the list of ne’er-do-wells includes hackneyed villains, spies, disgruntled employees and careless personnel. Just over the past few years, we’ve seen a marked increase in the number of threats, attacks and careless mistakes that have targeted the industry. They’re real, they’re damaging and they need to be dealt with.

    “Hacktivists,” like the wildly conspiratorial Anonymous, routinely target groups and organizations within the financial services industry. The latest example of this was reported in The Wall Street Journal: State-sponsored hackers and government-run intelligence agencies allegedly have been linked to numerous attacks against both high-tech and financial services industry leaders, including Google and Morgan Stanley. And international criminal syndicates have been targeting the industry for years, looking to harvest personally identifiable information for illegal purposes.

    But from a security perspective, insiders represent the most challenging vulnerability to data security. For example, there’s Bradley Manning, a nondescript intelligence analyst in the U.S. Army who used his authorized access and a thumb drive to download and illegally disseminate a half-million classified documents to WikiLeaks. Likewise, in a case closer to home, former programmer Sergey Aleynikov was convicted of stealing secret high-speed trading algo code. Although his conviction was recently overturned on technical grounds, the fact remains that Aleynikov, an insider, snagged the code.

    Avoiding Lockdown

    So what can be done? How can the financial services business ensure the safety and security of its most prized possession with success, without sacrificing the overall utility of what it’s trying to protect?

    Sure, locking down the data improves security, but it can also greatly decrease its utility. Similarly, increasing data surveillance — including active monitoring of access privileges, stronger user authentications and encryption — can increase data security. But these technologies, which are all effective, create complexity, inefficiency and increased overhead. Remember, security and accessibility are inversely proportional.

    Remember, too, that in this business, there are few indicators of a problem before it hits. Normally, data breaches are uncovered after the fact, and while your gut instinct may be to close down access and increase scrutiny, that will become increasingly difficult because the demands for data continue to grow.

    While there’s no single answer to solve your firm’s data security challenge, three truths exist:

    1. We need to rely on a balanced approach to data security that is grounded in both technological innovation and strong human resources practices.
    2. We need access to our data.
    3. We have to find a way of granting access so that the access we grant does not bite us in the backside in the future.

    Various Tabb Group analysts will write the “Perspectives” column for Wall Street & Technology’s digital issues in 2012. Founder and CEO Larry Tabb’s byline will return in print editions of WS&

    Everyone in the global capital markets industry lives and dies by their data.