The ROI of IAM - docs.bankinfosecurity.com/files/handbooks/IAM/IAM-eHandbook.pdf

Oct 11, 2018

As I write this note, five banks closed last weekend. Four of them were taken over by other institutions. The week before, three other banks failed and were acquired. So far in 2009, 50 institutions – 45 banks, five credit unions – have failed, and most of them have been absorbed by others. In 2008, there were 40.

So, you think with all that merging and acquiring there might be a challenge with identity and access management (IAM)?

IAM, of course, is a huge issue for financial institutions – not just those involved in M&A activity, but for any bank or credit union that simply wants to manage and monitor information access by employees, contractors and customers.

And at a time when the threat of fraud – from both outside the institution and within – is heightened by the global recession, IAM is even more of a critical pursuit.

With this new handbook, we feature some of the best of our recent IAM content. We showcase additional content and features, too, all of them offering new insights and strategies for financial institutions to tackle their IAM challenges.

And if you have your own IAM solutions to share, please contact me. As we can see from the latest news, IAM isn’t a challenge that’s going to go away anytime soon.

Tom Field
Editorial Director, Information Security Media Group
[email protected]

The ROI of IAM: Why it Pays to Invest in These Solutions Before the Challenges Really Cost You

Tom Field, Editorial Director

July 2009 Table of Contents

Security Strategies

Letter from the Editor ... 1

Identity and Access Management Insights: Interview with Mike Del Giudice, Crowe Horwath ... 3

Cover Story: IAM Trends: Financial Services is at the Leading Edge ... 7

The Future of Banking Enterprise Access Management & Authentication: Paul Smocer of BITS on IAM: The Four Key Challenges ... 11

Case Study: People’s United Bank Saves Time, Costs through Identity and Access Management ... 15

Countrywide and Solving the Insider Threat ... 17

Obama’s “Big Brother” Vision of IAM ... 19

More Resources ... 21

Copyright © Information Security Media Group, Corp.

Identity and Access Management Insights: Interview with Mike Del Giudice, Crowe Horwath

Mike Del Giudice, Senior Security Manager, Crowe Horwath

Specializing in information security and security strategy, including data privacy, network auditing, and compliance related to governmental regulations. Mike also has extensive knowledge of policy and procedure development and has implemented effective information security solutions for a variety of clients.

In these times of mergers and acquisitions in the banking industry, identity and access management (IAM) is a huge challenge.

Mike Del Giudice of Crowe Horwath LLP shares insights on:

• IAM trends in financial services;
• How banking institutions are tackling IAM challenges;
• The ‘gotchas’ to avoid.

TOM FIELD: So, IAM. We hear an awful lot about it, especially in the last year, with all the mergers and acquisitions that have happened in financial services. What do you see as the latest trends that really are relevant to financial institutions?

DEL GIUDICE: The financial institution space is one of the most heavily regulated industries, and when I look at the industry as a whole, I call them ahead of the majority when it comes to security; maybe not out of want, but out of necessity, because of the regulations that are forced on them. When they see or hear identity and access management, or IAM, they see it as an opportunity to address those effectiveness concerns that they have around the controls while increasing operational efficiency.

When you hear IAM, you hear all the buzzwords about how they can help the organization run more streamlined. For the purposes of this conversation, I want to set a baseline of what IAM is. When I define identity and access management on a broad scale, it’s really the authentication and authorization of your users. It could be employees, it could be vendors, it could be consultants, etc. It could be your customers. Basically, how are you going to manage passwords, provisioning and deprovisioning access rights, etc., for those individuals across your organization? One of the big trends I’m seeing is, historically, when organizations have heard or thought about the IAM buzzword, they traditionally thought there was benefit, but a very expensive solution, particularly due to tools and things that they would have to purchase and time they would have to spend to get things pulled together.

One of the things that I try to work with organizations on, where we see the industry start to take hold of a little bit, is when they look at a control environment and when they look at security, they look at it from two perspectives. One is the effectiveness of the control, which is what the regulators are looking for to make sure the control is operating effectively. Organizations are seeing the second component, which is more the efficiency of the control, or how are we operating as it relates to satisfying the business objectives that we have, and looking at security more strategically from that perspective.

When organizations start to look at the efficiency aspects of their control environment, getting beyond just the effectiveness, what they see is there are a couple of basic levels of efficiency or maturity levels with an organization, from a control standpoint. You have organizations that are at the basic level of control, where they are just enforcing control. When you think about a financial institution, you’re going to have someone responsible for network security. Someone is going to be responsible for security around a core application. You’re going to have groups, one-off groups that may be responsible for things like wires, ACH applications, imaging environments, things along those lines. When you think about a basic organization, or the low end of that maturity scale, they definitely look at compliance within those areas, but on a more granular basis. They’re siloed. And that doesn’t present a lot of efficiency to the organization.

They very well may be addressing their compliance needs, but they’re doing it in a siloed and isolated fashion, and that really disconnects security from the overall business goals. As you move up that maturity chain a little bit, you’re going to see those controls become more collaborative and more consistent across the organization, and really, help standardize and streamline the processes a little bit.

I think when organizations first think identity and access management, they think that we all of a sudden need to get to this level of automating controls with a tool. When you’re thinking about the process, from a maturity standpoint, the first step is not going to that nth degree with the tool, but to standardize the processes across the organization. Let’s streamline what we are doing and get those groups to work more collaboratively together, which allows us to leverage that staff more easily across business units, and makes it easier for management to oversee.

It may help cost, even from a third-party consultant or auditing firm standpoint, because now they are looking at one consistent control, as opposed to looking at eight disparate controls across the organization. Then you finally move to that ultimate point within that maturity model when you start to automate those controls. Where are you using technology to implement and enforce the control environment, which minimizes manual intervention, which makes those processes work much more streamlined and efficiently, and minimizes the likelihood of manual mistakes? A lot of the organizations, when they see the gaps that they are struggling with, they are just symptoms of controls that should have a lot of manual intervention.

So, organizations are starting to look at identity and access management more in those tasks of maturity, and seeing where they want to be in that lifecycle, and really focusing on that, as opposed to just looking at identity management as a cost, and thinking, “That’s not something for us, because we just can’t spend any money on anything right now.”

Read this article online at http://www.bankinfosecurity.com/articles.php?art_id=1549


“You can get very, very violent attacks that spread through social networks very, very quickly and that can install malicious software on hundreds of computers very quickly.” – Dave Jevans, APWG

Cover Story

IAM Trends: Financial Services is at the Leading Edge

The need to implement viable identity access management (IAM) solutions for the financial services industry has never been greater.

The industry’s largest entities have been at the front edge of adopting IAM solutions for nearly a decade. Now, mid-sized and smaller institutions are looking toward IAM to help prevent unauthorized access to sensitive systems and provide better regulatory compliance.

And while financial institutions that have implemented IAM haven’t necessarily been innovators, they are knowledgeable and experienced, says Ray Webster, an analyst at Gartner, offering insights on IAM at financial institutions. “Traditionally, financial services usually lead in technology focus, based mainly because they have money to spend and they’re fairly good at implementing it,” Webster says.

Industry at Front Edge of IAM

Financial institutions have been at the front edge, not the bleeding edge, of the adoption of IAM, Webster notes. IAM technology first appeared at the beginning of 2000, when organizations began to do much more with shared computing and more with the Internet. As their application infrastructure became highly complex, moving off the mainframe to use hundreds of applications over their networks and the Internet, a central system for managing access was needed.

Financial services organizations don’t have a lot of specialization when it comes to IAM, and they’ve realized they can’t adequately manage them on a one-off basis, thus the need for management programs. “Driving this is the regulatory atmosphere and the need for audit controls and data protection that produces reports quicker and makes this more transparent,” he says. This is one of the key reasons that financial institutions tend to be at the front of the pack of adopters of this technology.

Webster says IAM interest hasn’t reached full maturity yet, based on when it first started in 2000. Most of the Fortune 2000 have IAM initiatives in place, in terms of centralized management of identity; on average they’re at a moderate level of maturity. “In two to three years they’ll be closer to maturity, reaching operational efficiency, and there will be less of a need to talk about IAM.”

There has been recognition across financial services and other industries that IAM is a core infrastructure that has to be given some attention. That doesn’t mean institutions have to automate everything, or that they have to revamp what they’re doing, he says. “Institutions need someone to assess and plan for a modern identity management infrastructure. Most organizations have recognized that at this point in the game and are working on a plan for their infrastructure.”

Among some of the trends Webster sees:

Outsourcing Challenges

Among the IAM trends in recent years is outsourcing of applications to service providers, which has morphed into a discussion of software-as-a-service (SaaS), which in turn has morphed into a discussion about cloud service. Both SaaS and cloud service must be well thought out before being implemented by institutions, Webster notes.

“Those SaaS and cloud questions are things that have clear identity and access management requirements and concerns,” Webster says. “These are the problems that institutions are trying to figure out today.”

The Debate: Internal vs. External

Larger institutions, especially the top banks, are relatively mature in the use of internal IAM. “They have automated systems in place for their tasks and a fairly good audit and information management facility that allows them to show auditors that they are practicing IAM consistently with their requirements,” he says.

So, when a bank or credit union thinks about externalizing services, this brings its own set of concerns and questions. “Am I going to allow my service providers to manage my identity access, and will they do it in a secure fashion, or am I going to continue to do it on my own, and still outsource some of it?”

The move toward IAM federation is an example of this trend. “Five years ago, if I wanted to outsource an application, I would have had to outsource the identity access for that application. Now, I can keep that portion internal and outsource the application to a service provider,” Webster says.

Two reasons to keep IAM internal and not outsource it, according to Webster: First, an institution isn’t dependent on an outside party who may not be as timely or thorough in keeping access lists up to date; the institution has to tell them when to take people off lists. Second, the institution must trust that the other organization will maintain control over the lists, and that the information in the application itself is intact.

Consumer-Side Use of IAM

On the consumer side, there has been a great deal of activity on how customers and users are authenticated, and the focus of regulatory agencies has been here.

GLBA and PCI audits revealed to many institutions the need to move toward IAM. It was a quick hit, and the solutions can put in an infrastructure to report who had access to what, when, what they did, and who gave them authorization to the system, Webster notes.

Greater Transparency

A general trend in IAM is enforcing the principle of least privilege (people only have access to the systems/applications they need to do their jobs). This has taken the form of putting in systems that allow organizations to set policy and then monitor to see that those policies are enforced. “For example, I want to know that only the people in accounting have access to the accounting system, and that nobody can both create a transaction and approve that transaction. Second, I want to know who is creating transactions and who is approving them,” Webster notes. This is the direction institutions are moving toward -- more transparency.
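Webster’s two statements are checkable from data an institution already holds: the entitlement export of the accounting application joined to the HR roster, and the application’s own transaction audit log. The script below is an added example, not code from the handbook or from Gartner; the entitlement names, users, departments and transactions are constructed for illustration. The entitlement review covers the preventive side (non-accounting users on the system, anyone holding both the create and the approve right), and the activity review answers the second question: who actually created and approved each transaction, and whether they were entitled to.

```python
"""Least-privilege and separation-of-duties review for an accounting system.

Added example, not code from the handbook or from Gartner. The two policy
statements follow the article; the entitlement names, the HR roster, the
entitlement export and the transaction log are constructed for illustration.
"""
from collections import defaultdict

# Policy: only accounting staff on the accounting system, and nobody may both
# create and approve a transaction. Entitlement names are hypothetical.
POLICY = {
    "app_prefix": "acct.",
    "owning_department": "accounting",
    "create": "acct.create_txn",
    "approve": "acct.approve_txn",
}

# Constructed HR roster: user -> department (the system of record for
# "who is in accounting").
HR_ROSTER = {"alice": "accounting", "bob": "accounting",
             "carol": "accounting", "dave": "marketing"}

# Constructed entitlement export from the accounting application.
ENTITLEMENTS = [
    ("alice", "acct.create_txn"),
    ("bob", "acct.approve_txn"),
    ("carol", "acct.create_txn"),
    ("carol", "acct.approve_txn"),   # both halves of the toxic combination
    ("dave", "acct.view"),           # a marketing user on the accounting system
]

# Constructed transaction audit log: (txn_id, created_by, approved_by).
TRANSACTIONS = [
    ("T1", "alice", "bob"),
    ("T2", "carol", "carol"),        # created and approved by the same person
    ("T3", "dave", "bob"),           # created by someone with no create right
]


def entitlements_by_user(entitlements):
    held = defaultdict(set)
    for user, ent in entitlements:
        held[user].add(ent)
    return held


def review_entitlements(roster, entitlements, policy):
    """Preventive side: does the access assigned on the system match policy?"""
    held = entitlements_by_user(entitlements)
    findings = []
    for user in sorted(held):
        ents = held[user]
        if not any(e.startswith(policy["app_prefix"]) for e in ents):
            continue                                  # no access to this app
        dept = roster.get(user)
        if dept != policy["owning_department"]:
            findings.append(("outside_department", user, dept or "not in HR roster"))
        if policy["create"] in ents and policy["approve"] in ents:
            findings.append(("toxic_combination", user,
                             policy["create"] + "+" + policy["approve"]))
    return findings


def review_activity(entitlements, transactions, policy):
    """Detective side: who actually created and approved, and were they entitled to?"""
    held = entitlements_by_user(entitlements)
    findings = []
    for txn_id, creator, approver in transactions:
        if creator == approver:
            findings.append(("self_approval", txn_id, creator))
        if policy["create"] not in held[creator]:
            findings.append(("create_without_entitlement", txn_id, creator))
        if policy["approve"] not in held[approver]:
            findings.append(("approve_without_entitlement", txn_id, approver))
    return findings


if __name__ == "__main__":
    for finding in review_entitlements(HR_ROSTER, ENTITLEMENTS, POLICY):
        print("entitlement review:", finding)
    for finding in review_activity(ENTITLEMENTS, TRANSACTIONS, POLICY):
        print("activity review:   ", finding)
```

The activity review is the part an entitlement review alone cannot give: even after Carol’s extra right is removed, an application that lets an approver approve a transaction they created, or that does not enforce its own entitlements tightly, still needs the audit log compared against who was entitled to do what. Both reviews read the same export, so they can run on the same schedule as the access certification.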

There have been user provisioning systems and technology solutions available for 8-9 years, “but organizations have found the projects to be rather complex, and it takes some time to get it right,” he notes.

IAM in the Mid-Market

As he looks at the smaller sized institutions, Webster sees that institutions of $5 billion and under obviously have less money to spend on IAM projects than larger organizations. “They will be more conservative in their choices of technology and timeframe for doing an IAM project. Some of them are at very early stages, but some have made significant steps.”

Institutions that are not in the top banks and are just starting to look at IAM aren’t alone by any means, he says. There is a lot of IAM technology in place already in every organization. Most are working off a centralized directory such as Active Directory. Many are tied into Active Directory groups for email and other large applications.

“What they have is something that has grown organically, and meets 60 to 70 percent of their needs, but they need to create a plan and architecture and begin adapting to it,” Webster says. Institutions aren’t being lax. On average they have at least some of an infrastructure in place, even before they start. They need to think about what their needs are, and what policies and procedures need to be in place, Webster advises. “Only after that should they begin real technology upgrades,” he concludes.

Read this article online at http://www.bankinfosecurity.com/articles.php?art_id=1585

Emerging Technologies Insights:

The Future of Banking Enterprise Access Management & Authentication: Paul Smocer of BITS on IAM: The Four Key Challenges

Paul Smocer

As we discuss employee authentication today, I’d like to focus on four component areas:

• Enrollment or identification process – generally, one can think of this as the process of assigning an electronic persona to the employees involved.

• Authentication process – or the process an employee uses to validate that he or she is who he or she claims to be.

• Provisioning process – in which administrators assign access rights to employees and conversely disallow employees from having rights.

• Review or monitoring area – where managers and administrators review users, validate their existing rights, and perform ongoing and periodical monitoring of user activities.

Now I’d like to focus on the challenges in each of these four component areas.

Enrollment

Perhaps the largest challenge is the struggle organizations have in maintaining a common store for all of their employees and their user IDs. Often because of the design of underlying platforms and applications, it’s difficult to arrive at a common system of record. User IDs become diffused across a number of administrative systems that complicate the ability to both add and delete users. Complicating that issue is the fact that the very format of user IDs, and usually password structures, across various platforms and applications is inconsistent.

Even if organizations have set internal standards, they find themselves with systems, usually older ones, that are out of alignment. User ID and password structures in applications provided under an application service provider model tend not to synchronize with the internal systems. The same is usually true for commercial off-the-shelf software, and getting the vendors of those systems to change is usually difficult and time-consuming.

Adding to the challenges within the enrollment area is the issue of what’s commonly called joiners and leavers, or more simply the process of adding new employees and removing those leaving the organization.

Authentication

Moving to the authentication area, perhaps the biggest challenge faced in this space is that as organizations developed or acquired application systems over time, and as they introduced various operating components into their environments, they ended up with a hodgepodge of authentication methodologies and structures. This affects fundamental issues like password length and composition inconsistencies, but often also affects other decisions. For example, while most organizations require strong authentication methodologies in many cases, it would not be unusual to find that some systems use certificates, some use dual passwords and some use tokens. Even when using tokens, it would be fairly common in large organizations to find applications using tokens from various manufacturers. This diversity adds significantly to the resources required to manage the authentication space. Complicating this further is that even the fundamental issues over things like password structure make password synchronization processes difficult to implement.

Provisioning

The act of providing rights to users to perform specific actions also presents challenges. Organizations struggle to find ways to provision new employees or employees who have to have their rights changed quickly. Typically, the longer it takes to assign the correct rights to an employee, the less productive that employee could be during the period. Conversely, deprovisioning or taking away the rights of an employee who no longer needs them also presents risk. An employee who has rights he or she no longer needs presents a threat in terms of data exposure, data loss or fraud.

Many organizations have begun to move to role-based access control processes to try to help in this space. But typically these processes only work well in environments where large groups of the employee population require static or common access entitlements. Where there is a diversity of roles and/or a diversity of access requirements, such processes often fall short.


Monitoring

While it’s clearly important to deal with identification, authentication and provisioning issues, it’s also important to understand what’s going on in the environment. This is where monitoring and review come into play. This area, however, presents challenges as well.

First, and perhaps most fundamental, some technologies that play in this space do not even offer appropriate reports to tell who has what rights or logging to tell who has completed what activities. Without these tools, it’s impossible for administrators and business managers to fully understand the environment.

When they are provided, at times the reports are too technical in nature for business-line managers to understand. Consequently, the people who are typically responsible to validate that their employees have the correct access entitlements and authorizations struggle to work through the reports to draw valid conclusions.

One reality that presents a particular challenge in this space is that business managers who are asked to validate entitlement and activity information often have little time to do so. Their business goals and priorities put pressure on their time, and such reviews become secondary priorities -- often being rubberstamped.
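The enrollment, provisioning and monitoring challenges above come together in one recurring reconciliation job: treat the HR feed as the system of record, correlate every application account back to it even though each system spells the employee number its own way, compare the access actually held with what the job title’s role implies (so that joiners with nothing and leavers with everything both surface), and render the result as sentences a business-line manager can act on without decoding entitlement names. The script below is an added example, not code from the handbook or from BITS; the HR feed, the three account exports, the role model and the employee-number formats are all constructed for illustration.

```python
"""Joiner/leaver reconciliation against the HR system of record.

Added example, not code from the handbook or from BITS. Every record below is
constructed: the HR feed, the per-system account exports, the role model and
the employee-number spellings are illustrative.
"""
import re
from collections import defaultdict

# HR feed (system of record): canonical five-digit employee number.
HR_FEED = [
    {"emp_no": "00123", "name": "J. Smith", "status": "active", "title": "Branch Teller"},
    {"emp_no": "00124", "name": "R. Jones", "status": "active", "title": "Branch Manager"},
    {"emp_no": "00125", "name": "P. Lee", "status": "terminated", "title": "Branch Teller"},
    {"emp_no": "00126", "name": "A. Khan", "status": "active", "title": "Branch Teller"},
]

# Per-system exports: (system, local user ID, employee number as that system
# stores it, entitlements held). Each system has its own spelling of the
# employee number, which is the inconsistency the article describes.
ACCOUNT_EXPORTS = [
    ("ad",   "jsmith",   "E00123", ["ad:domain-users", "email:mailbox"]),
    ("core", "JSMITH01", "123",    ["core:teller", "wire:release"]),
    ("ad",   "rjones",   "E00124", ["ad:domain-users", "email:mailbox"]),
    ("core", "RJONES01", "124",    ["core:teller", "core:override"]),
    ("ad",   "plee",     "E00125", ["ad:domain-users", "email:mailbox"]),
    ("core", "PLEE01",   "125",    ["core:teller"]),
    ("core", "SVCBATCH", "",       ["core:teller"]),
]

# Role model: the base access every holder of a job title should have.
ROLES = {
    "Branch Teller": {"ad:domain-users", "email:mailbox", "core:teller"},
    "Branch Manager": {"ad:domain-users", "email:mailbox", "core:teller", "core:override"},
}


def normalize_emp_no(raw):
    """Reduce 'E00123', '123' or '00123' to the HR canonical '00123'."""
    digits = re.sub(r"\D", "", raw or "")
    return digits.lstrip("0").zfill(5) if digits else None


def reconcile(hr_feed, exports, roles):
    """Return findings as (kind, *details) tuples: account checks first, then people."""
    hr = {r["emp_no"]: r for r in hr_feed}
    held = defaultdict(set)            # emp_no -> entitlements actually held
    findings = []
    # Pass 1: every account must trace to a current employee (leavers, orphans).
    for system, local_id, raw_emp_no, ents in exports:
        person = hr.get(normalize_emp_no(raw_emp_no))
        if person is None:
            findings.append(("orphan_account", system, local_id, "no matching HR record"))
            continue
        if person["status"] != "active":
            findings.append(("leaver_with_access", system, local_id, person["name"]))
            continue
        held[person["emp_no"]].update(ents)
    # Pass 2: every active employee should hold the role's base access and no
    # more; joiners not yet provisioned and access beyond the role both surface.
    for emp_no, person in hr.items():
        if person["status"] != "active":
            continue
        expected = roles.get(person["title"], set())
        for ent in sorted(expected - held[emp_no]):
            findings.append(("joiner_missing_access", emp_no, person["name"], ent))
        for ent in sorted(held[emp_no] - expected):
            findings.append(("excess_access", emp_no, person["name"], ent))
    return findings


# Plain-language templates so the reviewing manager reads an action, not a code.
WORDING = {
    "orphan_account": "{0} account '{1}' has {2}; find an owner or disable it",
    "leaver_with_access": "{0} account '{1}' is still enabled for former employee {2}; disable it",
    "joiner_missing_access": "{1} (employee {0}) lacks the base access '{2}' for the job title; provision it",
    "excess_access": "{1} (employee {0}) holds '{2}' beyond the job title's role; approve or remove it",
}


def review_report(findings):
    """Render findings as one sentence each for the business-line review."""
    return [WORDING[kind].format(*details) for kind, *details in findings]


if __name__ == "__main__":
    for line in review_report(reconcile(HR_FEED, ACCOUNT_EXPORTS, ROLES)):
        print(line)
```

Two design points match the text: the leaver check runs per account rather than per person, because a leaver with two accounts needs two disable actions, and an account that cannot be correlated to HR at all is reported rather than silently skipped, since that is exactly the kind of account a siloed administrator would never review. The role comparison is deliberately coarse; where titles do not predict access well, as Smocer notes, the "excess" findings become the queue the manager has to approve or remove by hand.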

Good employee authentication practices are clearly an important component of an organization’s data protection process and serve to reduce both insider risk and insider fraud. Authentication has been and continues to be a focus of BITS and is a key focus of the most recent financial services sector coordinating committee’s R&D priorities.

Read this article online at http://www.bankinfosecurity.com/articles.php?art_id=1192



Case Study: People’s United Bank Saves Time, Costs through Identity and Access Management

By Linda McGlasson

The bottom line was getting new employees up to speed. That was the final selling point for People’s United Bank to implement an identity access management solution. People’s United Bank has implemented an identity access management solution that now automatically provisions 3,000 of its nearly 5,000 employees on the bank’s system.

Identity access management (IAM) combines business processes, policies and technologies that enable institutions to provide secure access to any resource, efficiently control this access, respond faster to changing relationships, and -- most importantly -- protect confidential information from unauthorized users.

Greg Kyrytschenko, director of Information Security at the bank, explains that at the time work began on the project, People’s United Bank was a $12 billion institution looking to grow through expansion. “Consequently, we needed the ability to rapidly provision users,” he notes. Today, People’s United, headquartered in Bridgeport, CT, has $21 billion in assets, with more than 300 branch locations in the Northeast.

Once People’s United selected a solution for identity access management, the real work began. “We determined that first we needed to provision our retail branch staff, which at the time of initial deployment comprised 60 percent of the employee population,” Kyrytschenko recalls. People’s United partnered with the Courion Corporation to get the job done.

Getting Started

Kyrytschenko’s team established roles for the bank’s entire retail environment. During the onboarding process, a manager approves a new hire’s access entitlements. The new employee then receives all of the appropriate access required to perform his/her job. “One of the project goals was to get the user up and productive on their first day at work,” Kyrytschenko notes.

An important part of the role management process is to periodically meet with each line of business to review defined access entitlements. Kyrytschenko’s team built the logic into the identity access management system, so that once the entitlements were determined, an employee could quickly and easily be provisioned. “We are now able to rapidly provision base level access (network and email) for new employees,” he explains. The Human Resource Information System, which determines an employee’s employment status, is the authoritative source for the IAM solution.

Business Benefits

Kyrytschenko notes some of the immediate benefits from implementing IAM:

• Time savings - Provisioning a new employee used to take anywhere from 5 to 10 business days for People’s United. Once a manager approves the access, “It’s now a matter of less than five minutes,” he says.

• Reduced risk during terminations - With the IAM solution, the team has the ability to manage a normal termination (an employee providing two weeks’ notice) or an immediate separation. “We can take immediate action to terminate access via a web browser, even after hours,” Kyrytschenko states.

• Centralized administration - People’s United has centralized all of its security administration operations. Previously the bank had a distributed security administration model, which added time and complexity to the termination process. “Now every user access activity (‘create’, ‘modify’, ‘deletion’) funnels through my team and we can take the appropriate action to stay in compliance with our internal and external auditors,” Kyrytschenko adds.

• Streamlined processes - With the IAM solution, users are appropriately notified in a timely manner so they may take any additional actions required to provision other resources.

Kyrytschenko says the bank’s long-term strategy is to begin to manage all resources in this manner, including Blackberries, phone lines, cellphones, and computer equipment such as laptops and desktops.

The bank’s increased focus and defense-in-depth approach has, with the IAM, “kicked it up a couple of notches,” he notes. “Our regulators, the Office of Thrift Supervision (OTS), are happy with the progress, but as with any regulator, they always want more.” Eventually, Kyrytschenko would want to have the “big picture” of what every individual user has access to in the bank’s environment.

Lessons Learned:

• Know your business - Make sure you establish a business partnership and identify business needs upfront, not simply technology needs. “Speak in business terms, and promote the benefits to the business in ways that can be easily related to,” Kyrytschenko notes.

• Sell value and ROI - IAM is a big ticket item for any organization. “Do the numbers and be ready to show real tangible results for the cost. Originally we had 98 security administrators, now we have reduced that cost. I have four in my group (two of them are interns) who are doing the administration of security access controls.” From a resource/headcount standpoint, there was a significant cost savings for the bank.

• Best practices - Be sure to demonstrate an internal success story with one of your business units. This is an excellent way to recruit other lines of business. “We had a major success story with our retail environment, which we were then able to present to other lines of business,” Kyrytschenko states.

• Offer enough training - Make sure your end users know how to use the solution. Host training and demonstrations for management and others who will be using the interface, and follow up on any feedback, questions or potential issues.

read this article online at http://www.bankinfosecurity.com/articles.php?art_id=896


Page 18: The ROI of IAM - docs.bankinfosecurity.comdocs.bankinfosecurity.com/files/handbooks/IAM/IAM-eHandbook.pdf · IAM, of course, is a huge issue for financial institutions – not just

Copyright © Information Security Media Group, Corp.

Countrywide and Solving the Insider Threat

The Agency Insider with Linda McGlasson

Maybe the Countrywide television ads that constantly run on the cable news shows I watch on weekends will now tout, “Finance your mortgage with Countrywide, and have your identity stolen at the same time for mere pennies.”

The recent arrest of a former Countrywide employee in the insider identity theft case, in which the records of an estimated 2 million mortgage loan customers of the mortgage lender were taken, is just chock full of “but for the grace of God” examples for other financial institutions.

The fact is that a determined insider is the hardest person to stop. But the detailed, long-term movement of information by senior financial analyst Rene Rebollo while he worked at Countrywide could be viewed in hindsight as a neon blinking light on the Vegas strip that says “I’m Stealing Data From My Employer.”

He was copying and transferring information on Sunday evenings - a big neon flashing arrow should have been lit up. Was there a reason for this individual to be working on Sunday nights?

And nearly every Sunday night for an extended period of time? I mean, some of us work on the weekends every now and then (me included). But if my job doesn’t require me to be in the office every Sunday night, shouldn’t that ring some warning bells that this activity is somewhat of an exception?

The really big clue would have been: He wasn’t using his computer, but a machine nearby that didn’t have its USB ports disabled. (Countrywide’s effort to stop users from copying data onto USBs or thumb drives, iPods or other portable storage drives was to disable all the USB ports on all machines.) The mortgage lender stopped there, and didn’t deploy any method for detecting or stopping downloads to USB devices since it was already stopping downloads by blocking USB connections. Whoops, they missed one.

What about Countrywide’s policies, procedures and internal controls? The insider’s immediate management should have also been clued in, but wasn’t aware, because he was coming in during non-working hours. If they did know he was coming in, through signature access logs, cameras, or computer logs, they didn’t realize he was logging into a different machine. Couldn’t a good dose of identity and access management software solve that problem?
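The checks the paragraphs above say were missing, as an added example that is not from the handbook and is not Countrywide’s code: a short Python script that first audits a workstation inventory for machines the USB-storage block was never applied to (the one that got missed), then runs three detections over logon and removable-storage events: repeated off-hours logons by the same user, logons to a workstation not assigned to that user, and any write to removable storage, flagging writes on hosts where the block was supposed to be in place. The inventory, the log format, the host and user names and every log line are constructed for the demonstration, and the 08:00-17:59 weekday business-hours window is an assumption.

```python
"""Insider-threat indicators over constructed logon / removable-storage events.

Added example, not part of the original handbook. All data below is made up.
"""
from collections import Counter
from datetime import datetime

# Constructed inventory: the user each workstation is assigned to, and whether the
# USB mass-storage block was actually applied there. WS-117 is the one the rollout missed.
HOSTS = {
    "WS-101": {"owner": "analyst1", "usb_storage_blocked": True},
    "WS-102": {"owner": "analyst2", "usb_storage_blocked": True},
    "WS-117": {"owner": "shared", "usb_storage_blocked": False},
}

# Constructed log lines: "<ISO timestamp> <event> key=value ...". Sunday-evening
# logons and copies from an unassigned machine are what the post describes.
SAMPLE_LOG = """\
2008-03-02T21:14:03 LOGON user=analyst1 host=WS-117
2008-03-02T21:20:41 USB_STORAGE_WRITE user=analyst1 host=WS-117 device=SanDisk
2008-03-03T09:02:10 LOGON user=analyst1 host=WS-101
2008-03-09T20:58:22 LOGON user=analyst1 host=WS-117
2008-03-09T21:05:00 USB_STORAGE_WRITE user=analyst1 host=WS-117 device=SanDisk
2008-03-16T21:03:55 LOGON user=analyst1 host=WS-117
2008-03-16T21:11:30 USB_STORAGE_WRITE user=analyst1 host=WS-117 device=SanDisk
2008-03-17T08:55:12 LOGON user=analyst2 host=WS-102
2008-03-17T09:10:00 USB_STORAGE_WRITE user=analyst2 host=WS-102 device=Kingston
2008-03-22T10:30:00 LOGON user=analyst2 host=WS-102
"""

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59, Monday to Friday


def parse_events(text):
    """Parse the log text into dicts with a datetime plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(stamp), "event": event}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def policy_gaps(hosts):
    """Hosts where the USB-storage block was never applied: the 'they missed one' audit."""
    return sorted(h for h, attrs in hosts.items() if not attrs["usb_storage_blocked"])


def is_off_hours(ts):
    """Weekend, or a weekday outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(events, hosts, min_offhours_logons=2):
    """Evaluate the three indicators over parsed events and return the findings."""
    offhours = Counter()
    unassigned = set()
    usb_writes = []
    for ev in events:
        if ev["event"] == "LOGON":
            if is_off_hours(ev["ts"]):
                offhours[ev["user"]] += 1
            owner = hosts.get(ev["host"], {}).get("owner")
            if owner != ev["user"]:  # logging into someone else's (or a shared) machine
                unassigned.add((ev["user"], ev["host"]))
        elif ev["event"] == "USB_STORAGE_WRITE":
            blocked = hosts.get(ev["host"], {}).get("usb_storage_blocked", False)
            usb_writes.append({
                "user": ev["user"], "host": ev["host"], "device": ev.get("device"),
                # a write on a host that is supposedly blocked means the control was bypassed
                "control_bypassed": blocked,
            })
    return {
        "repeat_offhours_logons": {u: n for u, n in offhours.items() if n >= min_offhours_logons},
        "logons_to_unassigned_host": sorted(unassigned),
        "usb_storage_writes": usb_writes,
    }


if __name__ == "__main__":
    print("USB block missing on:", policy_gaps(HOSTS))
    for key, value in detect(parse_events(SAMPLE_LOG), HOSTS).items():
        print(f"{key}: {value}")
```

Each detection on its own is noisy (plenty of people work the odd weekend), which is why the script reports them separately and leaves correlation to the analyst: the same user hitting all three, week after week, is the pattern the post says should have lit up.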

Looking back at the two years this insider was able to pull off his data thefts, some managers would probably think, “That guy who works for me is really a hard worker. He comes in every Sunday night to get a jump start on the next week. He is a smart, dedicated employee. Hmmm, maybe I should look into giving him a raise.”

Rebollo, as the FBI affidavit reveals, wasn’t that smart. He voluntarily told the FBI that he would charge $400 to $500 for thousands of leads. At that rate, his criminal actions would end up costing the buyers of this stolen data about 2.5 cents per customer profile. Now that’s what a criminal would call a real bargain, as experts say that Social Security numbers by themselves cost dollars, not merely a few pennies. The type of information stolen from Countrywide customers (name, address, SSN, date of birth) could be used to open new bank accounts, the golden dream of every identity thief (emphasis on the golden part).

How to tell the difference be-tween a dedicated employee and the evil insider thief? I wish I could say there’s a birthmark on the scalp of the evil insider, but there isn’t (most times).

What companies need to realize is they have to take this threat seriously. One place to start is a study done by the National Threat Assessment Center, US Secret Service and the CERT Coordination Center at Carnegie Mellon University, “Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector”.

Next thing to do is realize this: Technology alone won’t solve the problem. Just having internal controls and policies in place doesn’t solve the problem, either. A wise, well-planned, multi-pronged risk management strategy will work with a combination of appropriate physical controls and logical controls. Also don’t forget the need for complete support of senior management. Combine all this with a strong employee education and awareness program - and you’ve now cut the chances of your institution’s name being splattered everywhere in the headlines.

Finally, just imagine if Rebollo’s co-workers had spotted signs of his caper, say after a month’s worth of downloads, and remembered they could call and report his suspicious activity to Countrywide’s information security officer anonymously? Can we estimate the saving of money and reputation? Think of the human firewall Countrywide could have had in place if its employees had been educated on the importance of information security and their responsibility to report “suspicious” activity by other employees. It certainly wouldn’t cost more than what they’re spending on the investigation and the subsequent fallout and reputation loss because of this insider’s data theft. LM

http://blogs.bankinfosecurity.com/posts.php?postID=70


Obama’s “Big Brother” vision of IAM

Secure Marketplace with Mike D’Agostino

So, did anyone read about the President’s Cybersecurity Action Plan? I’m assuming you’ve read through all 10 points. You didn’t stop to ponder after the first few did you? I mean, you didn’t happen to stop after number 8? The one about the incident response plan?

I hope not, because points 9 and 10 are really what the plan is about. One through eight were pretty much a given...appoint a cybersecurity official? Initiate a public awareness campaign? Draft an incident response plan? These are all fairly obvious and in my opinion outline what any “online business” would have to contend with. Points nine and 10 are very far-reaching, though, and very bold:

“9. In collaboration with other Executive Office of the President entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.

10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.”

I know Obama didn’t actually say that in the near future our next of kin would be implanted with ID chips upon birth, but I’m a bit surprised I haven’t seen much speculation regarding his comments. I realize this list is but a whetting of the appetite compared to the policies, legislation and oversight that will eventually come out - but it is nonetheless a very important list that many have been looking forward to. After seeing points nine and 10, though, I expected an outcry from Rush Limbaugh and privacy groups of all shapes and sizes, but I really haven’t heard much yet.

To me, point nine is trying to build a case for number 10. It doesn’t really mean anything; it’s just reinforcing that Obama’s administration is looking to push technology to the forefront, and if the result is a microchip implanted in everyone’s neck - so long as it’s “game-changing” and enhances the security of our digital infrastructure, then so be it! Number 10, though, is the true point and offers a glimpse into what the game-changing technology might be.

This truly is the moment we move into the future, when every citizen of the United States is registered and tracked in real time in a government-run database. How will this system work? Will the government be administering hundreds of millions of RSA tokens? Will we all be registering with our fingerprints the next time we go to the DMV? Time, money and speculation will tell, and I, for one, am excited to see where this will go.


I long for a day when my wallet, my keys, my cell phone and the various other small form-factor gadgets that line my pockets will be replaced by one ubiquitous device that also performs authentication duties.

I won’t try to determine what type of technology will be involved in a government-run identity and access management system, but the privacy implications are obviously far-reaching. Is it possible to create such a system where freedom of speech and anonymity are still possible, while at the same time being able to authenticate someone’s identity with 100% accuracy? It seems like a conundrum, as if you know of someone’s true identity at all times, then that person can no longer act in an anonymous manner.

This will be a springboard to an unfathomable number of new technologies and systems that society has never dealt with in the past. If every citizen is part of a government-run electronic identity and access management system, would it be too much to ask that we get rid of all cash and physical currency? I mean, if the government is so sure of who I am at any given moment, then I can surely associate my finances, health records and otherwise with relative security, right? It’s not like someone else can claim to be me and gain access to any of my personal data. Is a completely electronic, 100% credit-based economy too far off?

What’s your take on a possible government-run identity and access management system? Are you looking forward to the day your identity can be authenticated with 100% accuracy, or are we just heading down the George Orwellian future of “1984?” MD

http://blogs.bankinfosecurity.com/posts.php?postID=213

read this blog online at http://blogs.bankinfosecurity.com/posts.php?postID=169


More Resources

Webinars

• Defending Against the Insider Threat http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=67

• The Future of Banking Enterprise Access Management & Authentication http://www.bankinfosecurity.com/onDemand.php?webinarID=118

• The Future of Consumer Banking Authentication http://www.bankinfosecurity.com/onDemand.php?webinarID=103

Interviews

• Tackling the IAM Challenge - Jay Arya of Investors Savings Bank http://www.bankinfosecurity.com/podcasts.php?podcastID=252

• The Role of Information Security in a Merger/Acquisition - Interview with Nalneesh Gaur, CISO, Diamond Management & Technology Consultants http://www.bankinfosecurity.com/podcasts.php?podcastID=119


Security Strategies

About Information Security Media Group

Prior to early this decade, online banking was truly in its infancy. With the advent of more and more technology becoming interwoven with what we would consider “everyday banking,” a growing list of regulations, guidance and federal mandates have been issued by the regulatory agencies which govern the banking industry. We created BankInfoSecurity.com and CUInfoSecurity.com to offer insight and guidance on how to deal with these relatively new requirements.

BankInfoSecurity.com and CUInfoSecurity.com are your one-stop portals for the latest news, insights and education on the top information security issues facing U.S. financial institutions and credit unions today. Through articles, webinars, podcasts, customized training and sponsored content, our team is committed to providing up-to-date information on the security regulations, threats, solutions, training and career trends that most impact banks, credit unions and other related enterprises.

GovInfoSecurity.com was formed to bring all that is risk management together for local, state and federal agencies so they can meet regulatory requirements armed with the intelligence and industry best practices they need. It’s an online resource dedicated to information security, audit, risk management and compliance topics. GovInfoSecurity.com is the only such media outlet to look at information security through the eyes of the federal government.

Contact

4 Independence Way, Princeton, NJ 08540

Phone: (800) 944-0401
Email: [email protected] [email protected]

ISMGCorp.com
BankInfoSecurity.com
CUInfoSecurity.com
GovInfoSecurity.com


Copyright 2009 Information Security Media Group, Corp. ©