[ISN] Hacking syndicates threaten banking

From: InfoSec News (isnat_private)
Date: Tue Nov 05 2002 - 22:27:53 PST

    http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,75584,00.html
    
    By DAN VERTON 
    NOVEMBER 04, 2002
    
    The number of organized hacking syndicates targeting financial
    institutions around the world is growing at a disturbingly fast rate.  
    And so is the number of banks willing to pay these high-tech
    extortionists hush money to protect their reputations, according to a
    security expert at The World Bank.
    
    Cases in which banks, brokerage firms and other financial institutions
    have quietly paid hacking syndicates extortion money are "extremely
    widespread," said Tom Kellermann, senior data risk management
    specialist at The World Bank in Washington. Kellermann, who
    co-authored a study on the electronic security risks facing the global
    financial community, presented the findings during an Oct. 29 online
    seminar sponsored by Cable & Wireless Internet Services Inc. in
    Vienna, Va.
    
    The 127-page study details the growing security challenges facing the
    financial sector as a result of the industry's unprecedented
    dependence on the public telecommunications system, rapid adoption of
    wireless systems and outsourcing of operations to third parties.
    
    And the growing dependency on Internet technologies that are linked to
    sensitive back-end systems, such as customer databases and real-time
    stock data, has made online extortion a major "safety and soundness
    issue" for the financial markets, Kellermann said.
    
    80% Go Unreported
    
    Kellermann cited reports from Framingham, Mass.-based IDC and
    Stamford, Conn.-based Gartner Inc. that indicate that roughly 80% of
    cybercrime incidents in the financial sector go unreported to law
    enforcement agencies.
    
    Moreover, he contends that IT employees keep many of these incidents
    from senior banking executives "due to the reality that they may be
    fired." Banks don't report these incidents mainly because they want to
    maintain customer and investor trust, according to Kellermann.
    
    At the same time, massive underreporting has created a vicious
    catch-22 for an industry that continues to struggle with dwindling
    budgets. "It has a magnifying effect because there's no actuarial data
    to justify the extra expense on security," said Kellermann. "We are
    losing this war."
    
    Budget issues have also led banks and other financial companies to
    outsource operations. But that can have disastrous consequences for
    hundreds of banks at once if the hosting company doesn't implement
    proper security protections, Kellermann said. He cited an incident
    last year in which hackers penetrated the systems run by S1 Corp., an
    Atlanta-based provider of electronic finance services to the financial
    industry. The incident led to the compromise of more than 300 banks,
    credit unions, insurance providers and investment firms
    simultaneously.
    
    Coverups Not Common
    
    Security experts and banking officials contacted for this story agreed
    that the vast majority of incidents go unreported. However, they said
    they aren't convinced that internal coverups by bank IT personnel are
    widespread.
    
    "I don't think that security incident coverups are common," said Joe
    Busa, an IT manager at Citizens Bank in Providence, R.I. "It is very
    hard to cover a mistake completely from your peers."
    
    According to Gartner analyst John Pescatore, all publicly traded
    companies are required by the Securities and Exchange Commission to
    report all events that could have a material effect on the business.  
    However, "there have been very few computer security incidents serious
    enough to be classified as a material event," said Pescatore.
    
    
    12 Layers of Adequate Security
    
    1. Chief security officer 
    2. OCTAVE methodology* 
    3. Authentication 
    4. Firewalls 
    5. Intrusion-detection systems 
    6. Virus scanners 
    7. Policy management software 
    8. Vulnerability testing 
    9. Encryption 
    10. Proper system administration 
    11. Active content filtering 
    12. Incident response plan/continuity of operations
    
    * Operationally Critical Threat, Asset and Vulnerability Evaluation
      methodology for conducting threat assessments. Developed by CERT
      Coordination Center, Pittsburgh. See
      http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf
    
    Source: Tom Kellermann, senior data risk management specialist, 
    The World Bank
    
    
    