http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,75584,00.html By DAN VERTON NOVEMBER 04, 2002 The number of organized hacking syndicates targeting financial institutions around the world is growing at a disturbingly fast rate. And so is the number of banks willing to pay these high-tech extortionists hush money to protect their reputations, according to a security expert at The World Bank. Cases in which banks, brokerage firms and other financial institutions have quietly paid hacking syndicates extortion money are "extremely widespread," said Tom Kellermann, senior data risk management specialist at The World Bank in Washington. Kellermann, who co-authored a study on the electronic security risks facing the global financial community, presented the findings during an Oct. 29 online seminar sponsored by Cable & Wireless Internet Services Inc. in Vienna, Va. The 127-page study details the growing security challenges facing the financial sector as a result of the industry's unprecedented dependence on the public telecommunications system, rapid adoption of wireless systems and outsourcing of operations to third parties. And the growing dependency on Internet technologies that are linked to sensitive back-end systems, such as customer databases and real-time stock data, has made online extortion a major "safety and soundness issue" for the financial markets, Kellermann said. 80% Go Unreported Kellermann cited reports from Framingham, Mass.-based IDC and Stamford, Conn.-based Gartner Inc. that indicate that roughly 80% of cybercrime incidents in the financial sector go unreported to law enforcement agencies. Moreover, he contends that IT employees keep many of these incidents from senior banking executives "due to the reality that they may be fired." Banks don't report these incidents mainly because they want to maintain customer and investor trust, according to Kellermann. At the same time, massive underreporting has created a vicious catch-22 for an industry that continues to struggle with dwindling budgets. "It has a magnifying effect because there's no actuarial data to justify the extra expense on security," said Kellermann. "We are losing this war." Budget issues have also led banks and other financial companies to outsource operations. But that can have disastrous consequences for hundreds of banks at once if the hosting company doesn't implement proper security protections, Kellermann said. He cited an incident last year in which hackers penetrated the systems run by S1 Corp., an Atlanta-based provider of electronic finance services to the financial industry. The incident led to the compromise of more than 300 banks, credit unions, insurance providers and investment firms simultaneously. Coverups Not Common Security experts and banking officials contacted for this story agreed that the vast majority of incidents go unreported. However, they said they aren't convinced that internal coverups by bank IT personnel are widespread. "I don't think that security incident coverups are common," said Joe Busa, an IT manager at Citizens Bank in Providence, R.I. "It is very hard to cover a mistake completely from your peers." According to Gartner analyst John Pescatore, all publicly traded companies are required by the Securities and Exchange Commission to report all events that could have a material effect on the business. However, "there have been very few computer security incidents serious enough to be classified as a material event," said Pescatore. 12 Layers of Adequate Security 1. Chief security officer 2. OCTAVE methodology* 3. Authentication 4. Firewalls 5. Intrusion-detection systems 6. Virus scanners 7. Policy management software 8. Vulnerability testing 9. Encryption 10. Proper system administration 11. Active content filtering 12. Incident response plan/ continuity of operations * Operationally Critical Threat, Asset and Vulnerability Evaluation methodology for conducting threat assessments. Developed by CERT Coordination Center, Pittsburgh. See http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf Source: Tom Kellermann, senior data risk management specialist, The World Bank - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 00:45:03 PST