Webinar: Web Session Intelligence: A Key Ingredient for FFIEC Compliance
As banks, brokerages and other organizations are contemplating the best way to address the upcoming FFIEC requirements, there are several things that need to be taken into account. What is really “required”? What will be “enough”?
On October 26th, join me for a discussion about strategies for addressing the FFIEC guidance and how “Web Session Intelligence” can secure the navigation layer of your website as part of that strategy.
I’ll discuss an overall plan for addressing FFIEC, including what is likely to make your review by auditors more successful. We’ll also talk about how cyber criminals are finding new ways to attack websites – from abusing the registration flow to guessing customer email addresses and scraping data from intranets. Each request in these attacks is well formed and arrives over a valid session, so a web application firewall, an intrusion detection system, or any other mechanism that judges one request at a time does not identify them; only the pattern of behavior across the whole session gives them away. As you consider a defense-in-depth strategy for FFIEC compliance, protecting the navigation layer through web session intelligence should be at the top of your list.
Be sure to join me on October 26th at 10:00am PDT and register today: http://silvertailsystems.com/offers/FFIEC/intelligence.php
Follow Up to SEC Requiring CyberSecurity Reporting
As I talked about last week, it appears imminent that the SEC will start requiring public companies to report their cybersecurity postures as part of their quarterly filings. What I should have pointed out is that this is not much different from how the SEC requires organizations to report on disaster recovery and business continuity. Cybersecurity posture is likely the next phase of regulation that we all are going to have to address.
The big question is how cybersecurity posture will be defined. There are so many aspects that are critical to corporate infrastructures that it seems almost impossible to specify each of them. Even saying something like what the FFIEC said, that “companies should have a layered approach,” isn’t sufficient. That implies that two layers of protection are enough; depending on what those layers are, that may not be nearly enough. I’ll be curious to see how this gets defined.
FFIEC Guidance – How are Organizations Responding?
The FFIEC guidance has been available now for a couple of months. When it was first released, there was the usual furor around understanding what has changed, what is the same, and what organizations need to do to make sure they are covered.
Now that it has been out for a while, I’m wondering how organizations are responding. I’d like to hear comments on the following:
- Does your organization already meet the guidelines proposed? If not, …
- Has your organization already deployed a team to address the new guidelines?
- Do you think you’ll have solutions deployed by the January deadline?
Most organizations I talk to say that they are going to have a plan in place by January and they believe that will be enough to satisfy the guidelines. Given that the deadline was extended several times when the 2005 guidelines came out, is anyone planning on an extension this time?
It would be great to get your thoughts.
By the way – Silver Tail Systems hosted a webinar with Avivah Litan from Gartner about the FFIEC guidance. If you’d like to view the recording of this webinar, you can find it here: http://silvertailsystems.com/ffiec_guidance_and_multi-layered_fraud_protection/player.html
New FFIEC Guidelines Fall Short
With all the hype around the newly released FFIEC guidelines, I believe that the overall guidance recommendations fell a bit short in terms of implementing proactive technology. Guidelines such as these should keep pace with the current state of technology. They need to not only protect against a wide variety of threats, but also safeguard against attacks that have not yet been launched. Agility is key.
There is no doubt that the FFIEC guidance outlines recommendations for day-to-day threats and techniques for stifling these types of attacks, but what about addressing the threats of tomorrow? My worry is that the sophistication of attackers is advancing much more quickly than the technology, and that the security measures required to maintain a level of safety are not keeping up. With today’s threat landscape evolving so quickly, security measures need to keep changing with it. Agile, scalable and innovative technology is necessary to successfully stave off sophisticated attackers, and by truly investing in it, financial, federal and e-commerce institutions will be prepared to respond to cybercrime in real time and prevent crippling damage.
It’s apparent that the bad guys have lapped the good guys in the fight against online fraud, mainly because they are using state-of-the-art techniques to perpetrate fraud and they are constantly adapting. Zeus malware is a perfect example of how the bad guys have evolved into technological masters of their trade; Zeus goes beyond anything we could have conceived ten years ago. Unfortunately, we (a.k.a. “the good guys”) need to get serious about online fraud and catch up. We have the technology and know-how, but we are slow to respond. The gap between what we are doing to fight the bad guys and what we need to do has grown wide, and the guidelines have done little to shrink it.
Overall, financial institutions (like all others) need to focus on approaches such as continuous monitoring of networks and databases, outbound traffic filtering, and the like. While the updated guidelines are an initial step towards bettering the state of security for the financial industry, they are by no means a fix-all, and it’s imperative that we go above and beyond those guidelines to protect users and their critical data.
FFIEC: A Corporate Responsibility Baseline for Financial Institutions
The official Federal Financial Institutions Examination Council (FFIEC) guidance supplement was released last week, not only setting some initial ground rules for financial services organizations, but igniting considerable discussion around what is and isn’t lacking in this latest revision.
There are obvious areas with room for improvement: mobile security needs to be addressed, and the speed with which these guidelines are updated going forward needs to accelerate. Regardless, this is a positive step for the industry, and adherence to these guidelines is simply a part of corporate responsibility. So what will motivate financial organizations to adhere to these guidelines? The January 1, 2012 deadline is a start: examiners will begin formally assessing financial institutions against the supplement early next year, leaving organizations a small window of time to take action.
Federal regulators are finally beginning to work together to establish cybersecurity baselines. As online crime is an increasing concern, it is imperative that financial organizations protect the integrity of their systems and applications, as well as the customer data they are responsible for. By using the FFIEC guidelines as a starting point, they can begin to take the layered approach to security that is much needed.
I’m pleased to see that banks will be required to institute user-awareness programs for both consumers and business customers. Today’s cybercriminals are highly sophisticated, and it’s the responsibility of all employees (not just IT and security departments) to contribute to the multiple layers of security that keep the organization protected. Developing standards and pushing for policies, processes and legislation to be put into place is bound to make a significant impact on Internet security. These guidelines will help make everyone aware of what protections are and are not provided within their organization.
While there is considerably more focus on securing Web-based platforms and applications today, there is still a long way to go and we must continue to work together as an industry to combat the rise in cybercrime.
Webinar: Silver Tail Systems & Gartner Discuss Multi-layered Fraud Detection
With a number of recent high-profile data breaches in the headlines, and new FFIEC guidelines to address, financial institutions, e-Commerce companies and government organizations alike have a number of challenges ahead.
On July 14th, well-known Gartner analyst, Avivah Litan, will discuss how sophisticated malware attacks are rapidly shifting the Web fraud detection market landscape, making it necessary to adopt a multi-layered fraud protection strategy. With cybersecurity being a high priority for online financial institutions, Avivah will also address the newly issued FFIEC guidelines that are designed to help banks determine what technology investments to make in order to safeguard private networks and customers’ personal information from cyberattacks.
Avivah and Silver Tail Systems Co-founder and VP of Product Marketing, Laura Mather, PhD, plan to discuss new approaches to online security and how organizations should think about fraud prevention going forward. Together, they will share how several leading banks and e-Commerce organizations are proactively preventing fraud and abuse.
Join Avivah and Laura on the 14th at 10:00am PDT and learn to protect your organization against online fraud: http://www.silvertailsystems.com/offers/gartner/gartner.php
New FFIEC Guidelines Put Startups in the Lead
It’s been a long time coming, since 2005 to be exact. Last week the Federal Financial Institutions Examination Council issued a supplement to its Internet banking authentication recommendations. The newly issued instructions to regulated financial institutions focus on protecting high-dollar Automated Clearing House (ACH) transactions that have been targeted by savvy cybercrime groups that hijack business PCs in order to initiate fraudulent transactions. The FFIEC also instructs banks and financial institutions to focus their defenses on layered security controls that involve fraud monitoring; dual customer authorization through different access devices; out-of-band verification; and “positive pay,” debit blocks and other technologies to appropriately limit the transactional use of the account.
What I find most significant about these updated guidelines is that online security officials are enforcing policies that only fraud prevention startups, like Silver Tail Systems, can address. And according to the FFIEC, “Fraudsters have continued to develop and deploy more sophisticated, effective and malicious methods to compromise authentication mechanisms and gain unauthorized access to customer accounts.” Predictive analytics technology, applied to security, creates an ideal solution for identifying and stopping irregular behavior before it does any damage. I’ve seen first-hand where larger organizations try to stay ahead of the curve, but they just can’t keep up. With long development cycles and a hierarchy of approvals to be obtained, many large security providers hinder themselves in their mission to produce cutting-edge technology before the bad guys evolve further.
With the recent surge of cyber security issues plaguing financial institutions, I feel as though large institutions have not taken full advantage of the benefits this technology provides: until now. Silver Tail Systems’ suite of fraud detection and mitigation solutions allows banks to quickly identify and remediate exploits, saving significant resources typically spent on analysis and clean-up of damaged webpages. Utilizing advanced behavioral analysis technology, organizations can proactively safeguard against account compromise and fraud with web-traffic insights on the public-facing website and third-party applications. Overall, the new FFIEC guidelines are an important milestone in helping institutions take cybersecurity to the next level.
It’s About Time: FFIEC Releases New Guidelines for Financial Institutions
As I’m sure many of you have seen, it’s finally here: the financial industry’s most anticipated document. Just in time for Independence Day weekend, the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to its Internet banking authentication recommendations. Last updated in 2005, the newly issued 12-page document provides guidance to help banks determine what technology investments to make in order to safeguard private networks and customers’ personal information from cyberattacks.
I am glad to see online security officials continue to emphasize an important point: cybersecurity must be a high priority for online financial institutions. We can’t guarantee networks are completely bulletproof, but we can protect against cybercrime by ensuring that organizations are more proactive. 2010 saw a surge in data loss as a result of breaches, and 2011 has seen an astounding number of high-profile breaches already. I was pleased to see my stance affirmed when the FFIEC recommended that a multi-layered approach to security is critical in helping combat cyber threats in real-time.
One area of focus the document does not discuss in detail is the rise of mobile banking from smart-phones or tablets. Gartner analyst Avivah Litan also agrees with this point; the recent rise in malware and man-in-the-browser, man-in-the-middle and man-in-the-mobile attacks are particularly alarming. Retailers, banks and credit card providers all need to be aware of the potential dangers associated with mobile purchases, mobile banking, online transactions and more. With so much corporate functionality and data available through mobile devices, we are already seeing abuse of these functions and I only see this problem getting worse.
The FFIEC guidelines also fall a bit short in that they don’t talk about the threats that occur beyond authentications and transactions. Recent attacks have used functions of a website other than login or money transfer to steal data and harm the brand reputations of some of the world’s largest websites. It is critical for online financial institutions – as well as any other online entity – to start looking at ways their websites can be abused outside of login and money transfer.
It’s clear that financial institutions need to put preventative security in place and improve responsiveness to emerging and constantly evolving threats. One way to accomplish this is through behavioral and predictive analytics. By detecting and stopping threats in real time, no matter what part of the website they are attacking, we can minimize the impact of data breaches, mobile threats, man-in-the-middle and man-in-the-browser attacks, and whatever threats the attackers throw at us tomorrow and beyond. It’s great that the FFIEC supplement agrees on the importance of multi-layered security, and I’m interested to see how financial organizations will tackle this approach in a mere six months and how much impact it will have, given that the criminals have already found other ways to steal money, data, and brand reputation. Regardless, this is a step in the right direction, and I look forward to working with institutions to minimize the threat landscape.
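The abuse that this post and the “Web Session Intelligence” webinar post above describe (registration-flow abuse, guessing customer email addresses, scraping) consists of individually valid requests, so it only becomes visible when an entire session is judged as a unit. The following is an added example, not Silver Tail Systems’ code or product logic: a small Python script that groups a constructed access log by session cookie and flags three such patterns. The log format, the endpoint paths under /register, the thresholds and every sample log line are assumptions made for illustration.

```python
"""Session-level detection of navigation-layer abuse over an access log.

Added example (not Silver Tail Systems' code). Requests are grouped by
session and three signals that no single request reveals are computed:
email enumeration through the registration flow, skipping the first
registration step, and scraping. Log format, endpoint paths, thresholds
and the sample log are all hypothetical.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, NamedTuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical registration-flow endpoints.
CHECK_EMAIL = "/register/check-email"
REGISTER_START = "/register/start"
REGISTER_SUBMIT = "/register/submit"

# Illustrative thresholds, not tuned on real traffic.
ENUM_MIN_EMAILS = 5        # distinct emails probed ...
ENUM_WINDOW_SEC = 60       # ... within this many seconds
SCRAPE_MIN_REQUESTS = 20   # requests ...
SCRAPE_WINDOW_SEC = 60     # ... within this many seconds
SCRAPE_MIN_DISTINCT = 0.8  # ... of which this fraction hit distinct paths


class Event(NamedTuple):
    ts: datetime
    method: str
    path: str
    query: Dict[str, List[str]]


def parse_log(text: str) -> Dict[str, List[Event]]:
    """Parse '<iso-timestamp> <session-id> <method> <url> <status>' lines
    (a constructed format) into time-ordered per-session event lists."""
    sessions: Dict[str, List[Event]] = defaultdict(list)
    for line in text.strip().splitlines():
        ts, session, method, url, _status = line.split()
        parts = urlsplit(url)
        sessions[session].append(
            Event(datetime.fromisoformat(ts), method, parts.path, parse_qs(parts.query)))
    for events in sessions.values():
        events.sort(key=lambda e: e.ts)
    return dict(sessions)


def _windows(events: List[Event], window_sec: int) -> Iterator[List[Event]]:
    """Yield, for each event, the run of events starting there that spans <= window_sec."""
    for i, first in enumerate(events):
        j = i
        while j < len(events) and (events[j].ts - first.ts).total_seconds() <= window_sec:
            j += 1
        yield events[i:j]


def email_enumeration(events: List[Event]) -> bool:
    """Many distinct addresses probed at the 'does this email exist' endpoint."""
    probes = [e for e in events if e.path == CHECK_EMAIL and "email" in e.query]
    return any(len({e.query["email"][0].lower() for e in w}) >= ENUM_MIN_EMAILS
               for w in _windows(probes, ENUM_WINDOW_SEC))


def flow_violation(events: List[Event]) -> bool:
    """Final registration step posted before the flow was ever started."""
    started = False
    for e in events:
        if e.path == REGISTER_START:
            started = True
        elif e.method == "POST" and e.path == REGISTER_SUBMIT and not started:
            return True
    return False


def scraping(events: List[Event]) -> bool:
    """A burst of requests spread across mostly distinct pages."""
    return any(len(w) >= SCRAPE_MIN_REQUESTS
               and len({e.path for e in w}) / len(w) >= SCRAPE_MIN_DISTINCT
               for w in _windows(events, SCRAPE_WINDOW_SEC))


CHECKS = {"email_enumeration": email_enumeration,
          "flow_violation": flow_violation,
          "scraping": scraping}


def detect(log_text: str) -> Dict[str, List[str]]:
    """Return {session_id: sorted finding names} for sessions that trip a check."""
    findings = {}
    for session, events in parse_log(log_text).items():
        hits = sorted(name for name, check in CHECKS.items() if check(events))
        if hits:
            findings[session] = hits
    return findings


# Constructed sample log: one normal registration, one step-skipping session,
# one address-guessing session and one scraper.
SAMPLE_LOG = "\n".join(
    ["2011-10-26T10:00:01 s-legit GET /register/start 200",
     "2011-10-26T10:00:20 s-legit POST /register/check-email?email=alice%40example.com 200",
     "2011-10-26T10:00:45 s-legit POST /register/submit 302",
     "2011-10-26T10:00:46 s-legit GET /account 200",
     "2011-10-26T10:02:00 s-skip POST /register/submit 302",
     "2011-10-26T10:02:01 s-skip GET /account 200"]
    + [f"2011-10-26T10:05:{i:02d} s-enum POST /register/check-email?email=user{i}%40example.com 200"
       for i in range(0, 30, 5)]   # 6 distinct addresses in 25 seconds
    + [f"2011-10-26T10:10:{2 * i:02d} s-scrape GET /help/article/{i} 200"
       for i in range(25)]         # 25 distinct pages in 48 seconds
)
```

Calling detect(SAMPLE_LOG) reports email_enumeration for s-enum, flow_violation for s-skip and scraping for s-scrape, and nothing for s-legit, whose requests are individually indistinguishable from the abusive ones. Every check consumes the whole session, which is the property a per-request control such as a WAF signature lacks. In practice the grouping key would combine the session cookie with source IP, user agent and account, the thresholds would be tuned per site, and the registration-step ordering would come from the site’s own flow definition rather than a hard-coded pair of paths.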