
security drivers

November 29, 2007

CDO-my! Will IT get “SOX”ed again?

Blogger: Diana Kelley

Remember when Enron and WorldCom were melting down? When the venerable Sarbanes and Oxley came up with their now infamous bill? As an IT security professional did you have any inkling that these events would forever change our IT lives? Few of us did – until section 404 became woven into the fabric of most security professionals' lives.

SOX was meant to protect investors by providing them with real numbers in the annual report: numbers that could be used to realistically assess the health and financial projections of the corporations they were investing in. For IT folks it became an exercise in access control, logging, firewalls, and identity management. Few would support the assertion that Enron, Andersen, or WorldCom fell because their IT systems were not being managed properly – because a firewall wasn’t configured properly or a mail server went down. While evidence of some of the misdeeds could have been preserved by IT mechanisms (forced email archiving, for example), the bottom line is that if CEOs and CFOs are feeding bad data into the books and then forcing deletion of the real records, there’s not a lot the IT department can do about that.

Well, here it is, the end of 2007, and it seems we’re going back to the future, with investors once again getting bad information. This time around the problem centers on risky subprime lending, CDOs (collateralized debt obligations) and SIVs (structured investment vehicles). For more information on CDOs, Peter Eavis of Fortune provides a much clearer explanation than I could. These structures resulted in billions of dollars of losses at Merrill Lynch and Citigroup this fall and in the departures of Merrill's and Citi's CEOs. Reports indicate that Bank of America and HSBC are also at risk for significant losses.

Did investors have any clue that the financial institutions (FIs) were at risk for such heavy losses? It looks like the answer is no, because the full risk exposure associated with CDOs was kept off the balance sheet even though the FI is ultimately responsible if losses occur in association with the CDO.

Which to me would mean it was always a risk exposure and should have been on the balance sheet. But what do I know? I’m neither an economist nor an accountant.

But I am an IT security professional and I’m smelling something brewing here. If we in IT took a major hit from SOX/404, is it possible that the CDO meltdown is going to result in more work, regulations, and compliance fire drills for IT? I think it just might. For example, IT may be enlisted to help ensure that the databases or spreadsheets where the officially "off balance" information was kept are available, and that access to this data is audited and monitored. With any luck, though, we should be able to leverage our SOX work if new regulations hit the books after the 2007 CDO crisis.

For savvy IT teams, I recommend getting ahead of the curve by reviewing the audit and monitoring for accounting systems and key financial databases. Also, review access control and identity management for the employees and partners who have access to those systems. And finally, especially for FI IT teams, check on monitoring and archiving for all key communications channels. This includes SMS messages, email, VoIP, and IM. If proper controls are already in place, new legislation or audit rules should be a matter of mapping existing controls to them.

We’re living in a reactive world where legislation is written when new loopholes are exposed. This may be how financial and tax law is created, but in IT we don’t have to be in perpetual response mode. Be proactive about documentation and controls, and strive to be ready to map and support, rather than scramble and slide, when the next decree comes down.

September 05, 2007

Financial Services Roundtable Plans for Changing the Game

Blogger: Dan Blum

Once upon a time, King Arthur’s Knights of the Round Table gathered to plan the defense of the realm. So it was this summer near Wall Street, where I attended a private roundtable meeting with some leading thinkers from a number of large financial institutions (FIs). Just as England faced innumerable invasions and rebellions, so FIs currently confront a rising tide of attacks in these Dark Ages of cybercrime.

Today’s knights and ladies of information security from leading FIs attending the roundtable have become convinced that our desktop protection and consumer authentication models are broken, and have to change. They favor a paradigm shift towards strong endpoint execution controls and risk based (or contextual) authentication.

Not surprisingly, they have worrisome things to say about the evolution of the threat. One CISO noted that his organization has seen attackers impersonating OTC, IRS, and SEC officials in phishing attacks aimed at specific employees; externally, he estimates that as many as 25% of consumer workstations are compromised.

Security departments at major FIs generally aren’t lacking for funding or top-level support; executive management knows that they and their business model are always under attack. But they still face serious challenges in confronting the threat. There are issues with deploying defenses and with getting internal buy-in to follow security policies to the letter. For example: “Data leakage protection products are mostly about detection. They are big, noisy and not very useful. They tell you about the fire after the house has burned down, and you don’t have enough people to find the real fires and fight them amidst all the noise.” Meanwhile, attackers are always innovating, forcing FIs to adopt overpriced point solutions that don’t integrate well with their existing control environment. And after they are finally able to integrate, test and deploy point solutions, criminals always seem to find a new attack vector.

There was a palpable sense at the roundtable that the cybercrime situation is not under control, and we are not winning the battle. The CISOs and other leaders of information security in attendance feel some urgency about getting the industry to make fundamental changes in endpoint execution control and risk based authentication. I also heard issues on the technical management side that should be addressed. (Historians say the real King Arthur’s success in repelling invasion for a generation came not just from strength and unity of purpose, but also from superior organizational and logistical innovations). The following are some ideas we discussed together at the roundtable about endpoint execution control and risk based authentication, as well as my own thinking on security management frameworks.

The information security industry needs to change the game in three critical areas:

Endpoint execution control: FIs doubt that signature-based anti-malware can keep up, and are not overly hopeful about the behavioral detection algorithms every vendor seems to be touting. One CISO’s company had been hit by targeted attacks which the incumbent anti-malware vendor failed to detect. He favors a whitelisting approach for application control: “You can manage what you can control, you can control what you can describe. But the description has to be provided by the application vendor, and it has to provide enough contextual information for risk management.” At Burton Group, we’ve researched multiple whitelisting schemes for endpoint protection, including host intrusion prevention system (HIPS) vendors, Vista’s User Account Control (UAC) on a restrictive setting, and BeyondTrust Privilege Manager. We expect that significant progress can be made using whitelisting to safeguard enterprise desktops, but cleaning up the consumer workstation mess will be a harder nut to crack.
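To make the default-deny idea concrete, here is an added example (not Burton Group's code, nor any of the vendors' mentioned above) of a toy application-control policy engine: a binary runs only if an explicit allow rule describes it, deny rules win, and rules that describe the file by vendor-supplied information (hash, code-signing publisher) are preferred over where the file sits on disk. The rule kinds, the constructed policy, the publisher names and the sample binaries are all assumptions for illustration.

```python
"""Toy default-deny application control ("whitelisting") policy engine.

Added example, not Burton Group's or any vendor's code. An executable is
allowed only when some explicit allow rule describes it; deny rules always
win; anything undescribed is denied. Rule kinds, publisher names, sample
binaries and the policy below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes            # stand-in for the bytes that would be hashed on disk
    publisher: Optional[str]  # publisher from a verified code signature; None if unsigned


@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "publisher" or "path"
    value: str
    action: str  # "allow" or "deny"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Locations an ordinary user can write to (assumed list). An allow-by-path rule
# rooted here lets anyone who can drop a file there run arbitrary code, so such
# rules are ignored at decision time and reported by lint_rules().
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")


def is_user_writable_path_rule(rule: Rule) -> bool:
    return (rule.kind == "path" and rule.action == "allow"
            and rule.value.lower().startswith(USER_WRITABLE_PREFIXES))


def rule_matches(rule: Rule, binary: Binary) -> bool:
    if rule.kind == "hash":
        return sha256(binary.content) == rule.value
    if rule.kind == "publisher":
        return binary.publisher is not None and binary.publisher == rule.value
    if rule.kind == "path":
        return binary.path.lower().startswith(rule.value.lower())
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide(binary: Binary, rules) -> tuple:
    """Return (decision, reason). A matching deny rule wins over any allow rule;
    with no usable allow rule the answer is deny (default deny)."""
    matching = [r for r in rules if rule_matches(r, binary)]
    for r in matching:
        if r.action == "deny":
            return "deny", f"deny rule {r.kind}={r.value}"
    for r in matching:
        if r.action == "allow" and not is_user_writable_path_rule(r):
            return "allow", f"allow rule {r.kind}={r.value}"
    return "deny", "no matching allow rule (default deny)"


def lint_rules(rules) -> list:
    """Allow-by-path rules rooted in user-writable directories: a policy error."""
    return [r for r in rules if is_user_writable_path_rule(r)]


# Constructed policy. The C:\Users\ rule is the kind of mistake lint_rules() catches.
RULES = [
    Rule("hash", sha256(b"teller v1.0"), "allow"),
    Rule("publisher", "Bank Internal Software", "allow"),
    Rule("path", "C:\\Program Files\\", "allow"),
    Rule("path", "C:\\Users\\", "allow"),
    Rule("hash", sha256(b"trojan signed with a stolen key"), "deny"),
]

if __name__ == "__main__":
    samples = [
        Binary("C:\\Program Files\\Bank\\teller.exe", b"teller v1.0", "Bank Internal Software"),
        Binary("C:\\Program Files\\Bank\\teller.exe", b"teller v1.1", "Bank Internal Software"),
        Binary("C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", b"dropper", None),
        Binary("C:\\Program Files\\Bank\\helper.exe", b"trojan signed with a stolen key",
               "Bank Internal Software"),
    ]
    for b in samples:
        print(b.path, "->", decide(b, RULES))
    print("policy problems:", lint_rules(RULES))
```

The second sample shows why publisher rules matter: a patched teller.exe no longer matches its hash rule but is still allowed through the vendor's signature, while the unsigned dropper in a user-writable directory is denied even though a careless path rule nominally covers it.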

Risk based authentication should ride to the rescue. One CISO envisions simple authentication evolving into “risk based authorization with NAC [a security assessment of the client] and other contextual data.” We’re far away from that today in the consumer space and authentication tokens alone won’t help: one roundtable participant has already met institutional users who have boxes of tokens for different hedge funds. Could a managed service someday deliver more secure and convenient authentication across multiple FIs? One significant constraint was mentioned at the roundtable: “We are looking for authentication [tools or services] that cost less than a quarter per user.” Many FIs are already using passive risk analytics that don’t directly involve the consumer user and endpoint. Longer term more active risk analytics (such as issuing a real time challenge to the user) should be considered. And at the same time, keep watching the Internet authentication space, where a user-centric identity interop event at Burton Group’s Catalyst conference showed considerable progress.
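The passive/active distinction above is easier to see in code. The following is an added example, not Burton Group's or any FI's production logic: it scores a login from signals the server already holds (device familiarity, travel speed implied since the last login, IP reputation, transaction value) and maps the score to allow, step-up challenge, or block. The signal names, the IP reputation labels, the weights and the thresholds are illustrative assumptions.

```python
"""Toy risk-based (contextual) authentication decision.

Added example, not Burton Group's or any FI's production logic. Passive
signals (no user interaction) produce a score; only when the score crosses a
threshold does the user see an active step such as a real-time challenge.
Signal names, reputation labels, weights and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    ip_reputation: str   # assumed feed labels: "clean", "anonymizing_proxy", "botnet"
    lat: float
    lon: float
    timestamp: float     # seconds since epoch
    amount: float = 0.0  # value of the requested transaction; 0 for a plain login


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_timestamp: Optional[float] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def implied_speed_kmh(history, attempt):
    """Speed needed to reach this login from the previous one; None without history."""
    if history.last_timestamp is None:
        return None
    dist = haversine_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
    hours = (attempt.timestamp - history.last_timestamp) / 3600.0
    if hours <= 0:
        return float("inf") if dist > 1.0 else 0.0
    return dist / hours


def risk_score(history, attempt):
    """Passive analytics: a score and the reasons behind it, with no user interaction."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("unknown device")
    speed = implied_speed_kmh(history, attempt)
    if speed is not None and speed > 900:      # faster than a commercial airliner
        score += 40
        reasons.append(f"impossible travel ({speed:.0f} km/h)")
    if attempt.ip_reputation == "anonymizing_proxy":
        score += 20
        reasons.append("anonymizing proxy")
    elif attempt.ip_reputation == "botnet":
        score += 60
        reasons.append("botnet IP")
    if attempt.amount >= 10_000:
        score += 30
        reasons.append("high-value transaction")
    return score, reasons


BLOCK_AT = 80      # assumed thresholds
CHALLENGE_AT = 30


def decide(history, attempt):
    """Return (outcome, score, reasons); "challenge" is the active step."""
    score, reasons = risk_score(history, attempt)
    if score >= BLOCK_AT:
        return "block", score, reasons
    if score >= CHALLENGE_AT:
        return "challenge", score, reasons   # e.g. one-time code, call-back, secret question
    return "allow", score, reasons


def record_success(history, attempt):
    """After a successful login (including a passed challenge) the device becomes known."""
    history.known_devices.add(attempt.device_id)
    history.last_lat, history.last_lon = attempt.lat, attempt.lon
    history.last_timestamp = attempt.timestamp
```

A routine login from a known device scores zero and is allowed silently; the same user appearing an hour later in another continent on a new device is challenged rather than blocked, and once the challenge is passed the new device is recorded so the next login from it is passive again.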

Security management frameworks: Platform vendors need to stop trying to take over the world by locking customers into proprietary interfaces. Point solution vendors need to build to open platforms if there’s to be any hope of improving the FI’s ability to deploy innovations that confer lasting benefit against attackers. To illustrate the limitations, the roundtable estimated it takes roughly one year to roll out significant new security functionality, but just weeks or months for attackers to make inroads against it or learn how to go around it. Why should every security product have to duplicate console, agent, update mechanisms, workflow, event logging, reporting and more? The first step in getting to better defined security management frameworks is for the vendors and customers to understand security will continue to be a multi-vendor, best of breed endeavor (see our long tail of risk paper for justification of this theory). The most promising near term path to security management frameworks is to fast track common event formats, the Trusted Computing Group’s Statement of Health Protocol and other standards.
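One common event format already in use in 2007 is ArcSight's Common Event Format (CEF), so here is an added example (not Burton Group's or ArcSight's code) of a small CEF parser and a cross-vendor count built on it, to show what a shared format buys: the same few lines of handling cover a firewall's and a HIPS product's events. The two sample records and their vendor and product names are constructed, not captured.

```python
"""Parser for ArcSight's Common Event Format (CEF).

Added example, not Burton Group's or ArcSight's code. A CEF record looks like
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
where header fields escape '|' as '\\|' and '\\' as '\\\\', and the extension is
key=value pairs separated by spaces with '=' written '\\=' inside values.
The sample records below are constructed, not captured from any product.
"""
import re
from dataclasses import dataclass

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


@dataclass
class CefEvent:
    header: dict
    extension: dict


def _split_header(record):
    """Return (7 header fields, remaining extension text), honouring header escapes."""
    if not record.startswith("CEF:"):
        raise ValueError("not a CEF record")
    s = record[len("CEF:"):]
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s) and s[i + 1] in "|\\":
            cur.append(s[i + 1])        # escaped pipe or backslash
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, s[i:]


# A key is a run of key characters at the start of the extension or after
# whitespace, followed by an unescaped '='. An escaped '\=' inside a value does
# not match because the backslash is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape_ext(value):
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt == "n":
                out.append("\n"); i += 2; continue
            if nxt == "r":
                out.append("\r"); i += 2; continue
            if nxt in "=\\":
                out.append(nxt); i += 2; continue
        out.append(c)
        i += 1
    return "".join(out)


def _parse_extension(ext):
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[start:end])
    return result


def parse_cef(record):
    fields, ext = _split_header(record)
    header = dict(zip(HEADER_FIELDS, fields))
    if header["severity"].isdigit():          # CEF allows 0-10 or Low/Medium/High/Very-High
        header["severity"] = int(header["severity"])
    return CefEvent(header, _parse_extension(ext))


# Constructed sample records from two fictional vendors.
SAMPLE_RECORDS = [
    r"CEF:0|Acme|Firewall|1.2|100|Blocked outbound \| connection|7|src=10.1.2.3 dst=203.0.113.9 dpt=443 act=blocked msg=Policy id\=42 path C:\\temp",
    r"CEF:0|Globex|HIPS|4.0|EXEC-DENY|Unapproved executable|9|suser=alice fname=update.exe act=blocked",
]


def blocked_by_product(records):
    """Count act=blocked events per vendor/product: one rule, many products."""
    counts = {}
    for rec in records:
        ev = parse_cef(rec)
        if ev.extension.get("act") == "blocked":
            key = f"{ev.header['device_vendor']}/{ev.header['device_product']}"
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Because the parser handles the escaping rules once, the consuming logic (the count above, or a correlation rule) never has to know which product produced a record; that is the saving a common format offers over every product shipping its own console and log schema.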

In conclusion, it’s clear the industry has hard work ahead. It won’t be easy: as we’ve described in our Malware Predictions 2007 podcast, for example, malware will continue to be a tough enemy. Burton Group will continue exploring these areas and posting its ideas, and we would like your feedback. The roundtable will meet again. I’m confident that, over time, the industry can come up with some game-changing approaches.

Picture source: http://users.skynet.be/keltic/edit07.html