Financial Services Roundtable Promotes Information Sharing
Blogger: Dan Blum
Just as King Arthur’s knights gathered around their roundtable to try to divine the future intentions of invaders and other threats to the realm, financial services and other enterprise organizations have a critical need to share information about emerging cybercrime threats and attacks. So it was that one day this fall in New York, I found myself at a private Wall Street roundtable meeting with leading thinkers from a number of large financial institutions (FIs).
Whereas the previous roundtable meeting I blogged about in the summer concerned general issues, the second meeting addressed predictive threat analysis. Attending were a number of Wall Street firms, the National Cyber Forensics and Training Alliance (NCFTA), the FBI and Burton Group.
The meeting started with a general introduction noting the evolution of the threat from script kiddies to organized crime to state-sponsored industrial espionage or low-grade information warfare activities. For example, the Russian Business Network (since gone underground, apparently) was a front for organized crime, a one-stop shop allegedly tolerated by the Russian government as long as it kept its attacks external. The speaker also noted that:
- China, France, Japan, Israel and Germany are similar in that they make no distinction between industrial espionage and national espionage. Some would argue the US is the same. Welcome to globalization!
- There has been good news and bad news for vulnerability management. iDefense says that OS vulnerabilities are generally down. On the other hand, there is now a thriving marketplace for vulnerabilities and the bad guys can find them.
- One thing hasn't changed - 85% of threats are still internal. One financial service had to surveil senior management after finding increased "rolodex activity" after executive departures. The company is working on ways to discourage or stop this behavior.
- Not all solutions are purely technical. With bad guys turning to pump and dump schemes against penny stocks, E*Trade lost $18M. But application developers at one bank were tapped to change the code on the web site so that customers have to call in low-priced stock trades, which are in any case a low revenue source for the company. This procedural solution was a decisive win against pump and dump schemes.
The NCFTA, a non-profit member-supported organization, described “Stock-Aid”, an information sharing service it provides for financial services facing pump & dump attacks. Through NCFTA, the banks share feeds with the bad guys’ IP addresses and the names of stocks that are being attacked.
Could the industry do more than just block cyberattacks and perhaps shut down the botnets they’re coming from? In the game of whack-a-mole, NCFTA provides a hammer. And the FBI’s Bot Roast operation took down two large botnets. But new botnets keep emerging.
A more productive approach is to catch criminals by following the money: NCFTA noted that eGold handed over all their data, PayPal cooperates, and so do many other organizations that have been used for money laundering. Unfortunately, criminals keep finding new places to hide in the money game; the latest ploy is to move money through online games like World of Warcraft.
The issue of information sharing is important to all industries, not just financial services. That’s why it’s so beneficial to participate in ISACA, BITS, I4 and other organizations. The warriors of information protection can either band together and share information like King Arthur’s knights, or risk falling into a dark age of cybercrime.

