CUInfoSecurity.com - Information Security News, Regulations, & Education

Just as quickly as the tweets came in asking for donations, so too came the cyber criminals looking to divert funds from legitimate charities to their own pockets....

Unbelievable how fast the New Year has flown by already. It seems like we're all trying to get 12 months worth of work done in one....

Think about it: Identity theft, fraud, regulatory compliance, vendor management, security awareness, risk management, privacy. These topics have no industry loyalty; they're common to all public and private organizations....

The FDIC's alert this week is a great example of what needs to be told to customers....

And so it was at the RSA Conference 2009 at the Moscone Center in San Francisco, an interview with a different security vendor every half-hour, on the half-hour, for 3-and-a-half days....

But on the other, can't you see that first lawsuit filed by a breached customer saying "Hey, you gave me this stuff and said my PC was safe ...?"...

If you pay attention to the popular news media, then your answer is 106. And you'd be partially right. That is the number of FDIC-insured banks to have failed this year - the most in any year since about two President Bushes ago....

What do these three topics have in common? They're the information security areas with the greatest potential for job growth, according to our new Information Security Today Career Trends Survey....

As December starts, already I'm talking with thought-leaders about what the world of information security might look like in 2010....

We should learn several lessons from the BB&T acquisition of Colonial:...

This week that all changed....

Norm Lorentz served as the federal chief technology officer in 2002 and 2003, working within the White House Office of Management and Budget. In that job, Lorentz focused on developing the federal IT enterprise architecture, in which information security was a crucial component....

As this morning dawns on San Francisco, so begins the 2009 edition of the RSA Conference.

As anyone in information security can tell you, this is the Mardi Gras, the Super Bowl, the event in the industry. It's where security professionals from all walks of the public and private sectors come to discuss the major threats and solutions of the day....

Once we accept that reality, the next challenge is to acknowledge that a certain amount of IT risk is a part of conducting business. Risks also come in many different forms. I'm often asked which is worse -- regulatory, policy or compliance risk? I believe it may actually be reputational risk....

The big question is: If your institution was hit with this kind of data breach that wasn't caused by your institution, would you be ready to respond?...

That said ... there really are some funny stories out there about attempted robberies!...

Almost exactly one year ago, I interviewed Charles Antonucci Sr., CEO of Park Avenue Bank. His institution was in the news because it withdrew its application for federal Troubled Asset Relief Plan (TARP) funds.

Last Friday, Park Avenue Bank was closed....

Today I'd like to talk about my favorite interviews of the year. And there have been a magnificent seven of those....

Have you had this conversation with your board lately?...

I made the mistake of popping open a browser today and loading my preferred news website, and it was sort of like the ultimate one-two punch that hit me with concussive force....

Edgar Allan Poe might be the conference theme, but the topic everybody is talking about? Government.

From financial regulatory reform and compliance to the Obama Administration on cybersecurity, attendees and sponsors alike all are talking about the convergence of the U.S. federal government and information security....

Without even considering the external threats that flaws in Microsoft Excel spreadsheets pose, including the yet unpatched zero day flaw Microsoft recently revealed in late February, the concern that many institutions may overlook is the potential for fraud perpetrated by employees....

Yet, increasingly today, you want people who can run security like a business, feel comfortable in maintaining a seat at the table and are willing to work with changing governance...

If I could boil down the event to just a couple of themes, they'd be......

This past Friday, as the annual RSA Conference concluded, I presented the results of our annual Banking Information Security Today survey to a surprisingly packed house of banking/security leaders, regulators, consultants and vendors....

In making her first public appearance since delivering her long-awaited cybersecurity review to President Obama last week, Melissa Hathaway took to the stage at the RSA Conference in San Francisco on Wednesday. And she did exactly what Treasury Secretary Timothy Geithner was criticized for when he made his first public appearance to discuss how the Obama administration would tackle economic recovery....

These criminal activities perpetrated by these individuals had a great deal of impact on the banking institutions - a different impact, in some ways, than the actual incidents had on the retail outlets....

First, have you checked out any of the new Bank Information Security Handbooks we introduced last week?

These electronic editions compile highlights of our content - articles, interviews, blog postings, agency alerts, etc. - in a unique format that gives you access to broad information resources from our ever-expanding content library. The goal is to put more information at your fingertips - help you make better-informed decisions. Humbly, I think we've succeeded....

That is the question of the summer, and the answer will be found in the results of our new Identity Theft Red Flags Rule Compliance Survey. The goal of this survey (which ends on Friday, June 27, hint, hint) is to take the pulse of the marketplace ......

I spent some time today looking back over all the articles we published (so far) in 2009. And that number is 891, by the way - an average of just over 17 per week, or three-plus per weekday. But the number that concerned me most is 10 - what have been the top 10 most popular stories of the year?...

However, I'm in a better position to forecast how it's likely to go down. We've started seeing final draft versions of Red Flags programs from our clients, and combined with the availability of the agencies' related examination procedures I'm developing a perspective not previously possible....

My 95-year-old great uncle remembers the 1919 school year as being abbreviated, cut short as a second round of infections that hit the central Indiana community where he and my maternal grandmother grew up....

If anyone gives an answer, it usually defines something technical - such as making sure your computer networks are secure so hackers can't in, or staying up to date with the latest patches for your anti-virus software. Afterwards I will explain that, yes, those things are indeed part of what makes up information security, but that there is so much more to it....

But who knows about Unique Industrial Product Co., a Sugar Land, Tex.-based company that lost $1.2 million to fraudsters this last April?...

Lehman Brothers, after being in the business for 158 years, is now to be referred to in the past tense. Yes, the biggest bankruptcy in history was filed yesterday, September 15, 2008. The day will go down in history for a couple of other reasons:...

Go to Google News and type in "banks, confidence" - see what results you get.

These words are top-of-mind for all of us, of course, in the wake of the IndyMac Bank failure . Customer confidence is almost like the stock market - on a daily basis, we wonder whether it's up or down.

Even where I live, in southern New Hampshire, one of our community newspapers, Foster's Daily Democrat, came right out last week and asked its readers: 'How confident are you in your local bank?' Not sure that's a fair question, as the newspaper really didn't give its readers any context in which to frame their answers. But, still, in a resulting news story, NH banking leaders were quick to distance themselves from the turmoil caused by the subprime mortgage crisis....

Question: How do you define a community bank?

Answer: When the CEO can walk out onto any street, be recognized and asked "What are you doing with my money?"

Suddenly, in the wake of recent bank closings, this old scenario leaps to mind, but now it's no joke....

Based on what we've been seeing and hearing out in the field, the examiners aren't letting anyone phone this one in any more....

The recent arrest of a former Countrywide employee in the insider identity theft case, where an estimated 2 million mortgage loan customers at mortgage lender Countrywide were taken, is just chock full of "but for the grace of God" examples for other financial institutions....

You'll have to forgive me for being so easily distracted by this headline, but social engineering is a topic of immense interest for me these days....

"Technically, we don't have a phishing problem," he was told....

But what are on my mind today are the big stories that no one seems to be talking about....

A few weeks back, near my home in New Hampshire, a would-be robber held up a local Citizens Bank branch, and he attempted to get away with an undisclosed amount of cash....

When I applied for a mortgage a few years ago, I was offered something outrageous. I've always worked, and I think financially I am a stand-up citizen. However, if I were to use the full extent of the mortgage I was offered, I don't think I would have been able to pay it off under normal, reasonable terms. Even with the stronger market at the time....

Since we first broke the news about the Heartland Payment Systems (HPY) data breach back on Jan. 21, this story has just dominated conversation in and about our industry.

On our site, the latest news updates and have proven enormously popular....

As I left my house this morning, the President was addressing us about the plan and why we should embrace it.

By the time I got midway to work, Citigroup had acquired most of Wachovia's assets....

Last week saw both the OCC and FDIC release their approaches to the Identity Theft Red Flags Rule examination procedures.

No huge surprises here. But what's interesting is when you review the somewhat understated aspects of the guidelines....

Unfortunately for some unlucky players (and their customers) in the financial services industry, they're on this year's list....

For some time, even those entrenched in Internet marketing and technologies struggled to define the term (brings to mind "GRC"), and nowadays it seems more appropriate to describe web 2.0 by giving examples of specific websites. For example, MySpace.com is a web 2.0 website....

The ID Theft Red Flags Rule, Business Continuity and Anti-Money Laundering have dominated the headlines - and banking/security priorities. But recent attention paid to Application Security has the potential to fuel one major fire drill in 2009....

Well, first a bit of background. First Pryority was founded in 1900 by W.A. Graham,...

We'll be talking the news of the day, a colleague and me, and the topic of H1N1, or swine flu will arise....

Just as the major banking regulatory agencies went before the Senate committee recently to deliver their "State of the Banking Industry" addresses, I was sitting back and starting to think about drafting the questions for our next State of Banking Information Security survey....

This is because I'm just now helping to put the finishing touches on our annual State of Banking Information Security survey, which helps us take the pulse of the banking/security community, so we can gauge the priorities for the year ahead.

Last year - the survey's first - we quickly determined that customer confidence was a huge topic for banking institutions, and see how that's played out this year....

On Tues., Jan. 20 - Inauguration Day - Heartland Payment Systems (HPY) President/CFO Robert Baldwin announced the company had been breached sometime in 2008.Heartland, which processes roughly 100 million transactions per month for 250,000 different businesses, says it discovered malware attached to its processing platform, and an undetermined number of consumers had their names and card numbers exposed to hackers....

Well, "when" was Thursday, and "what" arrived in the form of a new report from the U.S. Government Accountability Office (GAO), proposing a new framework for the discussion of modernizing what it calls the "outdated U.S. financial regulatory system."

Let the debate begin......

Sadly speaking, I knew what was coming next. Here were the findings from the audit they recently went through....

We were just days away from Aug. 1, the date after which the Federal Trade Commission (FTC) would start enforcing compliance with the Identity Theft Red Flags Rule.

Then came the announcement from the FTC that it's going to extend the deadline. Again....

OK, so I know some of you out there are still kinda dying to know, but don't dare to ask - what is Twitter?...

Just finished a new book, "Late Edition," by one of my favorite writers, Bob Greene. This is a touching, often funny memoir of Greene's days as a newspaper rookie in Columbus, Ohio in the 1960s....

And then, through the magic of podcasting, I get to share these conversations with you....

So much of what's required by regulation often presents itself as a documentation exercise and rarely transcends the theoretical domain into practical use. So, when it happens, when an institution needs to depend upon one of these documents to manage through the very situation it was intended to address, it's of great interest to the practitioner community....

When I hear information security professionals say they're overwhelmed with the amount of work that is having to be done to comply with such regulatory requirements, I think of what my grandmother always used to tell us when we grandkids were squabbling over something or tormenting our siblings - "Treat others as you would like to be treated; that's the Golden Rule."...

The negative side web users should consider before placing information on such social networking sites include the connection one MySpace page owner had to last year's Eliot Spitzer scandal....

After two months of anxious anticipation, today is May 19, the deadline Visa set for financial institutions to file fraud claims related to the Heartland Payment Systems (HPY) data breach.

So...now what?...

I see a disturbingly similar pattern now in the banking industry....

Interesting nuance in the Heartland Payment Systems breach this week. Did you read the article about Visa and the security update it's presenting to its network of processors? In one part of this presentation, Visa discusses myths and facts about PCI DSS compliance, and one of the clarifications made is: "No compromised entity has been found to be PCI compliant at the time of the breach."...

No doubt, the security controls from the 'green terminal' days are not a good fit for the Internet-enabled data centers! If we look back at the last 10 years (sorry, I know that's like 1869 in Internet years), the banking sector has made significant progress in instituting appropriate controls. Granted, at times this is due to the regulatory requirements - e.g., Thou shall strengthen authentication on Internet-enabled applications or Thou shall notify your customers when you suspect a breach. Nonetheless, speaking in broad terms - the progress has been made!

But that's not the point of today's discussion. Instead of worrying about the weaknesses, let's focus on some of the strengths of information security programs at financial services organizations....

Well, here's what one bank actually did about it....

As we tackle this wild economy, which has deflated the market, toppled institutions, written history ... it's time to hear from real people to gain real insights on the events that are reshaping reality for us all.

Consider this my open call, then. Banking leaders: I'd like to speak to you and hear your thoughts - share them with our audience - on how you and your institution are responding to economic events and strengthening your own customers' confidence....

Late last week I'd sent an email to the BIS (BankInfoSecurity.com) team suggesting that they consider publishing a piece about phishing. I've been getting clobbered with a wide-range of phishing emails over the past few weeks and thought it was noteworthy. It's not that I've been completely immune from receiving these in the past, but I've never had this many pass through my inbox in so short a period of time....

So, when I was having a conversation with the Managing Partner of my firm and touching on some of the more noteworthy details from the myriad meetings and activities that occurred during the week, there was one topic that surfaced a few times and it had nothing to do with current events....

It's just come to my attention that when President Obama revealed his administration's cybersecurity policy at the end of May, the document's introduction featured a prominent reference to an article published on our sites in February of this year....

Now I suspect this spring (or possibly even sooner) we're going to see some color of a different kind in D.C. - the color red....

In the wake of Washington Mutual's historic failure last week and the Wachovia takeover today, all anyone wants to discuss is the enormity of these events what they mean to the banking industry....

But there has been for our industry (financial services and information security in particular) a really big hanging chad question since Bush took office back in 2001....

Since first joining Information Security Media Group late last summer, one of my primary goals has been to debut a blog for BankInfoSecurity.com and CUinfoSecurity.com.

Today, proudly, I'm able to announce the launch of not just one blog, but five - with more to come in the months ahead - all of which you can subscribe to, ensuring you always stay on top of the latest, hottest conversations....

What happened last Friday with Addie Polk of Akron, Ohio, a 90-year-old homeowner who shot herself when the sheriff's deputies came to serve her papers from a mortgage sold to her by Countrywide, now makes her a symbol of the nation's home mortgage crisis....

Your customers may not even know your institution is examined for security compliance by the banking regulatory agencies, and so most likely will have never even heard about the ID Theft Red Flags Rule and the impending November 1 compliance date. That being said, the resulting preparedness by financial institutions to adhere to the Red Flags Rule and strengthen their position against identity thieves will hopefully have a resounding effect on said customers.

I'm convinced that if you asked the majority of people how their bank operates -- more specifically, how their bank operates in a "secure" manner -- they would be clueless. I have no caveats saying the general public has no concept of how their private information is kept private, and the steps financial institutions go through to secure their sensitive data. Some would tell me that the general public doesn't have to know, they shouldn't care how it is done, just that it ("security") is getting done and everything is being done to keep their sensitive data private. I think I would agree, however there is one ultimate security concern that consumers have. I'll explain below......

With the election of Barack Obama as the next U.S. President, we know who our nation's leader will be for the next four years. And with Democrats picking up additional seats as the majority party in both the House and Senate, we have a sense that Obama is going to have some congressional support for the change he's promised.

The real question is: What kind of change are we talking about for the banking industry?...

So, here it is - a question that has been on my mind since the very first time I saw my bank's name in the press, citing some sketchy details about a system compromise....

In the wake of recent news of IndyMac and other bank failures, it seemed safe to say that U.S. banking institutions were dealing with a bit of a crisis of confidence. I mean, I didn't imagine that line of anxious customers outside IndyMac, did I?

But then I got a recent note from a community bank CEO, who had a decidedly different perspective....

I was in shock, I could not believe such a headline made front page news on Digg.com. I didn't think anyone would believe me; I had to take a screenshot! OK, OK, I may be exaggerating a bit - however I can say that as much as I visit Digg.com, rarely do I see something that has implications to banking and information security make the front page. Perhaps a very topical story on phishing will make it, but it's rare to see a headline about identity theft with a particular bank being named - albeit a very large bank.

What's that you say? What is Digg.com again? As I stated earlier, technically I would say Digg.com is a social media website, falling into the realm of "web 2.0". More specifically, any person can submit any web page (in essence a headline and short description), and then other users can digg (vote for) the web page. The more diggs/votes the web page gets, the closer the listing moves to the front page. On very, very rare occasions, a web page will become so popular it makes it to the front page of Digg.com, and millions of people will see it....

Me? I'm thinking of the pace of failed banking institutions we've seen so far this year - and wondering just how much we're taxing the FDIC's insurance fund....

About a year ago, when I logged in to do some routine internet banking - check balances, transfer some funds - I was met by a new security page that wanted to better protect my assets....

One single institution's report of the number of cards compromised by the Heartland Payment Systems (HPY) data breach - 10,000....

It started on Monday evening, when I read an Associated Press story online about how the Bush administration ignored the developing problems in the financial markets....

Chuck Schumer's letters in late June to banking agencies inquiring about the stability and strength of IndyMac bank -- prior to the bank's takeover on July 11 by the FDIC - were pointed to as a contributing factor to the bank's failure....

Up to this point, as you know, whenever the FDIC has closed a bank this year, it's waited til after markets have closed for the week - let things settle over the weekend, and then the failed bank can reopen under its new flag on Monday.

But Washington Mutual is different. When a 119-year-old bank fails - the largest such failure in history - it happens on its own schedule, and frankly all the old rules go out the window....

We've talked a lot about the banking crisis over the past year - the differences between Wall Street and Main Street, and how all financial institutions are impacted in one way or another by fallout from the industry's "3 B's," Bailouts, Bernie and Bonuses....

With more people able to view our stories w/o first having to register or log in, that will enable more opportunities for folks to comment on our stories, which then fuels one of my favorite parts of this job: Reader response....

First Sheila C. Bair, the Chairman of the FDIC, touched on emerging guidance regarding third-party service providers in...

Now, here is a related story for all of you information security professionals out there who think you don't have to "study chapter 14."...

About another credit card processor that supposedly has been breached, exposing consumers and cards to potential fraud.

This news comes almost a month exactly after Heartland Payment Systems (HPY) went public with news of its data breach sometime in 2008....

It was a great read and illuminated many of the very same points I typically cover when working with clients on BCP....

It seems that the FBI is getting pretty clever at "blending" into the cyber criminal world. A tip of the hat goes to Shawn Henry, the FBI Cyber Division Assistant Director, and his team for turning the tables on this group of cyber criminals....

It is the sign of the times. Foreclosure rescue scams are on the rise, along with mortgage fraud....

The Internet Crime Compliant Center (IC3) says that reports of Internet-based crime jumped 33 percent in 2008, according to the group that monitors web-based fraud....

Just when you think you've seen the biggest bank failure in modern times in IndyMac, WaMu comes along and tops them all.

Just when you think you've seen the blackest of Black Mondays in your lifetime, a darker day dawns, and the stock market reels from a record plunge of 777 points....

It really shouldn't come as any great surprise, as polls like this one often reflect what's occupying everyone's mind, and these days it's all about the economy....

Helpless feeling, no?

That's why this week, in advance of the Thanksgiving holiday, we're prepared a news package focusing on some things you can control - what I'm calling The 5 Essentials of Banking Security in Tough Times....

When Bernard Madoff appears in court this morning, presumably to plead guilty to at least a portion of the fraud he committed in his $50 billion Ponzi scheme, the world will be watching....

Then came the global credit crunch, and it was worse. Reading the economic tea leaves, the feds in October swept in with a $700 billion economic relief package designed to bail out some of the nation's troubled financial institutions. So, then we saw:...

Since the previous weekend, the discussions over the barbecues and around the water-coolers have ranged from "How come we didn't see it coming?" to "Who's next?" and "How big is the FDIC's chest to take on these hits?" I don't know the answers to most of these ... all right, let me be honest - I don't know the answers to ANY of these questions....

Anxious because you have an upcoming regulatory exam?

Frustrated by the effects of the global recession, and wondering when the heck we're going to climb out of it?...

Well, PCI (aka, the Payment Card Industry Data Security Standard) equals compliance, compliance equals opportunity, opportunity equals revenue, and revenue is good -- particularly when working for a professional services firm....