Wst digital issue_2012_04


Transcript of Wst digital issue_2012_04

Page 1: Wst digital issue_2012_04

April 2012
Business Innovation Powered By Technology

UNDER SIEGE

Wall Street firms are under the constant threat of cyber attacks. But in today’s age of mobility, locking away data to keep it safe from hackers no longer is an option. p.10

PLUS:
Breaking Down the Threat Landscape p.4
Damage Control: 9 Steps to Containing The Fallout From a Breach p.5
10 Best Practices for Stopping The Insider Threat p.7
Pocket Protectors: How to Secure Mobile Devices p.12
Security Vendors’ Dirty Little Secret p.15
Balancing Security and Access Is the Key to Protecting Data p.18
Table of Contents p.2

Page 2: Wst digital issue_2012_04


April 2012 2 www.wallstreetandtech.com

April 2012

contents

COVER STORY
10 Threat Assessment: As cyber attacks grow increasingly sophisticated and the consumerization of IT introduces new enterprise vulnerabilities, Wall Street organizations must reassess their threat readiness and strengthen their defenses, starting with real-time monitoring.

UPFRONT
4 By the Numbers: A review of Verizon Business’s data breach cases reveals a growing global threat.
5 Breach Containment: A breach can happen to any company. Here are nine ways to limit the damage.
7 The Insider Attack: The CERT Insider Threat Center and the U.S. Secret Service offer 10 tips to stop insider attacks.

INDUSTRY VOICE
15 Data On the Move: As data proliferates outside the enterprise, encryption is the best way to secure it, argues Voltage Security’s Mark Bower.

PERSPECTIVES
18 Delicate Balance: The key to protecting data is balancing security and access, according to Alex Tabb, Tabb Group.

3 EDIT MEMO

PLUS:
12 The Mobile Dilemma: Mobile devices have boosted productivity — and risk.

Page 3: Wst digital issue_2012_04

from the editor

Mobile: Data Security’s New Frontier

Data security certainly isn’t a new concern for financial services firms. Security always ranks near the top of priorities for CIOs, CTOs, CSOs and CROs. The data security landscape, however, is changing at a faster pace, and the stakes are higher, than ever before.

Since the beginning of 2011, there have been more than 598,000 personal financial records exposed to potential fraud in 58 separate incidents involving financial services companies, according to the Privacy Rights Clearinghouse. While the total number of incidents and exposed records is down substantially from the 12.3 million records that were exposed by 604 breaches in 2010, the complexity of the attacks and the amount of money that has been lost is staggering.

For instance, in one attack against Fidelity National Information Services, a global provider of banking and payments technologies, millions of dollars literally went missing overnight. A group of criminals obtained 22 legitimate ATM cards and then duplicated and altered them so an unlimited amount of cash could be withdrawn with each. The cards were promptly shipped overseas, and a total of $13 million was withdrawn over just 24 hours.

This one incident highlights how damaging a data breach can be. In addition to the direct monetary loss, other costs — such as customer churn, reputation damage and regulatory fines — add to the costs.

Other incidents, while not leading to direct monetary losses, can be just as damaging. Nasdaq’s Director Desk, a cloud-based system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors, was hacked last year; the criminals may have had access to insider information, which they could have sold or used to make profitable stock trades.

While the types of data breaches are numerous, there is some good news: The average cost of data breaches has dropped by 24 percent, according to a study from the Ponemon Institute. This could partially be attributed to better security and an improved ability for firms to respond quickly to a breach. But, while the cost of a single breach might be on the decline, the rate of malicious attacks from malware, insider threats and phishing attacks increased by 31 percent, says the study.

Couple the growing complexity of attacks with users’ demands for greater access to data, and technology executives have their hands full. Not only do firms have to protect data from traditional hacks and insider threats, they also have to protect data that is going outside of their own firewalls. Internal users, including traders, portfolio managers and business executives, as well as external customers increasingly are demanding mobile access to proprietary data on tablets and smartphones.

The demand for greater access to data will not slow any time soon — users increasingly will expect to be able to trade, transfer funds and do almost anything else they can do on a PC from their mobile device. Firms that can’t offer mobile functionality because of security limitations will be at a serious disadvantage to competitors that can.

Greg MacSweeney, Editorial Director
@gmacsweeney

Page 4: Wst digital issue_2012_04

Outside Threats Dominated 2011 Breaches

A preview of Verizon Business’s data breach cases shows that malware and hacking are the top breach methods, and threats from outside the U.S. are growing.

By Kelly Jackson Higgins, Dark Reading

More than 85 percent of the data breach incident response cases investigated by Verizon Business, the telecom provider’s enterprise solutions group, in 2011 originated from a hack, and more than 90 percent came from the outside rather than via a malicious insider or business partner. Verizon published at the end of February a snapshot of data from its upcoming 2012 Data Breach Investigations Report, using data from its own caseload of approximately 90 cases from among 855 breach cases last year.

“This is the first year that we worked more cases outside the U.S. than inside,” says Wade Baker, director of research and intelligence at Verizon Enterprise Solutions. “That ratio has been building, and it makes the case that this is not a U.S.-specific problem. All regions are having data breaches.”

Near the top of the list of compromised industries again was financial services, which trailed only the retail sector and was followed by the hospitality industry. A big factor in this year’s breach cases was the rise in hacktivist-based attacks, Baker reports. Outside attacks jumped from 88 percent of breaches in 2010 to 92 percent in 2011, and breaches due to internal threats continued to decline, from just more than 10 percent in 2010 to less than 5 percent in 2011, according to Verizon’s data. “We can expect this trend to continue,” Baker says.

As for breach methods, hacking and malware, which both showed increases, were the top threats, while social engineering, misuse, physical threats, errors and environmental factors all dropped. The most commonly used venue for breaches was exploiting default or easily guessed passwords, which represented 29 percent of the cases, followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). “There were a lot of authentication-type attacks,” Baker says.

As for the targets, 90 percent of the breaches Verizon investigated went after servers. Nearly 50 percent targeted user devices such as desktops, laptops and POS terminals as a point of entry. “The user device serves as a foothold into the environment,” Baker explains.

Perhaps most alarming, most organizations found out that they’d been hit from an external source, usually law enforcement, according to Baker. And for nearly 60 percent of the cases, it took months before the organization learned that it had been hacked.

This article originally appeared on DarkReading.com, a UBM TechWeb property.

92% of attacks in 2011 originated outside the enterprise.

Page 5: Wst digital issue_2012_04

9 Ways to Contain the Fallout From a Data Breach

Companies can take an array of approaches to owning up to data breaches, ranging from secrecy at all costs to total transparency. What’s the best way to mitigate the fallout?

By Mathew J. Schwartz, InformationWeek

Data breaches are a fact of business life. But beyond keeping a data breach response plan at the ready, how can IT departments best prevent and mitigate data breaches? Start here:

1. Put a good information security program in place. According to a recent study from the Identity Theft Resource Center, the greatest number of 2011 data breaches were triggered by hackers, and in the first month of 2012, new breaches appear to be following suit.

2. Enforce strong passwords. In January, shadowy hacktivist group TeaMp0isoN uploaded to Pastebin a list of about 80 T-Mobile employees’ usernames, passwords, email addresses and phone numbers. Interestingly, many of the T-Mobile passwords, if they were actual passwords, were simply “112112” or “pass.” In its Pastebin post, TeaMp0isoN — which reportedly worked with Anonymous on the recent credit card wealth-redistribution scheme known as Operation Robin Hood — called out the apparent password non-variety. “Look at the passwords, epic fail. All the passwords are manually given to staff via an admin who uses the same set of passwords.”

3. Hide breaches at your peril. Symantec in January confirmed that Norton source code leaked earlier in the month by hackers was genuine. But Symantec downplayed the incident, saying the code, from two of its older products, had been stolen from a third party. In other words: It was old code, there’s nothing to see, everyone move along. Except that just two weeks later, Symantec came clean and admitted that the code to its flagship Norton product had been stolen back in 2006, Reuters reported. That raises the possibility that anyone in possession of the source code back then may have found ways to use Symantec’s security software to compromise users’ machines.

4. Gauge breach-notification speed carefully. After discovering a breach, businesses must balance the need to gather as much information as possible with issuing a timely and clear notification. “Transparency is key to maintaining relationships with customers and regulators,” Ted Kobus, national co-leader of the privacy, security and social media team at law firm Baker Hostetler, said in a blog post. “Be certain you understand the scope of the breach before making an announcement.”

5. Expect data to be breached. Plan for this

Page 6: Wst digital issue_2012_04

worst-case scenario: all data stored by your business gets exposed. So what should happen next, and how can that scenario be best prevented? “There is no silver bullet for security, so you need to plan for the eventuality of a data breach, and it’s going to be critical how you respond to it afterwards — and not just with legal indemnifications and credit monitoring,” says Lawrence Pingree, research director at Gartner. “Most companies are offering credit monitoring after these data breaches, but most of these only last a year or two — and who’s to say the data will be gone in a year or two?”

6. Encrypt all sensitive data. Data breach notification laws exempt businesses from having to issue notifications if the exposed data was encrypted. Accordingly, whenever possible, encrypt all data in transit, as well as at rest. “Encryption is not only a safe harbor, it is expected by customers and regulators,” said Baker Hostetler’s Kobus.

7. Expire your own data. If stolen data has no expiration date, then it’s up to businesses to delete their own data. Both Honda Canada and Sony were caught last year after hackers stole outdated customer information that each company had failed to delete. The breach at Honda appeared to put the company in violation of Canadian privacy law, which requires companies to delete any personal information that’s no longer required. Arguably, however, all businesses should follow that practice.

8. Beware social engineering. When it comes to low-cost, high-impact strategies for stealing sensitive data, attackers have become well-versed in the art of the social engineering attack. “Social engineering tools are being used creatively to gain access to personal information,” said Kobus. Accordingly, keep training all employees who handle sensitive information in the art of detecting and resisting scam phone calls and emails.

9. Demand data discovery services. Breached data has a habit of ending up everywhere, from black market carding sites to peer-to-peer networks. While the data could theoretically be expunged, first it must be found. Accordingly, expect related, commoditized services to follow soon. “The strategy moving forward ... is to have services that will go after that data and provide insight into where the data is located,” says Gartner’s Pingree. “Even Google could get into this sort of technology. They have the search capability; they just need to start looking at data and indexing data with the ability to compare host data and web data, and include P2P networks in their indexing.” While such services aren’t yet available, with data breaches showing no signs of abating, expect to see such services emerge soon.

This article originally appeared on InformationWeek.com, a UBM TechWeb property.

Fallout Containment

1. Put a good information security program in place.
2. Enforce strong passwords.
3. Hide breaches at your peril.
4. Gauge breach-notification speed carefully.
5. Expect data to be breached.
6. Encrypt all sensitive data.
7. Expire your own data.
8. Beware social engineering.
9. Demand data discovery services.

Page 7: Wst digital issue_2012_04

The 10 Best Ways to Stop Insider Attacks

The threat of insider attacks is real. The CERT Insider Threat Center and the U.S. Secret Service offer tips on the smartest ways to detect, block and investigate insiders with malicious motives.

By Mathew J. Schwartz, InformationWeek

What’s the best way to spot and block insider attacks? Start by putting an insider attack prevention program in place, according to Dawn Cappelli, technical manager at Carnegie Mellon University’s CERT Insider Threat Center, who spoke in February at the RSA conference in San Francisco. Cappelli is co-author, with Andrew Moore and Randall Trzeciak, of the recently released “The CERT Guide to Insider Threats.”

Working with the U.S. Secret Service, Cappelli and company have reviewed hundreds of hacking cases to deduce how businesses can better block a greater number of malicious insiders. Here are their top 10 recommendations for spotting and stopping insider attacks before they get out of hand:

1. Protect crown jewels first. To put an effective insider-threat program in place, first ask: What’s the single most important piece of information in your company? “We’ve worked with a number of organizations, and they tell us everything is important,” said Cappelli. “So we say, what’s the one thing that if someone took it to a competitor, or out of the United States, would be worth millions — or billions — of dollars?” Then secure it, preferably not just with encryption, but also by restricting access, as well as logging and monitoring who touches that data.

2. Learn from past attacks. Don’t let insider attacks — successful or otherwise — go to waste. “If you experience an attack, you’re not alone, but learn from it,” said Cappelli. She cited a case of a financial firm that happened to catch an employee trying to steal its trading algorithms. Seeing a weak point, the security team put new controls in place to explicitly watch for similar types of attacks. Thanks to the improved security, the firm later caught another employee who was trying to copy the algorithms to his personal email account and an external hard drive.

3. Mitigate trusted business partner threats. Who has access to your business’s sensitive information? Although that list will include employees, other “insiders” will be trusted business partners, who might enjoy equal levels of access with less accountability — and opt to take sensitive information with them when they switch to a new employer. “The good news is, if they take it to a competitor in the U.S., there’s a good chance that they may report them to law enforcement and

One of the biggest insider-theft-prevention lessons to learn is that technology alone often won’t block attacks.

Page 8: Wst digital issue_2012_04

they’ll get it back,” Cappelli said, since most will want nothing to do with trade secrets. The bad news is that one-third of all intellectual property theft cases result in the information being taken outside of the United States, at which point recovering the data becomes unlikely, if not impossible.

4. Make suspect behavior cause for concern. Watch for human-behavior warning signs. Indeed, in reviewing numerous cases of insider theft, Cappelli said, concerning behaviors were the fourth most likely sign that there was an inside-theft issue. “We usually call these people as being ‘on the HR radar,’” she said. Accordingly, watch for warning signs, and have a response plan in place for when such signs are spotted.

5. Train employees to resist recruiters. “Many employees who commit fraud are recruited from outside,” said Cappelli, and insiders often say they’re not committing a crime, but rather just giving data to someone else, who then commits a crime. Alter such thinking by creating clear, related security policies and broadcasting the fact that all data access is audited. Cappelli offered this sample boilerplate: “We log everything that everyone does here, and the evidence is going to point to you.”

6. Beware resignations, terminations. Most insider attacks occur within a narrow window. “The good news about [insider] crime, theft of intellectual property, is that most people who steal it do [so] within 30 days of resignation,” said Cappelli. (The exception is fraud, which — as long as the attacker is making money — can continue indefinitely.) In other words, malicious insiders are most likely to strike 30 days before or after they leave. Accordingly, keep a close eye on departing or departed employees, and what they viewed. “If someone resigns who had access to your crown jewels, you need to go back and proactively investigate that,” Cappelli advised.

7. Apply current technology. How can businesses take their current technology and use it to spot suspected insider theft? “A lot of people spend a lot of money on tools, on technologies, and most of those tools are focused on keeping people outside of your network,” said Cappelli. “What we’ve found is that you can use those same tools, but differently,” to watch for information that may be exiting your network. Centralized logging tools can be used to spot signs of data exfiltration — for example, if a “departing insider” has sent an email in the past 30 days to someone outside the corporate domain that exceeds a specified file size.

8. Beware employee privacy issues. When creating an insider-theft-prevention program, always work with your company’s general counsel, because privacy laws vary by state and country. “There are a number of issues regarding employee privacy — I know they can be

Stopping the Threat Within

1. Protect crown jewels first.
2. Learn from past attacks.
3. Mitigate trusted business partner threats.
4. Make suspect behavior cause for concern.
5. Train employees to resist recruiters.
6. Beware resignations, terminations.
7. Apply current technology.
8. Beware employee privacy issues.
9. Marshal forces.
10. Get started.

Page 9: Wst digital issue_2012_04

overcome, but it has to be done very carefully,” said Cappelli.

9. Marshal forces. As with many aspects of security — including data breaches — businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combating cases of suspected insider threats, include “HR, management, upper management, security, legal, software engineering — you need to involve all of those organizations — and of course IT and information security,” Cappelli asserted.

10. Get started. Perhaps the most important insider-threat tip is simply to get a program in place as soon as possible. Creating such a program takes time, according to Cappelli. Perhaps the best place to start, she said, is to get buy-in from senior managers. One business with which she recently worked gathered all 23 of its c-level managers in a room for two days, during which time they created an insider-threat program from the ground up.

One of the biggest insider-theft-prevention lessons to learn, Cappelli noted, is that technology alone often won’t block such attacks. A corollary to that, meanwhile, is that by combining proper policies and procedures with awareness and having an insider-theft reaction plan already in place, businesses can more quickly combat suspected attacks. Because whether it’s a question of preventing IP from leaving the building or spotting fraudulent activity, “Our goal is to stop an insider as soon as possible,” Cappelli said.

This article originally appeared on InformationWeek.com, a UBM TechWeb property.
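
Tips 6 and 7 of the insider-threat article describe using centralized logs to flag a departing insider who sends a large email outside the corporate domain within 30 days of resigning. The following is an added example, not code from the article or from CERT, that runs that check in Python; the log format, mail domain, HR feed and 5 MiB size threshold are assumptions, and all sample records are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

CORPORATE_DOMAIN = "example-corp.test"  # assumption: the firm's mail domain
WINDOW = timedelta(days=30)             # the 30-day window cited in tips 6 and 7
SIZE_LIMIT = 5 * 1024 * 1024            # assumption: "specified file size" = 5 MiB

# Constructed HR feed: mailbox -> resignation date.
DEPARTURES = {
    "jdoe@example-corp.test": datetime(2012, 3, 15),
    "asmith@example-corp.test": datetime(2012, 1, 10),
}

# Constructed mail-gateway export (hypothetical format):
# timestamp, sender, recipients separated by ';', message size in bytes.
SAMPLE_LOG = """\
2012-03-01T09:12:00,jdoe@example-corp.test,boss@example-corp.test,9500000
2012-03-02T22:41:00,jdoe@example-corp.test,jdoe.home@mail.test,18400000
2012-03-03T08:05:00,jdoe@example-corp.test,friend@mail.test,42000
2012-03-04T19:30:00,JDoe@Example-Corp.test,ops@eu.example-corp.test;x@example-corp.test.mail.test,7300000
2012-03-05T10:00:00,asmith@example-corp.test,asmith@mail.test,25000000
2012-03-06T10:00:00,bwong@example-corp.test,bwong@mail.test,30000000
2012-03-07T10:00:00,jdoe@example-corp.test,jdoe.home@mail.test,not-a-number
"""


def is_external(address, corporate_domain=CORPORATE_DOMAIN):
    """True unless the address is in the corporate domain or a subdomain of it.

    Matching on the full domain (not a substring) keeps look-alikes such as
    'example-corp.test.mail.test' from being treated as internal.
    """
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    internal = domain == corporate_domain or domain.endswith("." + corporate_domain)
    return not internal


def find_exfil_candidates(log_text, departures, size_limit=SIZE_LIMIT, window=WINDOW):
    """Return (alerts, skipped): large outbound mail from departing staff.

    A message is flagged when the sender is on the departures list, the
    message was sent within `window` before or after the resignation date,
    at least one recipient is external, and the size exceeds `size_limit`.
    """
    alerts, skipped = [], 0
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        try:
            ts_raw, sender, rcpts, size_raw = row
            sent_at = datetime.fromisoformat(ts_raw)
            size = int(size_raw)
        except ValueError:
            # Malformed record: count it so gaps in coverage are visible.
            skipped += 1
            continue
        sender = sender.strip().lower()
        resigned = departures.get(sender)
        if resigned is None or abs(sent_at - resigned) > window:
            continue
        external = [r.strip() for r in rcpts.split(";")
                    if r.strip() and is_external(r)]
        if external and size > size_limit:
            alerts.append({
                "sent_at": sent_at,
                "sender": sender,
                "external_recipients": external,
                "bytes": size,
                "days_from_resignation": (sent_at.date() - resigned.date()).days,
            })
    return alerts, skipped


if __name__ == "__main__":
    found, bad = find_exfil_candidates(SAMPLE_LOG, DEPARTURES)
    for a in found:
        print(a["sent_at"].isoformat(), a["sender"], "->",
              ", ".join(a["external_recipients"]), a["bytes"], "bytes,",
              a["days_from_resignation"], "days from resignation")
    print("skipped malformed records:", bad)
```
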


Be Prepared... Data-centric security: the best protection against emerging forms of advanced security threats

Back in the good old days, when information security was largely an IT issue, the tech folks mainly concerned themselves with keeping 'boundaries' around business data. Not anymore! Today, as even the least tech-savvy CEOs will attest, the rapid adoption of cloud and mobile computing, along with the overall consumerization of IT, has caused traditional data 'boundaries' to become fluid, even nonexistent. The data that hackers target is everywhere, from a server to an iPhone.

This is why we here at Voltage talk so much about data security - it's a world away from the traditional layered approach of putting one barrier after another on the basic data 'containers'. In today's business world, the data doesn't remain in the containers very long; it is in constant movement, and the bad guys are now smart enough to follow it.

Protecting private and sensitive data in a cloud-driven and mobile world requires dedicated resources and has become a vital part of corporate strategies. Not just to comply with country and industry regulations, but also to protect the brand and the business.

Essentially, businesses now need to think about data protection from a data-centric point of view.


Page 10: Wst digital issue_2012_04

The growing sophistication of cyber attacks and the proliferation of vulnerabilities resulting from the rise of mobile computing are forcing financial institutions to rethink data security and embrace new fraud-fighting techniques and technologies, including real-time monitoring.

Data security has long been a priority for financial services firms. But a wave of very public cyber attacks by international hacker groups such as Anonymous, combined with an already distrustful public following the financial crisis, has forced financial services firms to step up their network security to prevent data breaches and regain clients’ trust. While victims of some of the more notable attacks and data breaches of 2011 were large consumer companies and government agencies — including Sony, PBS, the U.S. Senate, and even the CIA and FBI — security experts say financial services firms, traditionally a popular target of fraudsters, are increasingly a target of criminal hackers.

Citibank, for example, discovered a data breach on May 10, 2011, from a hack attack, the consumer fraud website PrivacyRights.org reported. Two weeks later, Citigroup officials concluded that the data the thieves had captured included the names, account numbers and email addresses of about 360,000 customers.

“The reality is that the people who are looking to commit fraud are targeting anybody who has Internet access to applications to allow money to be moved,” comments Ben Knief, vice president at Nice Actimize, a provider of financial crime, risk and compliance solutions. Outside of the retail banking area, hackers could target asset managers, wealth managers, even investors who have access to online assets, relates Knief.

Page 11: Wst digital issue_2012_04

And, security professionals say, cyber attacks have become relentless — and more sophisticated than ever. According to reports, hackers can even purchase crime-ware kits on the Internet based on the number of machines they want to infect for as little as $400 to $700.

While five years ago financial services firms mainly saw hackers using “relatively simplistic methods to target customer accounts, attack patterns have shifted,” says Lou Steinberg, CTO at TD Ameritrade. In addition, many hackers, such as Anonymous, now have social agendas, he notes.

Hackers, according to Jason Milletary, technical director for malware analysis on the Dell SecureWorks’ Counter Threat Unit (CTU) research team, a provider of security information services to financial firms, use a variety of techniques to distribute malware — malicious code on computer systems designed to steal personal information and passwords or to take control of the machine for distributing spam without the owner’s knowledge. They may leverage social engineering (by making an email appear to come from a friend or colleague to entice the user to open the document, for example) to try to get users to reveal passwords. Hackers also look to exploit weaknesses in applications to steal clients’ credentials.

“We see an evolution of the malware so they can elude detection,” says Milletary. The top malware threat experienced by the 900 financial customers that use Dell SecureWorks’ intrusion prevention system, he reports, is Black Hole, a type of crime-ware developed in Russia to hack computers via malicious scripts planted on compromised websites.

“Now we see much more sophisticated organized rings that profile us and the other financial services institutions. They try to understand where we might have weaknesses,” TD Ameritrade’s Steinberg says. “Hackers are playing offense, and we are playing defense.”

Keeping Up With the Mobile Threat

As a result, financial services IT departments are shoring up their defenses, using security technology more proactively than ever before to protect their clients’ assets and corporate secrets. But preventing cybercrime has become more challenging for banks and Wall Street firms as they increasingly offer new products via mobile devices, including Apple’s iPad.

“The attack surface has gotten broader and more complex,” explains Steinberg, who points out that hackers now can penetrate the perimeter via the web, mobile devices and even voice-over-IP telephony networks. “As banks and online brokers offer bill payment and more new products via mobile devices, that opens up new opportunities for a fraudster to take advantage of,” he says.

To protect customer data, historically, IT and security departments looked at putting barriers around data, differentiating between what was inside the company versus what should be kept outside. “If data was on laptops and portable devices, it had to be encrypted,” says Chet Wisniewski, senior security adviser for security software firm Sophos. “And if it was inside [the firewall], they didn’t need to encrypt it because it was in a vault.”

With the explosion of the mobile channel, however, that is an artificial approach that no longer works, Wisniewski contends. “As soon as we start carrying out these phones and tablets,

Page 12: Wst digital issue_2012_04

there is no inside and outside,” he says, notingthat employees may be sitting in an airport ora Starbucks while accessing data. Complicatingmatters further, Wisniewski adds, companiesare looking at moving data into the cloud as acost savings measure, so data is freely movingbeyond the enterprise. (For more on mobile device security, see related sidebar, this page.)Since the boundaries between what’s inside

the company and what’s outside the company are blurred, financial services firmsare shifting their approach, according to Wisniewski. Now they seek to determinewhich data is sensitive and to ensure that it’sprotected. “Regardless of whether the data ison a PC desktop inside your building or on aniPhone, the approach is, you classify the dataas to its importance and make sure it’s protected, and that gives you the ability tomake it portable,” says Wisniewski.Not all data is the same, adds TD Ameri-

trade’s Steinberg. With so much data, and somany ways to attack it, TD Ameritrade classi-fies data based on its sensitivity, he says.“Knowing my favorite flavor of ice cream isnot the same as knowing my Social Securitynumber, and so different levels of protection

www.wallstreetandtech.com

coverstory

As a result, banks must monitor the appli-cations on the mobile device as well as onthe corporate server. “The piece that’s sit-ting on the mobile app is making requestsback to an application server at the bankthat is processing your requests,” Callahanexplains. “You have to make sure that thoseapplications are safe and secure.”Another way to protect corporate data

on mobile devices is to educate employ-ees to make sure that the built-in securityprotection mechanisms are not removedfrom these devices. On Apple devices, ITdepartments need to instruct employeesto avoid “jailbreaking,” which removes thesecurity measures built into the devices.“They are there to prevent you from load-ing apps without going to the approvedApp Store,” explains Wisniewski, whonotes that for Android devices the processis called “rooting.” “Removing that secu-rity mechanism allows you to load thingson your phone away from what [the

(continued on next page)

With millions of consumers carrying iPhones and Androids in their pockets, smartphones already are targets of cyber attackers. But now employees of Wall Street firms are getting emails and viewing spreadsheets on the go, so corporate data is moving onto the smart devices as well. “It’s a very challenging problem,” says Chet Wisniewski, senior security adviser at Sophos. Productivity has gone up by virtue of employees working on their smartphones and iPads into the evening and on the weekend, he adds, so IT departments need to find ways to enable a mobile workforce rather than simply say, “No.”

Mobile devices are a path into the enterprise, adds Michael Callahan, VP of enterprise security products at HP, which offers a real-time application monitoring solution. “If you have a mobile device and the bank’s app is on there, if the app has a vulnerability, the attacker exploits the app,” he warns. “Once they have control over the device, they now can gain access to your accounts.”


Page 13: Wst digital issue_2012_04

get assigned to different levels of information,” illustrates Steinberg. “If you try to protect everything, you protect nothing. What we’d rather do is classify our information and assign our best controls — our best protective measure — against the most important, most sensitive data.”

The Real-Time Monitoring Imperative

But even after classifying sensitive data, protecting it requires more than firewalls and encryption, argues Lance James, director of intelligence at Vigilant, which provides managed security monitoring services. According to James, firms need what he calls a “holistic approach” to security, which means employing multiple technologies — not just firewalls, but monitoring. “You want to optimize and monitor because threats change,” says James, who works on the company’s collective threat intelligence (CTI) product. “We are focusing on what the emerging threats are and building rules and content to monitor all devices on their network,” he explains.

“It’s definitely a big thing now to have visibility into your network,” adds James, acknowledging that “there is no silver bullet” for preventing breaches. While firewalls were the big thing in the 1990s, “Threat intelligence is the biggest thing now,” he continues. Offered as software as a service, Vigilant’s CTI is used to create rules to help firms identify threats.

The CTI feed, James explains, integrates with a company’s security event manager (SEM) — also known as a security information and event manager (SIEM) — a tool that centralizes the storage and interpretation of all logs and events from software running on the network. While Vigilant offers its own centralized log management console through which all devices are monitored, it also works with other SEMs, including Hewlett-Packard’s top-selling ArcSight SEM, according to James.

Other vendors recommend real-time monitoring of patterns to detect cyber attacks. TD Ameritrade’s Steinberg says behavioral solutions, such as device fingerprinting and profiling how clients do business with the firm, have begun to mature. “We can look for patterns that are not typical,” he explains. “If a client started wiring money to Kuala Lumpur, and they never sent money before through the wires, that would be unusual, and we would want to do additional authentication profiling


manufacturers] have approved,” he says. But, “It does weaken the security.”

Recently, financial services firms have begun sending their customers text messages with a secondary authentication code when they wire funds, says Jason Milletary, technical director for malware analysis on the Dell SecureWorks’ Counter Threat Unit (CTU) research team. But hackers can place malware on phones to try to access that code, he acknowledges.

Some of the answers to preventing mobile cyber attacks can be found in the mobile devices themselves, argues Ben Knief, VP at Nice Actimize. For example, mobile devices can be used as location sensors and many have cameras, “so you can use it as a facial sensor or as a biometric sensor,” says Knief. The latest Android phone actually unlocks your phone based on facial biometrics, he notes. “If you hand the phone to someone else, it stays locked.” —I.S.


Page 14: Wst digital issue_2012_04

how they connect to us, what time of day and from where.”

While Steinberg says TD Ameritrade has done quite a bit of work internally to develop fraud-fighting technology — where, he says, the company tends to be “a bit ahead of the curve” — he notes that TD Ameritrade also works with large network carriers and technology providers to improve real-time monitoring. Equally as important, the firm works closely with peers in the financial industry to share data about the threat landscape, Steinberg adds. “We probably trade data about real-time attacks about a dozen times a day,” he says, noting that there are a number of groups within financial services that are self organized via mailing lists and phone-call trees as well as various other mechanisms for informally sharing data. In addition, the federal government, namely the FBI, provides the industry with vulnerability and real-time data, Steinberg says.

Given the sophistication of the malware and viruses that are out there, and the speed with which they are evolving, Sophos’s Wisniewski reiterates the need for a layered approach to protecting customer assets from cyber crime. “You need many layers in place to stop the bad things before they happen,” he says. “By implementing all of these tools, the company has five, six or seven attempts to stop the bad virus from coming in or prevent the user from accessing the fake website.”
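The behavioral check Steinberg describes earlier in this article (a wire to a destination the client has never used, judged together with how, when and from where the client connects), as an added example that is not TD Ameritrade's code. The event fields, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Assumed event shape: who, login or wire, wire destination country,
# country the session came from, and hour of day (0-23, UTC).
Event = namedtuple("Event", "client kind dest src_country hour")

MIN_HISTORY = 3   # assumed: events needed before connection habits are judged
HOUR_WINDOW = 3   # assumed: tolerated distance (hours) from previously seen times

# Constructed history of already-verified activity.
HISTORY = [
    Event("alice", "login", None, "US", 14),
    Event("alice", "login", None, "US", 15),
    Event("alice", "login", None, "US", 13),
    Event("bob", "login", None, "US", 9),
    Event("bob", "wire", "CA", "US", 10),
    Event("bob", "wire", "CA", "US", 11),
    Event("bob", "login", None, "US", 10),
]

# Constructed new requests to be scored against the history.
NEW_EVENTS = [
    Event("alice", "wire", "MY", "MY", 3),   # never wired before, odd hour, new origin
    Event("bob", "wire", "CA", "US", 10),    # matches bob's habits
    Event("bob", "wire", "MY", "US", 11),    # familiar session, new destination
]


def build_profiles(history):
    """Summarise each client's verified behaviour into a small profile."""
    profiles = defaultdict(
        lambda: {"dests": set(), "countries": set(), "hours": set(), "events": 0})
    for ev in history:
        p = profiles[ev.client]
        p["countries"].add(ev.src_country)
        p["hours"].add(ev.hour)
        p["events"] += 1
        if ev.kind == "wire":
            p["dests"].add(ev.dest)
    return profiles


def hour_gap(hour, known_hours):
    """Smallest distance on a 24-hour clock between hour and any known hour."""
    return min(min(abs(hour - k), 24 - abs(hour - k)) for k in known_hours)


def step_up_reasons(profiles, ev):
    """Return the reasons a wire should trigger additional authentication.

    The profile is not updated here: a request that is still awaiting
    step-up authentication must not teach the baseline that it is normal.
    """
    if ev.kind != "wire":
        return []
    p = profiles.get(ev.client)
    if p is None:
        return ["no history for this client"]
    reasons = []
    if not p["dests"]:
        reasons.append("first wire for this client")
    elif ev.dest not in p["dests"]:
        reasons.append("new wire destination")
    if p["events"] >= MIN_HISTORY:
        if ev.src_country not in p["countries"]:
            reasons.append("unfamiliar source country")
        if hour_gap(ev.hour, p["hours"]) > HOUR_WINDOW:
            reasons.append("unusual time of day")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev in NEW_EVENTS:
        reasons = step_up_reasons(profiles, ev)
        print(ev.client, ev.dest, "STEP-UP" if reasons else "allow", reasons)
```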


Page 15: Wst digital issue_2012_04

Data Is the New Perimeter

Data-centric security offers the best defense against advanced persistent threats, argues Voltage Security’s Mark Bower.

There’s no question that technologies keep getting better. The trouble is, so do hackers. And regrettably, the bad guys often get better faster than the good guys.

This is the reason data breaches have become an unfortunate reality of modern business. The sheer volume and reach of many breaches bear testament to the fact that all kinds of sensitive data have already been compromised or stolen outright.

Out of this environment has come an emerging breed of cybercrime that’s particularly worrisome. Sometimes referred to as “advanced persistent threats,” these assaults don’t just build on the growing sophistication of attacks in general; they play specifically to the information environment as it now exists. While often massive in scope, they lie dormant within the infrastructure until the target is most vulnerable. And what they target is not the technology but the data — specific, high-value data, such as employees’ personal information, customers’ addresses and payment details, legal contracts, design schematics, and operational plans pertaining to intellectual property and trade secrets.

Most companies place a premium on IT security and believe they have ironclad protection. However, the toll from cyber attacks continues to climb. That’s because there are gaping vulnerabilities in the way defenses are deployed — firewalls, endpoint security and even protected storage can all be bypassed by attackers. The dirty little secret (that most vendors never want you to know) is that with just a little effort, sensitive data can be breached.

Consider this in the context of a different kind of criminal history. While bank robberies have always fired up the public imagination, the most effective thefts seldom occurred inside the bank; Dillinger-like exploits aside, the vaults were usually too secure. Instead, smart criminals waited until the money was out in the open, such as at tellers’ windows or when being hauled to armored trucks.

Perimeter Security

Many companies still make the same mistake — they focus security strategies on the vault rather than the cash. As before, many favor the approach of building a perimeter around the data — on servers, desktops, laptops, pipes and packets. However, as any CEO will attest, the rapid adoption of cloud and mobile computing, along with the overall consumerization of IT, has caused those perimeters to become fluid, even nonexistent. The data that the bad


About the Author

Mark Bower is VP of product management for security solutions provider Voltage Security. Bower has more than two decades of experience in the data protection area. His expertise spans electronic banking, smartcard payment systems, Public Key Infrastructure (PKI), identity management systems and cloud security both for the commercial and government sectors.

Page 16: Wst digital issue_2012_04

guys want is now all over the place, from the biggest servers to your iPhone.

But here’s another cinematic image: Many banks use dye packs that explode and stain the cash once it’s stolen, making it worthless. Imagine doing this to your data — basically, ensuring that even if it gets breached, it will be worthless to the criminals. That’s the essential logic behind a data-centric strategy. In this scenario, the data is protected end to end using encryption, regardless of which channels it goes through or where it reaches. It can be accessed only by the intended party and no one else.

This isn’t easy. Encryption techniques typically rely on long, randomly generated keys, and the process is complex, time-consuming and expensive. However, not all encryption is created equal. There are any number of encryption solutions available, but many bring their own problems. For example, database encryption only protects data when it’s “at rest”; network data encryption only protects the data when it’s between two points of a network. Methods using PKI, or Public Key Infrastructure, require high operational costs in key management and are not easily sustainable. Putting in a mix of solutions, meanwhile, can add vulnerability, bring greater complexity and increase costs without adding scalability.

Key Innovations in Encryption

However, there are now alternatives that are accessible and affordable. Identity-based encryption (IBE) takes a completely new approach by using any arbitrary string as a public key, enabling data to be protected without the need for certificates. IBE is stateless and dynamic, as well as easy to use, scale and distribute. It’s also efficient at generating and managing keys to scale when sharing unstructured data, without the cost of PKI.

The underlying principle here is stateless key management, which effectively allows keys to be generated on the fly, derived only from identity information that’s already available, such as your email address. Stateless key management is transparent and easy to manage because, from an IT operational standpoint, there’s no database to manage. It also works nicely with existing business processes, such as electronic discovery and recovery. It’s easily compatible with business processes, retains the protection from mainframe to mobile, and goes a long way toward ensuring compliance.

The 3 Tenets of Information Security

1. Follow the data. While everyone acknowledges the value of encryption, not all encryption mechanisms are created equal. A data-centric approach that renders stolen data useless to thieves, regardless of where it’s breached, should be the first line of defense.
2. Keys to the kingdom. The best security solutions have keys that are never stored, per se; they’re computed only as needed, so they can’t be stolen.
3. Take the target sign off your back. Cyber criminals look for the highest reward with the lowest protections. If all they get from you is encrypted data, they’ll go elsewhere. Data-centric security ensures digital assets remain encrypted wherever they go.

Page 17: Wst digital issue_2012_04

Format-preserving encryption (FPE) offers a fundamentally new way to encrypt structured data, such as credit card numbers or Social Security numbers. Encrypted data retains its original size/length and format, and, as a result, organizations don’t need to make time-consuming modifications to applications or database schemas. This approach makes it possible to integrate data-level encryption everywhere, even legacy business application frameworks, overcoming a hurdle that was previously insurmountable. (FPE is a mode of the advanced encryption standard [AES], recognized by the National Institute of Standards and Technology.)
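An added example, not Voltage's product code and not the NIST-recognized AES mode, of the two ideas above: a key recomputed on demand from an identity string instead of being stored, and a cipher whose output keeps the input's length and all-digit format. It assumes an alternating Feistel network over decimal digits with HMAC-SHA-256 as the round function; the symmetric key derivation only stands in for the stateless idea and is not identity-based encryption, and every name and sample value is constructed.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves finish in their starting positions


def derive_key(master_secret: bytes, identity: str) -> bytes:
    """Recompute a per-identity key on demand; nothing is stored per user."""
    return hmac.new(master_secret, b"fpe-demo|" + identity.lower().encode(),
                    hashlib.sha256).digest()


def check(digits: str) -> None:
    """Reject anything that is not 6 to 32 ASCII digits (tiny domains are guessable)."""
    if not (digits.isascii() and digits.isdigit() and 6 <= len(digits) <= 32):
        raise ValueError("expected 6 to 32 ASCII decimal digits")


def round_value(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Keyed pseudorandom integer computed from one half of the state."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string into a digit string of the same length."""
    check(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + round_value(key, tweak, rnd, b)) % 10 ** m
        a, b = b, str(c).zfill(m)             # keep leading zeros
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    check(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else v
        c = (int(b) - round_value(key, tweak, rnd, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


if __name__ == "__main__":
    MASTER = b"constructed-demo-master-secret"     # constructed value
    key = derive_key(MASTER, "alice@example.com")  # constructed identity
    # The tweak binds a ciphertext to its column, so equal digits in
    # different fields do not encrypt to the same value.
    for field, value in (("ssn", "123456789"), ("card", "4111111111111111")):
        ct = fpe_encrypt(key, field.encode(), value)
        print(field, value, "->", ct, "->", fpe_decrypt(key, field.encode(), ct))
```

Because the ciphertext is still a 9-digit or 16-digit string, it fits the same column type and validation rules as the plaintext, which is the schema-compatibility point the paragraph makes.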

It’s essentially counterintuitive for corporations to plan for a breach; the thinking is always to prevent attacks rather than prepare for the aftermath. But it’s exactly the right philosophy in an environment where many financial services providers have data that, in the wrong hands, is worth more than all of history’s greatest bank robberies combined.

Enterprises that have been at the receiving end of criminals’ attention know the difference this security strategy can provide. “Every single breach I know of wouldn’t have happened if our end-to-end encryption solution had been there,” says Bob Carr, CEO of Heartland Payment Systems, which suffered a severe data breach a few years ago and has since transformed its security structure with a data-centric approach.

Imagine a scenario in which cyber criminals deploy resources worldwide to penetrate a network and retrieve the data. Then they find the data is worthless, essentially gold turned into straw. That’s what end-to-end encryption within a data-centric security strategy offers.


Page 18: Wst digital issue_2012_04

Financial Data Security: ‘Hey, Be Careful Out There’

The key to protecting financial data is to find the right balance between security and access.

Security and accessibility are inversely proportional, which means that the more secure you make something, the more inaccessible it becomes — a maxim as true for office buildings, transit systems, banks and embassies as it is for networks and data. After all, with sufficient time, enough money and considerable effort, you can turn any building into Fort Knox, but by doing so you’re probably going to make it nearly impossible for anyone to enter the building to accomplish anything of value. The same holds true for the industry’s interconnected world of financial data.

The key in terms of security, whether it’s physical or for data, is to find the right balance between protection and access. Go too far in one direction, and you hamstring an organization with overly complex, time-consuming routines that drive down efficiency and increase customer dissatisfaction; go too far the other way, and you leave yourself and your customers vulnerable to all sorts of threats.

Securing financial services data today has become a herculean task made more challenging by our never-ending drive to make things faster, more efficient, more integrated and more accessible. To complicate matters, not all data or organizations are created equal. For example, some institutions, such as large sell-side brokers, may have the capacity to build out internal resources that drive information security infrastructures while some smaller, more agile buy-side shops and private equity firms can’t. But both types of firms are subject to the same internal and external threats that characterize today’s burgeoning data security concerns.

Obviously, everyone in the global capital markets industry lives and dies by their data. Whether it’s golden source data that sets pricing for fixed income assets, proprietary data that drives algo creation or customer data that contains personally identifiable information, all of it is important, and all of it is valuable.

Beyond the Usual Suspects

Just like a modern-day “whodunit” novel, the cast of characters outside your firm interested in getting their hands on your data is extensive — and growing. These characters are way beyond the big bad wolf, things that go bump


Alexander C. Tabb is the practice leader and managing director for Tabb Group’s crisis and continuity services practice. An expert in international affairs, he joined Tabb Group in October 2004 from Kroll Inc., the international risk consulting company.

By Alexander C. Tabb, Tabb Group

Page 19: Wst digital issue_2012_04


in the night and Matthew Broderick’s teenage hacker in “War Games.”

Today, the list of ne’er-do-wells includes hackneyed villains, spies, disgruntled employees and careless personnel. Just over the past few years, we’ve seen a marked increase in the number of threats, attacks and careless mistakes that have targeted the industry. They’re real, they’re damaging and they need to be dealt with.

“Hacktivists,” like the wildly conspiratorial Anonymous, routinely target groups and organizations within the financial services industry. The latest example of this was reported in The Wall Street Journal: State-sponsored hackers and government-run intelligence agencies allegedly have been linked to numerous attacks against both high-tech and financial services industry leaders, including Google and Morgan Stanley. And international criminal syndicates have been targeting the industry for years, looking to harvest personally identifiable information for illegal purposes.

But from a security perspective, insiders represent the most challenging vulnerability to data security. For example, there’s Bradley Manning, a nondescript intelligence analyst in the U.S. Army who used his authorized access and a thumb drive to download and illegally disseminate a half-million classified documents to WikiLeaks. Likewise, in a case closer to home, former programmer Sergey Aleynikov was convicted of stealing secret high-speed trading algo code. Although his conviction was recently overturned on technical grounds, the fact remains that Aleynikov, an insider, snagged the code.

Avoiding Lockdown

So what can be done? How can the financial services business ensure the safety and security of its most prized possession with success, without sacrificing the overall utility of what it’s trying to protect?

Sure, locking down the data improves security, but it can also greatly decrease its utility. Similarly, increasing data surveillance — including active monitoring of access privileges, stronger user authentications and encryption — can increase data security. But these technologies, which are all effective, create complexity, inefficiency and increased overhead.

Remember, security and accessibility are inversely proportional.

Remember, too, that in this business, there are few indicators of a problem before it hits. Normally, data breaches are uncovered after the fact, and while your gut instinct may be to close down access and increase scrutiny, that will become increasingly difficult because the demands for data continue to grow.

While there’s no single answer to solve your firm’s data security challenge, three truths exist:

1. We need to rely on a balanced approach to data security that is grounded in both technological innovation and strong human resources practices.
2. We need access to our data.
3. We have to find a way of granting access so that the access we grant does not bite us in the backside in the future.

Various Tabb Group analysts will write the “Perspectives” column for Wall Street & Technology’s digital issues in 2012. Founder and CEO Larry Tabb’s byline will return in print editions of WS&T.

