<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title>BankInfoSecurity.asia RSS Syndication</title>
<link>http://www.bankinfosecurity.asia/rssFeeds.php?type=main</link>
<description>BankInfoSecurity.asia RSS News Feeds on bank information security news, regulations, blogs and education</description>
<pubDate>Mon, 28 May 2012 18:26:36 -0500</pubDate>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/bankinfosecurity/asia" /><feedburner:info uri="bankinfosecurity/asia" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:browserFriendly></feedburner:browserFriendly><item>
			<title>Attack Highlights Third-Party Risks</title>
			<link>http://www.bankinfosecurity.asia/attack-highlights-third-party-risks-a-4801</link>
			<guid>http://www.bankinfosecurity.asia/attack-highlights-third-party-risks-a-4801</guid>
			<description>&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/4801_artid_4801_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Hack of Online Billing Provider May Have Exposed 500,000 Cards&lt;/b&gt;&lt;br&gt;The hack of online billing provider WHMCS may have exposed 500,000 payment cards. Experts say the incident highlights the persistent risks third parties pose in cardholder data security.</description>
			</item>
			<item>
			<title>Insider Case Exposes Security Lapses</title>
			<link>http://www.bankinfosecurity.asia/insider-case-exposes-security-lapses-a-4798</link>
			<guid>http://www.bankinfosecurity.asia/insider-case-exposes-security-lapses-a-4798</guid>
			<description>&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/4798_artid_4798_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Bank Manager Pleads Guilty to Theft&lt;/b&gt;&lt;br&gt;A former PNC Bank manager has pleaded guilty to bank theft - a charge that could lead to 10 years in prison and a $250,000 fine. What common security flaws allow such insider schemes to flourish?</description>
			</item>
			<item>
			<title>Social Engineering: Mitigating Risks</title>
			<link>http://www.bankinfosecurity.asia/social-engineering-mitigating-risks-a-4795</link>
			<guid>http://www.bankinfosecurity.asia/social-engineering-mitigating-risks-a-4795</guid>
			<description>&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/4795_omurchu_liam_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Symantec Recommends Mix of Tech, Education&lt;/b&gt;&lt;br&gt;Why are socially engineered schemes causing so many headaches? Symantec's new Internet Security Threat Report shows attacks are growing. Here's a list of Symantec's recommendations to thwart risks.</description>
			</item>
			<item>
			<title>Anonymous Hacks Justice Dept. Database</title>
			<link>http://www.bankinfosecurity.asia/anonymous-hacks-justice-dept-database-a-4794</link>
			<guid>http://www.bankinfosecurity.asia/anonymous-hacks-justice-dept-database-a-4794</guid>
			<description>&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/4794_anonymous_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Bureau of Justice Statistics Information Leaked&lt;/b&gt;&lt;br&gt;The hacktivist group Anonymous says it has stolen 1.76 GB of data from a United States Bureau of Justice Statistics server and posted it online for download. What's the rationale behind this latest attack?</description>
			</item>
			<item>
			<title>HKMA: United Nations Sanctions Ordinance</title>
			<link>http://www.bankinfosecurity.asia/agency-releases/hkma-united-nations-sanctions-ordinance-r-2666</link>
			<guid>http://www.bankinfosecurity.asia/agency-releases/hkma-united-nations-sanctions-ordinance-r-2666</guid>
			<description>&lt;p&gt;The Hong Kong Monetary Authority has issued a statement on the Chief Executive-in-Council approving United Nations sanctions on Libya and Afghanistan.&lt;/p&gt;</description>
			</item>
			<item>
			<title>HKMA: Banking (Amendment) Ordinance 2012</title>
			<link>http://www.bankinfosecurity.asia/agency-releases/hkma-banking-amendment-ordinance-2012-r-2665</link>
			<guid>http://www.bankinfosecurity.asia/agency-releases/hkma-banking-amendment-ordinance-2012-r-2665</guid>
			<description>The Hong Kong Monetary Authority is informing authorized institutions that on Feb. 29, 2012, the Banking (Amendment) Ordinance 2012 bill was passed by the Legislative Council.</description>
			</item>
			<item>
			<title>HKMA: Statements Issued by Financial Action Task Force on Money Laundering</title>
			<link>http://www.bankinfosecurity.asia/agency-releases/hkma-statements-issued-by-financial-action-task-force-on-money-r-2664</link>
			<guid>http://www.bankinfosecurity.asia/agency-releases/hkma-statements-issued-by-financial-action-task-force-on-money-r-2664</guid>
			<description>The Hong Kong Monetary Authority has issued an announcement regarding two updated statements by the Financial Action Task Force on Money Laundering.</description>
			</item>
			<item>
			<title>ENISA: App-Store Security - The Five Lines of Defense</title>
			<link>http://www.bankinfosecurity.asia/agency-releases/enisa-app-store-security-five-lines-defense-r-2543</link>
			<guid>http://www.bankinfosecurity.asia/agency-releases/enisa-app-store-security-five-lines-defense-r-2543</guid>
			<description>The European Network and Information Security Agency published a new report on app-store security where it advocates for a baseline set of "five lines of defense" against malware.</description>
			</item>
			<item>
			<title>2012 Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud</title>
			<link>http://www.bankinfosecurity.asia/webinars/2012-cloud-security-agenda-expert-insights-on-security-privacy-in-cloud-w-276</link>
			<guid>http://www.bankinfosecurity.asia/webinars/2012-cloud-security-agenda-expert-insights-on-security-privacy-in-cloud-w-276</guid>
			<description>What are organizations' top cloud security concerns, and how are security leaders addressing these concerns through policy, technology and improved vendor management?
&lt;p&gt;&lt;p&gt;
This is the key question posed by the 2012 Cloud Security Survey.
&lt;p&gt;
No longer just an emerging technology practice, cloud computing today is embraced globally as a means of gaining efficient access to critical applications, processes and storage. It's now common for organizations to rely on cloud service providers for functions and business applications such as customer relationship management, messaging or storage via a public, private or hybrid cloud. Further, industry-specific cloud-based applications such as electronic health records or mobile banking and payment applications are emerging at an unprecedented pace.
&lt;p&gt;
But these engagements come with questions about risks:
&lt;ul&gt;
&lt;li&gt;What are your cloud service provider's security and privacy measures, and have they been audited?&lt;/li&gt;
&lt;li&gt;Where geographically is cloud data being stored, and how do operational practices comply with government, industry and organizational privacy regulations?&lt;/li&gt;
&lt;li&gt;How is a multi-tenant cloud environment managed, and, in the event of system compromise, what will be the incident response escalation process?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
Yes, cloud computing is about efficiencies and new technologies, but it's also about security, privacy and an organization's reputation.
&lt;p&gt;
The 2012 Cloud Security Survey was crafted with assistance from leading experts in cloud computing, security and privacy, with a mission to:
&lt;ul&gt;
&lt;li&gt;Chart the latest cloud trends, including types of cloud implementations most common by industry and region;&lt;/li&gt;
&lt;li&gt;Gauge organizations' top cloud security concerns, from vendor security to data governance and breach preparedness;&lt;/li&gt;
&lt;li&gt;Predict the top areas of investment for organizations most concerned about cloud security.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;
This webinar will draw upon survey results and expert insight from a special roundtable panel to discuss:
&lt;p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Top Security Concerns&lt;/b&gt; - Are organizations more concerned about where their data is stored, or whether a malicious insider might be a threat to it?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Success Factors&lt;/b&gt; - On a scale with cost savings and availability of services, how does security now rank among elements critical to a successful cloud computing implementation?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Protective Measures&lt;/b&gt; - What are some of the practices organizations are employing, from instituting more stringent contracts to enforcing third-party audits and even participating in mock security exercises with cloud service providers?&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>2012 Faces of Fraud Survey: Complying with the FFIEC Guidance</title>
			<link>http://www.bankinfosecurity.asia/webinars/2012-faces-fraud-survey-complying-ffiec-guidance-w-270</link>
			<guid>http://www.bankinfosecurity.asia/webinars/2012-faces-fraud-survey-complying-ffiec-guidance-w-270</guid>
			<description>A follow-up to ISMG's 2011 Faces of Fraud Survey, this webinar looks not only at the latest fraud trends and how institutions are fighting back, but also at their progress in putting together layered security controls in conformance with the FFIEC Authentication Guidance.
&lt;p&gt;
&lt;p&gt;
Given the persistence of fraud threats and the demands of the FFIEC Authentication Guidance, the 2012 Faces of Fraud Survey is crafted with assistance from leading experts in fraud detection and prevention, with a mission to: 
&lt;ul&gt;
&lt;li&gt;Chart the latest fraud trends, including account takeover, skimming and payment card breaches;&lt;/li&gt;
&lt;li&gt;Gauge institutions' preparedness to conform to the FFIEC Authentication Guidance, including where they are prioritizing their efforts;&lt;/li&gt;
&lt;li&gt;Predict the top areas of focus for 2012, from real-time fraud monitoring tools to new layered security controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>Mobile: Learn from Intel's CISO on Securing Employee-Owned Devices</title>
			<link>http://www.bankinfosecurity.asia/webinars/mobile-learn-from-intels-ciso-on-securing-employee-owned-devices-w-264</link>
			<guid>http://www.bankinfosecurity.asia/webinars/mobile-learn-from-intels-ciso-on-securing-employee-owned-devices-w-264</guid>
			<description>At Intel, the BYOD trend started in 2009, when employees began using their own smart phones, tablets and mobile storage devices on the job. Rather than reject the trend, as many organizations initially attempted, Intel's senior leaders were quick to embrace it as a means to cut costs and improve productivity.
&lt;p&gt;
&lt;p&gt;
Since Jan. 2010, the number of employee-owned mobile devices on the job has tripled from 10,000 to 30,000, and by 2014 Intel CISO Malcolm Harkins expects that 70 percent of Intel's 80,000 employees will be using their own devices for at least part of their job.
&lt;p&gt;
The payback so far: 
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Better Productivity&lt;/b&gt; - Employees who use their own devices respond faster to communication and over a greater percentage of the day;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Improved Security&lt;/b&gt; - Mobility improves Intel's time to respond, contain and recover from incidents;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Greater Control&lt;/b&gt; - Because personally-owned devices are encouraged, Intel now has markedly fewer unauthorized devices on its network.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;
And while there are heightened risks that come with having employees carry sensitive data on their personal devices, Harkins says organizations must tackle these risks head-on. "Doing nothing is not an option" when it comes to BYOD, he says. "Employees will work around and unknowingly expose the enterprise."
&lt;p&gt;&lt;p&gt;
In this presentation, Harkins tells how Intel came to embrace and benefit from the BYOD trend, including insights on:
&lt;p&gt;
&lt;b&gt;Bottom-up Approach&lt;/b&gt; - Intel from the outset involved employees in mobile policy creation, making the process open to input and constructive criticism. The result: an effective Employee Service Agreement for personally-owned devices.
&lt;p&gt;
&lt;b&gt;Risk Management&lt;/b&gt; - There is no 'one size fits all,' so Intel developed a five-tier risk management model that provides enhanced security capabilities depending on the employee's access to sensitive data such as line of business applications, filtered e-mail and the corporate intranet.
&lt;p&gt;
&lt;b&gt;Beyond Technology&lt;/b&gt; - Intel quickly discovered that BYOD impacts more than the IT and security groups. HR and legal play huge roles in helping to define policy, enforce compliance and ensure adequate attention is paid to details regarding privacy, appropriate use and software licensing.
&lt;/p&gt;</description>
			</item>
			<item>
			<title>Using the NIST HIPAA Security Rule Toolkit for Risk Assessments</title>
			<link>http://www.bankinfosecurity.asia/webinars/using-nist-hipaa-security-rule-toolkit-for-risk-assessments-w-262</link>
			<guid>http://www.bankinfosecurity.asia/webinars/using-nist-hipaa-security-rule-toolkit-for-risk-assessments-w-262</guid>
			<description>The National Institute of Standards and Technology, a non-regulatory agency of the Department of Commerce, is responsible for providing standards and technology to protect against threats to the confidentiality, integrity and availability of information and information systems. NIST's Computer Security Division is positioned to ensure that new technologies are selected, deployed and operated in a manner that reduces risk.
&lt;p&gt;&lt;p&gt;
The Health Insurance Portability and Accountability Act Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. Covered entities include hospitals, physician groups, health plans and claims clearinghouses. Soon, the rule also will apply to business associates - business partners that have access to sensitive patient information. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. 
&lt;p&gt;
To help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environments, NIST has developed a HIPAA Security Rule Self Assessment Toolkit.
&lt;p&gt;
In this session, Kevin Stine, manager of the Security Outreach and Integration Group within NIST's Computer Security Division, will:
&lt;ul&gt;
&lt;li&gt;Introduce participants to NIST and its role in information security;&lt;/li&gt;
&lt;li&gt;Provide a detailed overview of the toolkit application;&lt;/li&gt;
&lt;li&gt;Discuss how the toolkit can be used to support an organization's risk management process, help improve security safeguards and aid security assessment and compliance activities; and &lt;/li&gt;
&lt;li&gt;Identify additional NIST information security resources, such as risk assessment and security control guidelines, which can help organizations to manage risk and safeguard health information.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>Why Boards of Directors Don't Get It</title>
			<link>http://www.bankinfosecurity.asia/interviews/boards-directors-dont-get-it-i-1569</link>
			<guid>http://www.bankinfosecurity.asia/interviews/boards-directors-dont-get-it-i-1569</guid>
			<description>IT risk management, cyber insurance, privacy - these are hot topics for security leaders, but not for their boards of directors. Why do senior executives still fail to see IT risks as business risks?</description>
			</item>
			<item>
			<title>How to Respond to Hacktivism</title>
			<link>http://www.bankinfosecurity.asia/interviews/how-to-respond-to-hacktivism-i-1568</link>
			<guid>http://www.bankinfosecurity.asia/interviews/how-to-respond-to-hacktivism-i-1568</guid>
			<description>Hacktivist attacks will increase, and researcher Gregory Nowak says organizations can take proactive steps to reduce exposure and protect brand reputation. Why, then, are many organizations failing?</description>
			</item>
			<item>
			<title>4 Security Priorities for Banks</title>
			<link>http://www.bankinfosecurity.asia/interviews/4-security-priorities-for-banks-i-1566</link>
			<guid>http://www.bankinfosecurity.asia/interviews/4-security-priorities-for-banks-i-1566</guid>
			<description>From mobile and the cloud to DDoS attacks and risks surrounding big data, what should banks and credit unions do now to mitigate exposure? Gartner's Anton Chuvakin offers his top recommendations.</description>
			</item>
			<item>
			<title>Understanding 'Big Data'</title>
			<link>http://www.bankinfosecurity.asia/interviews/understanding-big-data-i-1563</link>
			<guid>http://www.bankinfosecurity.asia/interviews/understanding-big-data-i-1563</guid>
			<description>Banks have a lot of data, but how well is it integrated? How much are institutions gleaning from the data they house? State Street Corp's chief scientist says financial services could be doing more.</description>
			</item>
			<item>
			<title>Fighting Hackers With Public Relations</title>
			<link>http://www.bankinfosecurity.asia/blogs/fighting-hackers-public-relations-p-1278</link>
			<guid>http://www.bankinfosecurity.asia/blogs/fighting-hackers-public-relations-p-1278</guid>
			<description>&lt;b&gt;Understanding Hacktivists' Goals is Key to Thwarting Attacks&lt;/b&gt;&lt;br /&gt;By understanding the motivations behind hacktivism, companies can learn why good public relations can play an important role in thwarting attacks or minimizing their impact.</description>
			</item>
			<item>
			<title>Global: A Lack of Breach Transparency</title>
			<link>http://www.bankinfosecurity.asia/blogs/global-lack-breach-transparency-p-1275</link>
			<guid>http://www.bankinfosecurity.asia/blogs/global-lack-breach-transparency-p-1275</guid>
			<description>&lt;b&gt;Processor Promised Updates, But We've Heard Little&lt;/b&gt;&lt;br /&gt;Global Payments has been less than forthcoming with information about its data breach. How could this lack of transparency hurt the processor, and what's the lesson for others?</description>
			</item>
			<item>
			<title>The Business Case for Continuity Planning</title>
			<link>http://www.bankinfosecurity.asia/blogs/business-case-for-continuity-planning-p-1272</link>
			<guid>http://www.bankinfosecurity.asia/blogs/business-case-for-continuity-planning-p-1272</guid>
			<description>&lt;b&gt;Small, Mid-Size Enterprises Especially Need to Develop Strategy&lt;/b&gt;&lt;br /&gt;Why do so many small and mid-sized enterprises continue to believe that business continuity planning is just for the big guys? And how do we go about convincing them otherwise? Here are some tips.</description>
			</item>
			<item>
			<title>Big Data for Fraud Prevention?</title>
			<link>http://www.bankinfosecurity.asia/blogs/big-data-for-fraud-prevention-p-1270</link>
			<guid>http://www.bankinfosecurity.asia/blogs/big-data-for-fraud-prevention-p-1270</guid>
			<description>&lt;b&gt;Tracking Customers, Not Accounts, Could Reduce Fraud&lt;/b&gt;&lt;br /&gt;Do banks and credit unions use all the data they collect? One credit reporting bureau says they could be doing more with their data to track and prevent fraud.</description>
			</item></channel></rss>

