<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title>BankInfoSecurity.com  RSS Syndication</title>
<link>http://www.bankinfosecurity.com/rssFeeds.php?type=main</link>
<description>BankInfoSecurity.com RSS News Feeds on bank information security news, regulations, blogs and education</description>
<pubDate>Sun, 26 Feb 2012 11:53:46 -0600</pubDate>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/bankinfosecurity/com" /><feedburner:info uri="bankinfosecurity/com" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:browserFriendly></feedburner:browserFriendly><item>
			<title>ATM Crime Boss Sentenced</title>
			<link>http://www.bankinfosecurity.com/articles.php?art_id=4532</link>
			<guid>http://www.bankinfosecurity.com/articles.php?art_id=4532</guid>
			<description>&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/4532_artid_4448_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Bulgarian Crime Head Pleads Guilty to Skimming Scheme&lt;/b&gt;&lt;br&gt;The FBI says Bulgarian fraudster Dimitar Dimitrov led ATM skimming rings that ranged from New York to Las Vegas, and now a federal judge has sentenced him to prison. Is the sentence appropriate?</description>
			</item>
			<item>
			<title>Cybersecurity for the C-Suite</title>
			<link>http://www.bankinfosecurity.com/articles.php?art_id=4526</link>
			<guid>http://www.bankinfosecurity.com/articles.php?art_id=4526</guid>
			<description>&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/4526_Tsamitis_Dena_Haritos_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;CMU Launches Executive Master's in Information Assurance&lt;/b&gt;&lt;br&gt;"This is a unique program that fits the specific needs for upcoming and current IT security leaders and adds high enrichment to peer support and the learning experience," says Dena Haritos Tsamitis.</description>
			</item>
			<item>
			<title>Tips to Fight Debit Fraud</title>
			<link>http://www.bankinfosecurity.com/articles.php?art_id=4525</link>
			<guid>http://www.bankinfosecurity.com/articles.php?art_id=4525</guid>
			<description>&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/4525_yao_jane_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;ABA Says Better Detection Tools, More Education Needed&lt;/b&gt;&lt;br&gt;Losses linked to debit fraud are increasing, says Jane Yao of the American Bankers Association, and the industry is in a perpetual state of catch-up. A new study tells how institutions can fight back.</description>
			</item>
			<item>
			<title>Cybersecurity Center of Excellence Launched</title>
			<link>http://www.bankinfosecurity.com/articles.php?art_id=4523</link>
			<guid>http://www.bankinfosecurity.com/articles.php?art_id=4523</guid>
			<description>&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/4523_NIST_Center_of_Excellence_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Promoting Quick Adoption of Information Technology Tools&lt;/b&gt;&lt;br&gt;The National Institute of Standards and Technology is establishing the National Cybersecurity Center of Excellence, a public-private collaboration aimed at accelerating the widespread adoption of integrated cybersecurity tools and technologies.</description>
			</item>
			<item>
			<title>NCUA: A M Community Credit Union, Kenosha, Wis., Placed Under Conservatorship</title>
			<link>http://www.bankinfosecurity.com/regulations.php?reg_id=2645</link>
			<guid>http://www.bankinfosecurity.com/regulations.php?reg_id=2645</guid>
			<description>The National Credit Union Administration, working cooperatively with the Wisconsin Office of Credit Unions, assumed control of service and operations at A M Community Credit Union headquartered in Kenosha, Wis.</description>
			</item>
			<item>
			<title>FinCEN: Guidance to Financial Institutions on Providing Services to Foreign-Located Money Services Businesses</title>
			<link>http://www.bankinfosecurity.com/regulations.php?reg_id=2644</link>
			<guid>http://www.bankinfosecurity.com/regulations.php?reg_id=2644</guid>
			<description>FinCEN is issuing an advisory to financial institutions regarding their obligations under the Bank Secrecy Act when providing financial services to foreign-located money services businesses.</description>
			</item>
			<item>
			<title>OCC: Deadline to Request Review under Independent Foreclosure Review Extended to July 31</title>
			<link>http://www.bankinfosecurity.com/regulations.php?reg_id=2643</link>
			<guid>http://www.bankinfosecurity.com/regulations.php?reg_id=2643</guid>
			<description>Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System announced that the deadline for submitting requests for review under the Independent Foreclosure Review has been extended.</description>
			</item>
			<item>
			<title>FDIC: SCB Bank, Shelbyville, Ind., Closes</title>
			<link>http://www.bankinfosecurity.com/regulations.php?reg_id=2642</link>
			<guid>http://www.bankinfosecurity.com/regulations.php?reg_id=2642</guid>
			<description>SCB Bank, Shelbyville, Ind., was closed by the Office of the Comptroller of the Currency, which appointed the Federal Deposit Insurance Corporation as receiver.</description>
			</item>
			<item>
			<title>The Great Application Security Debate: Static vs. Dynamic vs. Manual Penetration Testing</title>
			<link>http://www.bankinfosecurity.com/webinars.php?webinarID=268</link>
			<guid>http://www.bankinfosecurity.com/webinars.php?webinarID=268</guid>
			<description>Software applications are an integral part of 21st century business processes. The majority of software is still installed in-house, either as specially developed custom applications or commercially acquired packages. However, the proportion of software procured as a service is on the rise, as is the use of mobile apps and open source components. In addition, more and more in-house applications are being web-enabled and exposed to the outside world.
&lt;p&gt;
&lt;p&gt;
Regardless of its origin, the vast majority of software will contain flaws which can constitute a security risk, especially for those applications that are web-enabled. The cost of fixing a flaw increases the later that they are found in the development, acquisition and deployment life-cycle. There are a number of measures that can be taken to mitigate the problem and reduce the overall cost of managing software whilst ensuring better security. Increasingly, businesses are recognizing the benefits of outsourcing at least some of the effort through the use of on-demand software testing services. 
&lt;p&gt; 
This webinar explores how businesses are deploying software and what measures are in place for checking the security of applications. This webinar will present new research conducted amongst US and UK enterprises from a range of industries and assesses the scale of the software security problem, the ways in which it can be mitigated, the extent to which this is being achieved, the costs involved and how these can be minimized.
&lt;p&gt;
&lt;ul&gt;
&lt;li&gt;2011 was the Year of the Breach. Some of the world's best companies and brands were attacked making securing your enterprise applications a key information security imperative.&lt;/li&gt;
&lt;li&gt;As applications become more mission critical to the enterprise, so too does the need to secure them.&lt;/li&gt;
&lt;li&gt;Learn how enterprises can leverage the various application testing approaches in their application security programs.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>The Fraud Dilemma: How to Prioritize Anti-Fraud Investments</title>
			<link>http://www.bankinfosecurity.com/webinars.php?webinarID=267</link>
			<guid>http://www.bankinfosecurity.com/webinars.php?webinarID=267</guid>
			<description>In light of increasingly sophisticated fraud techniques - everything from account takeover attempts to ATM skimming and increasingly sophisticated phishing attacks - financial institutions are under constant pressure to protect customer assets.
&lt;p&gt;
Further, embodied by the FFIEC Authentication Guidance, they face heightened regulatory pressure to assess risks, deploy layered security controls and to improve customer awareness of this ever-evolving threat landscape.
&lt;p&gt;
And a single misstep could result in a data breach that carries heavy financial, regulatory, customer, shareholder and reputational implications.
&lt;p&gt;
Among the anti-fraud options available to banks:  
&lt;ul&gt;
&lt;li&gt;Device authentication/identification, which has a wide spectrum of approaches, some better than others.&lt;/li&gt;
&lt;li&gt;Malware detection and mitigation, operating either from the cloud or on a user's device to reduce Man-in-the-Browser fraud from compromised endpoints.&lt;/li&gt;
&lt;li&gt;Anomaly detection, which can take the form of simple rules to complex cross-channel behavioral analysis.&lt;/li&gt;
&lt;li&gt;Transaction verification, which can be rules-based or triggered by anomaly detection and can then take several forms (token, SMS, phone verification, dual authorization).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
So, how does an institution go about evaluating all of these options and deciding which fits its own risk profile best?
&lt;p&gt;
In this panel discussion, banking/fraud expert George Tubin will lead a lively discussion of today's top fraud threats and solutions. Among the topics to be tackled:
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Regulatory Requirements&lt;/b&gt; - What are the basic expectations for assessing and mitigating fraud risks?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Investment Planning&lt;/b&gt; - What is your institution's fraud loss profile, and how can you best match mitigation approaches to your identified risks?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Selling the Solution&lt;/b&gt; - Once you've identified your anti-fraud solutions, how do you demonstrate value to stakeholders, and then win support for a prioritized investment plan?&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>BYOD: Manage the Risks and Opportunities</title>
			<link>http://www.bankinfosecurity.com/webinars.php?webinarID=266</link>
			<guid>http://www.bankinfosecurity.com/webinars.php?webinarID=266</guid>
			<description>From home computers and laptops to cellphones and PDAs, employees have always lobbied to introduce consumer technologies in the workplace.
&lt;p&gt;
&lt;p&gt;
But with the advent of smart phones, tablets, portable storage and a variety of laptops - powerful computing devices that often rely on unsecured wireless networks - the push today is even greater. Example: Intel, the global computer technologies manufacturer, reports that connected mobile devices grew from 10,000 to 30,000 over the first 10 months of 2011. And by 2014, Intel expects 70% of its employees to use personal devices for some aspect of their job.
&lt;p&gt;
So, it's no longer a question of whether to allow employees to use their own devices - no corporate policy can stem the tide of consumerization. The questions now are about:
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Inventory&lt;/b&gt; - How do you properly account for all of the consumer devices introduced by your employees? Know how to lock down your corporate wireless networks and desktop computers, so you'll also know when employees are trying to access corporate resources via connecting new devices.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Security&lt;/b&gt; - How do you protect your systems and data from unauthorized access - and in the event of lost or stolen devices? From identification to proper authentication, appropriate access control, data storage and detecting un-authorized activities - all controls implemented by an organization on 'corporate-owned' resources over the last decade can potentially be rendered useless on an employee-owned device. Learn the importance of each control and the implementation challenges in a large-scale environment.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Privacy&lt;/b&gt; - The controls you place on an employee-owned device could potentially compromise the individual's privacy (knowing which sites they visit, or whom they e-mail in their off-hours, for instance). How do you achieve the right balance to protect the enterprise's security and the employee's privacy?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Compliance&lt;/b&gt; - Certain international regulations and standards spell out standards for how data is collected and stored, as well as how it must be made available for legal requests. Are you prepared to address these and other top-level compliance issues when it comes to employees storing enterprise data on their own devices? Learn how to weigh the risks and benefits.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Policy&lt;/b&gt; - Beyond making employees aware of your policy, how do you enforce it? Awareness is key - make sure employees understand your policies around device usage, access, software licensing and other critical issues. But you also need to articulate specific areas of non-compliance and then monitor appropriately for violations subject to disciplinary action, including termination.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Opportunity&lt;/b&gt; - Beyond securing devices, BYOD is an opportunity to improve data and access security in the enterprise, web, mobile, and SaaS applications. The opportunity is for organizations to still have strong security and authentication, but in a way that is "outsourced" to the device owner for all of their applications. This outsourcing can save the company IT budget, as well as reduce help desk support.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;
In this session, mobile security experts will discuss these topics and more, sharing insights on how today's leading-edge organizations are embracing BYOD as a means of improving employee productivity and creating new business value.</description>
			</item>
			<item>
			<title>Fundamental Security: The Power of GLBA and FFIEC Compliance</title>
			<link>http://www.bankinfosecurity.com/webinars.php?webinarID=265</link>
			<guid>http://www.bankinfosecurity.com/webinars.php?webinarID=265</guid>
			<description>The adage "Compliance doesn't ensure good security, but good security almost always ensures compliance" continues to ring true in 2012, as financial institutions seek to comply with the updated FFIEC guidance on online banking.
&lt;p&gt;
&lt;p&gt;
"Layered security" is a requirement of the new guidance released in 2011, but what does that really mean to banks and credit unions that are preparing for examinations? While financial institutions with an established GLBA information security program and culture most likely were compliant with the new requirements before they were published, many banks and credit unions are still ill prepared to meet the examiners - and as a result, may lack fundamental security controls.
&lt;p&gt;
Consider the core requirements of GLBA's Safeguards Rule, which requires institutions to:
&lt;ul&gt;
&lt;li&gt;Develop a written information security plan;&lt;/li&gt;
&lt;li&gt;Appoint at least one employee to manage the safeguards;&lt;/li&gt;
&lt;li&gt;Conduct a risk assessment of each department handling private information;&lt;/li&gt;
&lt;li&gt;Develop, monitor, and test the information security program;&lt;/li&gt;
&lt;li&gt;Amend safeguards as necessary with changes in how information is collected, stored and used.&lt;/li&gt;
&lt;/ul&gt;
Risk assessments, security controls and monitoring all are core components of the updated FFIEC Authentication Guidance, as well.
&lt;p&gt;
&lt;p&gt;
In this session, George Tubin, noted expert in banking security, fraud and compliance, will discuss the key elements of GLBA and the FFIEC guidance with an eye toward offering new insights on:
&lt;ul&gt;
&lt;li&gt;Strategies for ensuring both security and compliance;&lt;/li&gt;
&lt;li&gt;A practical approach to layered security;&lt;/li&gt;
&lt;li&gt;Regulatory trends - what to expect next for guidance.&lt;/li&gt;
&lt;/ul&gt;
Following Tubin's presentation, Jeff Multz, Director of North America Midmarket Sales for Dell SecureWorks, will discuss the banking and security trends Dell SecureWorks is seeing and how institutions can respond to them.</description>
			</item>
			<item>
			<title>Privacy Bill of Rights: Not Be-All, End-All</title>
			<link>http://www.bankinfosecurity.com/interviews.php?interviewID=1405</link>
			<guid>http://www.bankinfosecurity.com/interviews.php?interviewID=1405</guid>
			<description>The Obama administration's Consumer Privacy Bill of Rights should be seen as a vital document to help shape an expansive and globally accepted privacy framework in the United States, privacy and data security lawyer Lisa Sotto says.</description>
			</item>
			<item>
			<title>What to Expect at RSA Conference</title>
			<link>http://www.bankinfosecurity.com/interviews.php?interviewID=1404</link>
			<guid>http://www.bankinfosecurity.com/interviews.php?interviewID=1404</guid>
			<description>This is the first &lt;a href='http://www.bankinfosecurity.com/pages.php?pageID=rsa2012'&gt;&lt;b&gt;RSA Conference&lt;/b&gt;&lt;/a&gt; since 2011's high-profile &lt;a href='http://www.inforisktoday.com/articles.php?art_id=4161'&gt;&lt;b&gt;security breaches&lt;/b&gt;&lt;/a&gt;. How did those incidents influence this year's agenda? Hugh Thompson explains in an exclusive event preview.</description>
			</item>
			<item>
			<title>Mobile Security: Enabling BYOD</title>
			<link>http://www.bankinfosecurity.com/interviews.php?interviewID=1399</link>
			<guid>http://www.bankinfosecurity.com/interviews.php?interviewID=1399</guid>
			<description>Mobile security is a new discussion track at &lt;a href='http://www.bankinfosecurity.com/pages.php?pageID=rsa2012'&gt;&lt;b&gt;RSA Conference&lt;/b&gt;&lt;/a&gt;, but it's long been a hot topic for CISOs. Entrust's Dave Rockvam discusses &lt;a href='http://www.bankinfosecurity.com/categories.php?catID=325'&gt;&lt;b&gt;BYOD &lt;/b&gt;&lt;/a&gt;and how organizations are securing personally-owned devices.</description>
			</item>
			<item>
			<title>The Book on Insider Threats</title>
			<link>http://www.bankinfosecurity.com/interviews.php?interviewID=1396</link>
			<guid>http://www.bankinfosecurity.com/interviews.php?interviewID=1396</guid>
			<description>The &lt;a href='http://www.bankinfosecurity.com/categories.php?catID=247'&gt;&lt;b&gt;insider threat&lt;/b&gt;&lt;/a&gt;: It's a top challenge for any organization, and it's a hot topic for &lt;a href='http://www.bankinfosecurity.com/pages.php?pageID=rsa2012'&gt;&lt;b&gt;RSA Conference&lt;/b&gt;&lt;/a&gt; attendees. Dawn Cappelli and Randy Trzeciak preview their new book, The CERT Guide to Insider Threats.</description>
			</item>
			<item>
			<title>7 Levels of Hackers</title>
			<link>http://www.bankinfosecurity.com/blogs.php?postID=1206</link>
			<guid>http://www.bankinfosecurity.com/blogs.php?postID=1206</guid>
			<description>&lt;b&gt;Applying An Ancient Chinese Lesson: Know Your Enemies&lt;/b&gt;&lt;br /&gt;Not all hackers are the same, and that presents problems in defending against them. Understanding each type of hacker can help organizations better prepare for digital assaults.</description>
			</item>
			<item>
			<title>Anonymous Set to Do Real Damage?</title>
			<link>http://www.bankinfosecurity.com/blogs.php?postID=1203</link>
			<guid>http://www.bankinfosecurity.com/blogs.php?postID=1203</guid>
			<description>&lt;b&gt;Report: Gen. Keith Alexander Fears Attack on Electric Grid&lt;/b&gt;&lt;br /&gt;Concerns expressed by the National Security Agency director come at a time when Congress is split over the role government should perform in determining the security of the mostly privately owned national critical IT infrastructure.</description>
			</item>
			<item>
			<title>How Encrypted Keys Can Leave Bad Taste</title>
			<link>http://www.bankinfosecurity.com/blogs.php?postID=1201</link>
			<guid>http://www.bankinfosecurity.com/blogs.php?postID=1201</guid>
			<description>&lt;b&gt;RSA Challenges Conclusion of Number Generation Study&lt;/b&gt;&lt;br /&gt;RSA Chief Technologist Sam Curry defends the company's approach to public-key cryptography after researchers suggest a flaw in its encryption algorithm, contending the problem exists elsewhere in the security chain.</description>
			</item>
			<item>
			<title>Low-Tech Fraud Targets Banks, CUs</title>
			<link>http://www.bankinfosecurity.com/blogs.php?postID=1200</link>
			<guid>http://www.bankinfosecurity.com/blogs.php?postID=1200</guid>
			<description>&lt;b&gt;Prelim Survey Results Reveal Startling Fraud Trends&lt;/b&gt;&lt;br /&gt;What are the top two fraud schemes hitting banks and credit unions the hardest? The early responses from our ongoing 2012 Faces of Fraud Survey just might surprise you.</description>
			</item></channel></rss>

