Are You Keeping Up?
“The way to keep up is to stay ahead.” -Anonymous
by Dr. Glenn Gearhart, CEO
ACAP Security Inc.
July 2005
Coupling business and technology is never easy
To be of maximum benefit to the company, IT solutions must be assimilated into the company’s day-to-day operations and long-term strategies.
Every business has problems. But each business is unique, and its problems are equally unique. Properly addressing and solving the many challenges of communications and database security requires a fine balance, or point of equilibrium, between people, processes and technology. This is ever more important as companies seek solutions to the mandates of the Gramm-Leach-Bliley Act.
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) directs the Federal Deposit Insurance Corporation (FDIC) and other federal banking agencies to review their regulations and guidelines to ensure that banks and other financial institutions have updated policies, procedures and controls to prevent unauthorized disclosure of customer financial information and to deter and detect fraudulent access to confidential financial and personal data. The GLBA applies not only to banks, but also to securities firms, insurance companies and all other companies providing or receiving other types of consumer financial products, services or data.
The GLBA, also known as the Financial Modernization Act of 1999, has three principal parts to its privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. The Act gives authority to eight federal agencies to administer and enforce the Financial Privacy and Safeguards Rules. The Financial Privacy Rule governs the collection and disclosure of customer personal financial information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The pretexting provisions are designed to protect consumers from companies that obtain their personal financial information under false pretenses.
The Situation Today…and Tomorrow
Communication, data and information security continues to operate in an increasingly difficult and changing environment. Security threats and techniques continue to increase each year at what many consider to be an alarming rate. An analysis by Carnegie Mellon University indicates that the number of security incidents increased from a reported 21,000 incidents in 2000 to over 137,500 incidents reported in 2003. The trend is expected to continue at the same rate of increase. Companies must find and implement ways to secure their information and data programs or risk serious competitive disadvantage, possible legal and regulatory censure, negative publicity and significant dollar losses.
Additionally, according to a recent SANS Institute study, more than 422 new Internet security vulnerabilities were discovered during the second quarter of 2005. Companies that do not properly address these new vulnerabilities will face a heightened threat that remote, unauthorized hackers can penetrate their computers for identity theft, industrial espionage and for distributing spam or worms.
A Closer Look at the Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act is much more expansive than merely invoking tighter communication and data security. Officially signed into law on November 12, 1999, the Act was enacted as ‘financial services modernization’ legislation and goes beyond the well-known security and privacy regulations. The Act expands the definition and powers of financial holding companies; further defines the roles of the federal and state regulatory agencies; eliminates several ‘loopholes’ of existing laws; modifies certain aspects of the Federal Home Loan Bank System; addresses Automated Teller Machine (ATM) fees; and, finally, establishes broad privacy and data security regulations.
The Act directs the Federal Deposit Insurance Corporation (FDIC) and other banking agencies to update their regulations and audits to ensure that financial institutions have the procedures and controls to prevent unauthorized disclosure of customer financial information and to deter and detect fraudulent access to data and information.
The FDIC Financial Institution Letters (FIL)
The FDIC has issued two Financial Institution Letters of interest and relevance to the GLBA. FIL-39-2001 is ‘guidance on identity theft and pretext calling’, and summarizes federal laws that pertain to identity theft and pretext calling. FIL-66-2005 was issued by the FDIC on July 22, 2005, to financial institutions, recommending an effective spyware prevention and detection program based on an institution’s risk profile. The Letter discusses the risks associated with spyware from both a bank and a consumer perspective and provides recommendations to mitigate the risks.
Spyware refers to software that collects information about a person or organization without their knowledge or consent and reports the data back to the originator. The guidance of the FIL recommends practices that banks should employ to prevent and detect spyware.
FIL-66 talks about the immediate dangers represented by various forms of security vulnerabilities and points out how identity theft, phishing scams, and other forms of security breaches present significant confidentiality, integrity, availability, and liability exposure for both the bank and the consumer. The FDIC-issued FIL warns financial institutions to seriously consider new and enhanced security strategies for their information security programs and data management services.
“Investigating the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer’s password and account numbers.” -FIL-66-2005
The Bank Secrecy Act (BSA) brings in another security issue associated with terrorist financing and money laundering. One of the prevailing responses to BSA regulations and the FFIEC examinations associated with compliance is the concept of—
Know thy customer:
“Management should have a thorough understanding of the money laundering or terrorist financing risks of the bank’s customer base. Under this approach, the bank will obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer’s occupation or business operations.” - FFIEC, BANK SECRECY ACT/ANTI-MONEY LAUNDERING EXAMINATION MANUAL, Page 38, June 2005
To maintain compliance with this FFIEC “Know thy Customer” requirement, it is not only a requirement that the bank initially obtain information on a customer, but it is also necessary for the bank to “Know with Certainty” that the party making online banking transactions is “in fact” the true customer and not some fraudulent impostor.
In the payment transaction environment, both the regulators and the public are beginning to suggest that it may be necessary for the bank to “Know with Certainty” that the party who is making an online purchase transaction is not some fraudulent impostor.
One Size Does Not Fit All
Henry Ford, in referring to his Ford motor cars, is quoted as saying, “You can have any color you’d like as long as it’s black.” You can’t argue with Mr. Ford’s success, but was he a man attuned to a changing market and an ever-expanding online commerce and banking marketplace? No.
The one-size-fits-all cookie-cutter approach will not work as banks respond to the cyber-crime threats, FFIEC examination guidelines, and the FDIC mandates.
A recent survey of U.S. Internet users reported that over 60% of the survey respondents believed it to be unacceptable for a bank to not respond to phishing schemes that use the bank’s identity as the means of gaining the victim’s trust. Almost 96% of the respondents claimed that banks need to use technology to provide protection to their banking customers.
Quick-fix and prepackaged solutions are not the answer and only serve to compound the problems. While there are many good and talented companies jockeying for position to offer a standard upon which companies can build a secure network, most utilize expensive hardware and require dedicated personnel to maintain and administer the programs. The optimum answer lies in programs that are relatively inexpensive to implement and simple to administer, so that you will be positioned to react to today’s and tomorrow’s growing cyber-crime threats.
An Action Plan
In business, luck is the “employee” that can’t be hired. You can’t depend upon luck to get your company through the turmoil of the online environment. The successful company must have a strategic and associated action plan to counter the many threats presented in the online commerce world.
Begin today to seek out and select the best alternatives for securing your communications and database systems. Look for alternatives that have a low cost and ease of implementation. Look for alternatives that provide for multi-factor authentication. Look for alternatives that are available today but can be customized for your particular situation.
Look for alternatives that use new technology to provide you with an advantage over the threats of loss from security vulnerabilities. The attackers are getting more sophisticated and devious. New technology is the only means of “keeping up” and staying ahead. In today’s IT environment, no one can defeat a 2005 attacker with 1999 technology, and probably not even 2004 technology.
Compliance Budget Payoff
Technology can be a major budget item in regulatory compliance. Some report that up to 40% of their compliance budget is being spent on technology. Committing those funds wisely is important to assure an effective compliance payoff.
Access Control and User Authentication
The Air Force recently notified 33,000 personnel, mostly officers, that a security breach exposed personal data to an intruder. The Air Force explained that a “malicious user” got into a database by using “a legitimate user’s login information” to access and/or download individuals’ personal information. This report is not an isolated event. These types of security breaches are occurring almost daily.
Online access control and user authentication is one of the online operational elements that presents security vulnerabilities, and improving it is the goal. That is why the FDIC recently issued FIL-66-2005. It is also one of the reasons the FFIEC just issued the Bank Secrecy Act/Anti-Money Laundering Examination Manual.
One of the fundamental responses to compliance with the Bank Secrecy Act is to know your customer. Whether the application is “Know thy Customer” in an online banking transaction, or “Know thy Customer” in an online payment transaction, strong access control and user authentication is now mandatory. It is also quite clear that just a user name and password is rapidly becoming a weak link in the security chain.
Access Control and Authentication
One recent entry into addressing the access control and authentication issue is ppn Technology™. This technology is unique in that it provides the instant ability for any originating source to extend a secure pipeline to anyone with a computer and Internet access. This secure pipeline does not use the World Wide Web, the SSL infrastructure, or an Internet browser. By actively bypassing these established infrastructures, ppn eliminates many potential security vulnerabilities.
Once the pipeline is established, data can be transferred securely between the originating party and any party attached to the ppn technology pipeline. To this secure pipeline one can add various types of access controls and authentication technologies. These may include user names and passwords, secure PIN pad entries, fingerprint entries, many types of biometric sensors, special questions, etc.
This technology, available commercially as “PIN-SECURE,” is unique because it allows the rapid creation and termination of a secure network without new computer hardware or devices and with little capital expenditure or manpower resources. It is easy to maintain and to train personnel in its usage. But maybe a more important point is that it is rapidly deployable, works with any common computer and operating system, and, most important, it is compliant with the GLBA and the FIL-66 and FIL-103 requirements.
Need more be said?
By Glenn Gearhart, CEO, ACAP Security Inc., a provider of higher level security solutions to the financial industry. glenn@acapsecurity.com.
White Paper: 072005 ACAP Security Inc.
Copyright 2005. ACAP Security Inc. All rights reserved.