Forum for Information Security

Information Security July 4, 2005 9:16 am

Just while we were on the topic of financial institutions and security breaches, VISA and MASTERCARD disclosed recently that up to 40 million subscribers may have had their details ‘exposed’ by hackers who got into Card Systems Inc (an Atlanta, GA based transactions processing company) through open back doors. CardSystems tried initially to ‘hush’ it up, VISA and MASTERCARD got mad, and the rest is, well, take a guess…

In this instance, it all came down to one individual with unauthorized access.

There you have it - one person can cause everything to come undone. In my opinion, it’s practically next to impossible to stop the one individual who’s capable and has done his homework from getting into systems - it is certainly possible these days with our know-how to come up with an effective ALERT and RESPONSE mechanism. It’s not much good to shrug and say ‘but I didn’t know much about it…’

CNN’s take on the episode: http://money.cnn.com/2005/06/17/news/master_card/

Goes to show - even if you have strict Security Standards, like Visa and Mastercard already do, it’s one thing implementing security in your own backyard and another to get a supplier / partner to implement and enforce the same high standards.

This is actually a big deal. The media from Moscow to Medina had a field day - and the companies didn’t quite know where to hide. And PR people are scrambling to stop the bloodletting.

More later. Although I would place a safe bet on Card Systems being flooded with class action lawsuits and probably having to seek Chapter 11 sometime this year because of the compensation amounts, contract termination fees, etc. which are all very likely to hit them.

Let me know what you think of it all,

RiOn

Information Security 8:50 am

The issue of identity theft is now the biggest official cybercrime segment, report watchdogs and security agencies.

Here’s the latest:
http://deseretnews.com/dn/view/0,1249,600145529,00.html

Would you believe it? Employees at Bank of America and Wachovia (two of the largest banks in the US) stole tens of thousands of client records and offered them for sale to third parties - in clear violation of the institutions’ code of conduct and security policies. Bank Am spends 250 Million USD each year on security, and employs hundreds of people whose sole job is to ensure information security.

Many banks today already have internal systems and controls in place which are set up on a ‘need to know’ basis - i.e. information that an employee sees has a direct relation with his / her job function, and only that information is disclosed. Additionally, there are strict background checks and induction training programs which iterate and emphasise security policies, employee codes of conduct, etc.

But do they work?

Are bank procedures reliable?

Can we rely on banks (or for that matter anyone) to put in place ‘adequate’ safeguards to protect our personal information?

We already have an answer to the question above… can we trust banks to be honest and sincere when it comes to disclosure, especially when it comes to security breaches and other events which may affect their business? I.e. banks don’t like bad news, and if there’s something that they like even less, it’s to be the bearer of ill tidings.

Which brings us to Compliance, one of the focus areas for this discussion forum. The Office of the Comptroller for Currency (OCC) has legislation in place which forces banks to disclose security breaches and to take corrective steps, etc. Just to give some teeth to the legislation, one of the penalties listed is ‘loss of license’… says it all, doesn’t it?

Bottom Line: Privacy of Information is going to be a BIG BIG thing if it isn’t already.

If you’ve got any feedback / comments - just go ahead, post ‘em!

Rion

Assurance & Compliance 8:32 am

Sometimes there just seem to be too many standards, and organizations either have to rely on intuition or the advice of their ‘consultant’ to go with one or the other. My guess is that on an operational level, most companies see compliance with standards or a quality system as a distraction, at best. Some probably view adopting a standard as a better way to market themselves and gain credibility.

In my mind, some recent security breaches in the BPO industry have prompted industry watchers to question whether companies are really serious about implementing the security policies and processes (which they already have or are in planning mode). Most have heard that a well known financial services BPO was in the news because of an employee coordinated fraud that resulted in financial losses to several US based customers of its principal, a leading bank. What many people don’t know is that this BPO was the first in the industry here to attain BS7799 certification. A couple of questions come to my mind - was this certification relevant to the needs of the business? If so, then were there problems with the implementation that led to such a blatant security breach… If not, then why was it adopted in the first place - if it couldn’t prevent such lapses?

Again, another BPO was recently dragged into the public eye when one of its employees allegedly sold thousands of client records to a third party media outfit in a sting operation. The company backtracked, the employee was fired - but are there any safeguards in place to prevent other records being stolen, or for that matter, other companies getting their ‘fingers burnt’?

I don’t think so. Nasscom is making some noises, the PM’s office is ‘outraged’ and has since chaired a meeting with Government and industry representatives to ‘ensure that this doesn’t happen again’…

But how? There will be resistance from many if mandatory policies (which require systems and support) are forced down the industry’s palate. And again, there is the question of which policies are applicable and how one goes about creating a basic Universal Set of Policies for the Outsourcing industry and then moves forward to customizing the policies where applicable.

Existing standards like BS7799, COPC, etc. can and should, of course, be referred to when policies are defined and designed for a specific industry sector - but there are dangers to adopting one standard as a whole, because there may well be a few ‘blanks’ and ‘gaps’ - areas it does not address, and in terms of coverage.

That, my friends, is the interesting question.

Have a good one,

Rion