Financial services firms share security tactics

Visa, JPMorgan Chase, and Experian among companies adopting more stringent corporate defense mechanisms

Some of the top players in the financial services arena-- such as Visa, JPMorgan Chase and Experian International -- are expanding their tactics for preventing customer data loss.

IT security managers convening at two interrelated conferences in New York this week said their firms are adopting both new network defenses and organizational structures to lower risk of a data breach. Some say the very survival of their businesses may be at stake, since news reports about incidents are leading to customer loss and million-dollar lawsuits. California was the first state to require public disclosure of a data breach, and now there are now about 30 other states and localities that do as well.

“When an event becomes public, the stock price tilts, there’s brand damage and finally decreased revenues,” said James Christiansen, chief information security officer at Experian International, speaking at the Summit on Preventing Data Leakage.

Experian, a global company with over $3.1 billion in annual sales from consumer credit reports and other business data and analytics, was able to cite its rival, ChoicePoint, as the industry’s bad boy poster child at present. ChoicePoint last year acknowledged a loss of 145,000 customer records and is still fighting lawsuits about it. In the hope of avoiding a similar fate, Christiansen acknowledged Experian has racketed up its defenses in several ways.

For one thing, “We just won’t accept data that isn’t encrypted anymore,” said Christiansen. In addition to encouraging employees to report any suspicious events, about eight months ago Experian also started using a data-leak prevention appliance to monitor employee e-mail, file transfer and instant messaging.

"The first time you use it, it’s like turning on a light in a kitchen at night and catching the cockroaches running,” said Christiansen. Experian doesn’t block suspicious network behavior but does investigate data transfers that may violate corporate policy, such as failure to use encryption. Most of the time these incidents are mistakes by employees that require training re-enforcement.

According to Christiansen, cybercrime that targets sensitive customer financial data is lucrative and well-organized, something that hit home by working with the U.S. Secret Service on what’s called the Project Harvest research online with others in the industry.

Required procedures Amendments to the U.S. court system's Federal Rules of Civil Procedure call for businesses to retain and be able to retrieve electronic documents.
AmendmentEffect on IT
Rule 16(b): A description of all electronically stored information must be presented within 99 days of the beginning of a legal case.E-mail archiving and retention software and policies should be put in place.
Rule 26(a): Electronically stored information, including e-mail, must be searched without waiting for a discovery request.IT should put in place e-mail archiving and retention policies so information can be discovered rapidly.
Rule 26(b): A party need not provide discovery of electronically stored information . . . if there is an undue burden or cost.Requires the organization to prove that putting in e-mail archiving software is an onerous expense.
Rule 26(f): Requires litigants to discuss any issues relating to preserving discoverable information.Requires legal counsel to know how e-mails are being retained and how they can be searched and retrieved.
Rule 34(b): Requires requesting party to designate the form in which it wants electronically stored information to be produced; requires the responding party to identify the form in which records will be produced.IT must be aware of how e-mails are stored — on disk or tape, for example — and how they will be retrieved.
Rule 37: Establishes a safe harbor provision for deleting records.Lets IT establish policies for the deletion of e-mail.

He said he sees that thieves around the world are selling software financial-theft Trojan programs for $1,000 to $5,000, a credit card with PIN for $500, and change of billing data for $80 to $300, and $7 to $25 depending on volume for stolen credit card numbers with security codes. “It costs $7 for a PayPal account logon and password,” he added.

With the stakes ever higher, card-services giant Visa International has begun an ambitious retooling of its network authentication process to combine physical and logical security information to deter potential network misuse.

The project involves combining information taken from Visa’s physical-security badge readers worn by employees and cross-checking real-time physical location with network authentication information to make sure there’s an acceptable match.

“We’re taking the next step,” said Phil Maier, vice president of information security in the emerging technology and network group at Visa USA’s technical arm, Inovant, who spoke at the FinSec conference. “The badge ID has to have a link to the domain ID [on the computer]."

If the physical and logical thresholds don’t match up — say, activity is occurring at a restricted computer when the badge reading shows the employee is not physically there, or an employee is viewed as physically present but an authentication process is occurring remotely — the session should not be allowed since it raises security questions.

To do this, Inovant is working on a home-grown coding project that has the company’s badge-reader system linked into the corporation security information management system from Intellitactics.

To have this and probably any security monitoring work correctly, it’s necessary to time-synchronize all computers precisely using the Network Time Protocol based on the government-supported Atomic Clock, Maier added.

The various data-breach disclosure laws that now mandate the public be informed about incidents is driving change not just in technology implementation but in how organizations work to communicate between IT departments and upper management.

Anish Bhimani, managing director at JPMorgan Chase, who spoke at FinSec, said the desire to avoid becoming another data-loss news story has prompted some changes, including adding laptop encryption and possibly adopting “tapeless” data centers for the long term.

“We used to think more backups is better but that’s not exactly the case,” said Bhimani. Another process change involves automated scanning for 40,000 servers for penetration testing instead of having people do it manually.

A chief concern involves making sure JPMorgan Chase’s 3,500 third-party providers also follow specific security practices, noting it’s difficult to define everything that can go wrong.

One of JPMorgan’s “outside service providers,” as Bhimani refers to them, recently misplaced some data that was recovered. “We looked at everything except what went wrong,” said Bhimani.

One major cultural change at JPMorgan Chase, a huge firm with 170,000 employees, has been to “focus on security metrics” by “focusing on the results, not activity,” he noted.

Instead of just issuing data-filled reports to management, the focus is being refined to target concrete results. Weekly meetings are now required where IT staff discuss risks, exposures and compliance with unit CIOs, and unit CIOs huddle together on their own and with CEOs more frequently.

The goal is to figure out “how do you actually improve the risk posture of the organization with the data you have,” said Bhimani. JPMorgan Chase is also trying organizational change that involves assigning more security experts into the business divisions instead of technology units.

“The CISO role will now be the ‘deputy risk manager,’” said Bhimani, adding the IT department will be split from risk management “so we can focus on maturing the discipline of IT risk.”

“The business needs to be able to take risks to make money, and our job is to help them find a way to do that,” said Bhimani. Another change for JPMorgan Chase will be a “zero-based budget” where you start each year with no specifically allotted spending for security and go up. “You start to think about doing things differently.”

Learn more about this topic

A new sheriff in town: monitoring outbound content

Credit card companies revise security standard

Chase card services dump customer details in landfill

   
Insider Shootout: Best security tools for small business
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies