From skimming and POS attacks to ACH fraud and payment card hacks, 2010 was “The Year of Fraud,” and the year’s incidents have left banking institutions and their customers anxious for new solutions to prevent fraud in all its forms.

In response to the growing fraud threats – and to the demand for new solutions – Information Security Media Group just concluded its latest survey, “The Faces of Fraud: Fighting Back.”

This is the Executive Summary of the survey results and what they suggest for fighting fraud in 2011.

One of the most telling responses of the survey is to this question:

When is a fraud incident involving your organization usually detected?

In other words, despite the availability today of world-class fraud detection technology, despite broad awareness of the current fraud threats and incidents – nothing spreads faster than word of a breach – and despite what we’ve all learned about customer confidence and loyalty in the wake of fraud incidents such as the Heartland Payment Systems breach …

More than three-quarters of financial institutions learn of fraud incidents when notified by their own customers.

This response underscores the need for better fraud detection – before the incidents strike the customer — and it sets the tone for the survey results, which break down into four main themes:

The Faces of Fraud: Today’s Top Threats – What are today’s top threats? Which threats do institutions feel most prepared to face? What impact have we seen from highly-publicized ACH/wire fraud incidents?

Cross-Channel Fraud: The Great Mystery – Industry analysts tell us that cross-channel fraud is the growing trend. That no longer are fraudsters targeting just ATMs or payment cards or checks – they’re seeking to compromise your customers in every way you interact with them. But how prepared are institutions to measure and respond to these cross-channel threats?

Resources: The Ongoing Challenge — It’s been a tough two years for banking. As a result of the global recession and U.S. financial crisis, human and fiscal resources have been hard to come by for banking institutions. Yet, the survey results show encouraging trends on both fronts.

Need for Awareness, New Tools – If there is one overriding theme of this survey, it’s this: Respondent’s recognize that awareness programs – for employees and customers alike – as well as fraud detection and prevention tools, are their best weapons to fight fraud. Their challenge is to find the right tools and take the right approaches to awareness.

Download the Executive summary report to get an insight for the above.

http://docs.ismgcorp.com/files/handbooks/Fraud-Survey-Summary-2010/Fraud-Survey-ExecSummary.pdf

Source: Bankinfosecurity

Now why would somebody read a confidential document during his commute to office on a public transport? Did the classification serve any purpose..? I was getting curious about this and asked him “any urgent review going on…?” He said, “No, why”..? I said, I could see the document classified “Confidential”. He has his explanation as “It is just an old document, maybe sometime in 2006”. Well why the document not re-classified if it was old…?

Urgency is one big enemy of security and so is labeling to a certain extent.

In another instance, there was an organization which has many branch offices and they have physical mail that is exchanged between these branch offices. However the recommendation for exchanging documents that was classified as “Top Secret” was to put the document into an envelope and label that as “Top Secret” and then put that envelop into another one and label it as “Personal”. The classification levels in this organization were first “Top Secret” and then “Confidential”. Now how would this serve the purpose?

The mails are exchanged through outsourced mailman (or even it would have been an internal employee) and the mailman would be curious with the label Personal itself. Once he intends to open it, he will be more curious or happy since it to be labeled “Top Secret”.

Do we need to restrict labeling for physical documents that reside within the organization premises only..?

For example: in the first instance, what if the person removed the label and printed the document. I would not even bother to look into the document that he was reading and have a conversation about this with him.

In the second instance, as far as the document is moving from one office to another, remove the label and deliver it personally (I meant only for “Top Secret” document). Once it is in the destination office, can’t it be labeled back..?

I feel that labeling of physical documents should be primarily used just for identifying the way it can be stored and protected and not while in physical transit. Let me know your views.

Now, let’s look at what is the definition of information assets. Information assets are basically data that is in transit or at rest and also that are available on papers. Having this in mind, I think it is easier to assess the C-I-A values of these assets. Let us take an example:

Contract documents is an information asset or let’s take the file server in an organization, the “data” in the file server is an information asset. How much impact the organization would have, if the information in the document is exposed to unauthorized persons..? – if the impact is less, confidentiality value is less and if the impact is high, confidentiality value is high. Similarly, this is applicable for Integrity and Availability. If the impact is high by losing the integrity or availability, it will be rated high or else low. After determining the C-I-A values the asset value is derived by either taking the highest value or with some simple calculations.

Let’s consider the C-I-A values for a hardware asset. The confidentiality value of the hardware asset is derived by the information that it holds and hence I feel that there would be duplication if we consider the confidentiality value here. We are considering the hardware asset as a whole and hence integrity of the server is not applicable here. Availability value is what we need to consider for an hardware asset.

As we have looked into the hardware asset, the same applies to software and service assets. Now let us look at the people asset.

If we are trying to consider the C-I-A values of a person, let’s say the CEO of the organization, yes he has confidential information. But how do we assess the confidentiality value? It is hard to determine the information that he is holding in his memory and it might also be varying constantly. Which means you cannot determine the “C” either as high or low at given point in time. I am not quite sure about the integrity aspect and coming down to the availability value; this definitely needs to be assessed.

Again, the availability value of people asset according to me should always be set to high, irrespective of his designation, age, gender etc. Why?

Controls are implemented based on the derived risk value. Risk value is proportionate to the asset value, which means if the asset value increases, so does the risk value. In this context, let us take an example:

Contract document (Information Asset) C-I-A = 5 * Threat = 3 * Probability = 3 = 45 (Risk Value)

IT Manager (People Asset) A = 3 * Threat = 3 * Probability = 1 = 9 (Risk Value)

In the above scenario, the information asset has a risk value higher that the people asset. If there is a fire break out in the organization, which of these assets will be well protected or rescued? People will always be considered first during a disaster and hence the asset value of people should always be rated as high. In this case you may ask, we already know that people is first, then why should be even consider listing people asset in the risk assessment exercise? Well, Your thoughts

I would even look to see why we need to consider hardware, software and service assets for the assessment, because all the values are anyway dependent on the information it holds or transmits.

Your thoughts again.

The Parkerian Hexad attributes are the following:

• Confidentiality
• Possession or Control
• Integrity
• Authenticity
• Availability
• Utility

These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.

I think I don’t require to provide the explanation of C-I-A here. Let’s look at the other attributes.

Possession or Control

Suppose a thief were to steal a sealed envelope containing a bank debit card and (foolishly) its personal identification number. Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that (s)he could do so at any time without the control of the owner. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.

Authenticity

Authenticity refers to correct labeling or attribution of information. For example, if a criminal forges e-mail headers to make it look as if an innocent person is sending threatening e-mail messages, there has been no breach of confidentiality (the thief uses his or her own e-mail account), possession (no information has been taken out of the control of the victim), or integrity (the e-mail messages are exactly as intended by the criminal).

What is breached is authenticity: the e-mail is incorrectly attributed to someone else. Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant’s tax code in a field labeled as the merchant’s ZIP code would violate the authenticity of the information.

Utility

Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form.

Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.

Source: www.wikipedia.org

Having said this, I would like to discuss the possible controls that can be implemented to mitigate risks for the above 3 attributes.

It is important for every organization to constantly carry out risk assessment in their organizations to ensure that they are protected from new threats. Today terrorism has become a major threat for organizations as well and hence it is definitely required for organizations to include terrorism as a threat in their risk assessment exercise.

A constant risk assessment exercise does not only help in identifying and protecting against the latest threats, but also looks into the processes and controls that was defined and implemented years ago. Though the processes and controls might be working well, it might not include the risks due to the latest threats and if risk assessments are not conducted on a regular basis, these new threats might go unnoticed.

Hence organization are encouraged to have the risk assessment exercise as an annual activity and also when there is a major change within the organization. It is also important to keep a tab on the new threats that need to be included in their risk assessment exercise.

Now the next arising question is, what are the risks of having these armed CISF securities in the campus?