<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSecMinds &#187; ISO 27001:2005</title>
	<atom:link href="http://infosecminds.com/category/iso-270012005/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecminds.com</link>
	<description>For like-minded people</description>
	<lastBuildDate>Sat, 15 Jan 2011 09:21:13 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>The Faces of Fraud: Fighting Back</title>
		<link>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/</link>
		<comments>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/#comments</comments>
		<pubDate>Fri, 31 Dec 2010 04:02:58 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[bank fraud scam]]></category>
		<category><![CDATA[bank information security frauds]]></category>
		<category><![CDATA[breaches of security]]></category>
		<category><![CDATA[cybercrime security]]></category>
		<category><![CDATA[frauds]]></category>
		<category><![CDATA[information security article]]></category>
		<category><![CDATA[internet banking frauds]]></category>
		<category><![CDATA[internet security breaches]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network security breaches]]></category>
		<category><![CDATA[online security breaches]]></category>
		<category><![CDATA[recent security breaches]]></category>
		<category><![CDATA[security breaches]]></category>
		<category><![CDATA[security breaches 2010]]></category>
		<category><![CDATA[security breaches statistics]]></category>
		<category><![CDATA[security issues]]></category>
		<category><![CDATA[threats of information security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=280</guid>
		<description><![CDATA[See How Financial Institutions Respond to the Latest Threats

From skimming and POS attacks to ACH fraud and payment card hacks, 2010 was "The Year of Fraud," and the year's incidents have left banking institutions and their customers anxious for new solutions to prevent fraud in all its forms.]]></description>
			<content:encoded><![CDATA[<p><strong>See How Financial Institutions Respond to the Latest Threats</strong></p>
<p>From skimming and POS attacks to ACH fraud and payment card hacks, 2010 was &#8220;The Year of Fraud,&#8221; and the year&#8217;s incidents have left banking institutions and their customers anxious for new solutions to prevent fraud in all its forms.</p>
<p>In response to the growing fraud threats – and to the demand for new solutions – Information Security Media Group just concluded its latest survey, &#8220;The Faces of Fraud: Fighting Back.&#8221;</p>
<p>This is the Executive Summary of the survey results and what they suggest for fighting fraud in 2011.</p>
<p>One of the most telling responses of the survey is to this question:</p>
<p><span id="more-280"></span></p>
<p><strong>When is a fraud incident involving your organization usually detected?</strong></p>
<p><strong><a href="http://infosecminds.com/wp-content/uploads/2010/12/The-Faces-of-Fraud.jpg"><img class="aligncenter size-full wp-image-282" title="The Faces of Fraud" src="http://infosecminds.com/wp-content/uploads/2010/12/The-Faces-of-Fraud.jpg" alt="" width="584" height="212" /></a><br />
</strong></p>
<p>In other words, despite the availability today of world-class fraud detection technology, despite broad awareness of the current fraud threats and incidents – nothing spreads faster than word of a breach – and despite what we&#8217;ve all learned about customer confidence and loyalty in the wake of fraud incidents such as the Heartland Payment Systems breach …</p>
<p>More than three-quarters of financial institutions learn of fraud incidents when notified by their own customers.</p>
<p>This response underscores the need for better fraud detection – before the incidents strike the customer &#8212; and it sets the tone for the survey results, which break down into four main themes:</p>
<p><strong>The Faces of Fraud: Today&#8217;s Top Threats</strong> – What are today&#8217;s top threats? Which threats do institutions feel most prepared to face? What impact have we seen from highly-publicized ACH/wire fraud incidents?</p>
<p><strong>Cross-Channel Fraud:</strong> The Great Mystery – Industry analysts tell us that cross-channel fraud is the growing trend. That no longer are fraudsters targeting just ATMs or payment cards or checks – they&#8217;re seeking to compromise your customers in every way you interact with them. But how prepared are institutions to measure and respond to these cross-channel threats?</p>
<p><strong>Resources:</strong> The Ongoing Challenge &#8212; It&#8217;s been a tough two years for banking. As a result of the global recession and U.S. financial crisis, human and fiscal resources have been hard to come by for banking institutions. Yet, the survey results show encouraging trends on both fronts.</p>
<p><strong>Need for Awareness, New Tools</strong> – If there is one overriding theme of this survey, it&#8217;s this: Respondents recognize that awareness programs – for employees and customers alike – as well as fraud detection and prevention tools, are their best weapons to fight fraud. Their challenge is to find the right tools and take the right approaches to awareness.</p>
<p>Download the Executive Summary report for insight into the above.</p>
<p>http://docs.ismgcorp.com/files/handbooks/Fraud-Survey-Summary-2010/Fraud-Survey-ExecSummary.pdf</p>
<p>Source: Bankinfosecurity</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Parkerian Hexad</title>
		<link>http://infosecminds.com/2009/08/16/149/</link>
		<comments>http://infosecminds.com/2009/08/16/149/#comments</comments>
		<pubDate>Sun, 16 Aug 2009 11:36:31 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[CIA Triad]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[CIA]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=149</guid>
		<description><![CDATA[The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability). The Parkerian Hexad attributes are [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).</p>
<p>The Parkerian Hexad attributes are the following:</p>
<ul>
<li>Confidentiality</li>
<li><strong>Possession or Control</strong></li>
<li>Integrity</li>
<li><strong>Authenticity</strong></li>
<li>Availability</li>
<li><strong>Utility</strong></li>
</ul>
<p style="text-align: justify;">These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.</p>
<p>I don’t think I need to explain C-I-A here. Let’s look at the other attributes.</p>
<p><span id="more-149"></span></p>
<p><strong><span style="text-decoration: underline;">Possession or Control</span></strong></p>
<p style="text-align: justify;">Suppose a thief were to steal a sealed envelope containing a bank debit card and (foolishly) its personal identification number. Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that (s)he could do so at any time without the control of the owner. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.</p>
<p><strong><span style="text-decoration: underline;">Authenticity</span></strong></p>
<p style="text-align: justify;">Authenticity refers to correct labeling or attribution of information. For example, if a criminal forges e-mail headers to make it look as if an innocent person is sending threatening e-mail messages, there has been no breach of confidentiality (the thief uses his or her own e-mail account), possession (no information has been taken out of the control of the victim), or integrity (the e-mail messages are exactly as intended by the criminal).</p>
<p style="text-align: justify;">What is breached is authenticity: the e-mail is incorrectly attributed to someone else. Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant&#8217;s tax code in a field labeled as the merchant&#8217;s ZIP code would violate the authenticity of the information.</p>
<p><strong><span style="text-decoration: underline;">Utility</span></strong></p>
<p style="text-align: justify;">Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form.</p>
<p style="text-align: justify;">Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.</p>
<p style="text-align: right;">Source: www.wikipedia.org</p>
<p style="text-align: justify;">Having said this, I would like to discuss the possible controls that can be implemented to mitigate risks for the above 3 attributes.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/08/16/149/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Service Asset – A Requirement or Duplication</title>
		<link>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/</link>
		<comments>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/#comments</comments>
		<pubDate>Sun, 05 Jul 2009 11:35:42 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Asset Identification]]></category>
		<category><![CDATA[Asset Inventory]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=125</guid>
		<description><![CDATA[The need for capturing service assets as part of the asset inventory, which is then used for the risk assessment exercise, came up recently in a discussion with one of my friends. In a normal scenario, everyone uses a template that captures assets under different categories, viz. Information Asset – deals with electronic and [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">The need for capturing service assets as part of the asset inventory, which is then used for the risk assessment exercise, came up recently in a discussion with one of my friends.</p>
<p style="text-align:justify;">In a normal scenario, everyone uses a template that captures assets under different categories, viz.</p>
<ul style="text-align:justify;">
<li>Information Asset – deals with electronic and paper based data</li>
<li>Hardware Asset – includes all your hardware, cupboards, safe, etc</li>
<li>Software Asset – includes all software used or implemented in the organization.</li>
<li>Service Asset – services that a department avails from the organization</li>
<li>People Asset – talks about people / employees</li>
</ul>
<p style="text-align:justify;"> Now the discussion went like this:</p>
<p style="text-align:justify;"><span id="more-125"></span></p>
<p style="text-align:justify;">We capture service assets and also get the availability value of each such asset from each department to determine the asset value. Now, a disruption in service is caused by one or more of the following:</p>
<ul style="text-align:justify;">
<li>A failure of hardware</li>
<li>A failure of software</li>
<li>A failure of people</li>
</ul>
<p style="text-align:justify;">One or more of the above failures will cause a service disruption and we are already capturing the availability values of these parameters under hardware asset, software asset and people asset respectively.</p>
<p style="text-align:justify;">The question that arose was: is capturing the availability value again for the service not a duplication of effort? If yes, why do we do this?</p>
<p style="text-align:justify;">Now, from a security perspective:</p>
<ol style="text-align:justify;">
<li>Hardware is identified / recorded only if the end user has a direct interaction with that server. For example: File Server</li>
<li>If it is a service availed by the end user, he/she is unaware of the hardware that is used for providing that service. Hence he/she will only term it a service, and it will not be captured as a part of the hardware assets.</li>
<li>When it comes to the IT department, they will identify all the hardware that is available under their control. Now they will identify the hardware, but will be unable to determine the availability parameter of the service provided through that hardware from a business perspective.</li>
</ol>
<p style="text-align:justify;">Hence it is required to capture the service assets from various departments while we carry out a function based risk assessment exercise.</p>
<p style="text-align:justify;">Further, it is not only failures that are looked into while capturing the service assets. As a part of the control recommendations, based on the inputs from various user departments, the recommendation could also be to provide the service on a failover module or to utilize a load balancer, etc.</p>
<p style="text-align:justify;">The other aspect of capturing service assets is to understand the services availed from the organization where the organization has procured them from a third party. For example: An internet connection from the ISP.</p>
<p style="text-align:justify;">We will not be capturing the hardware, software or people assets outside our organization, but we will still be using a particular service. There might be one piece of asset connecting the organization and the ISP, but beyond that we have no control. Hence we need to capture the service assets, which will help in defining SLAs with the vendors and procuring adequate service.</p>
<p style="text-align:justify;">Looking forward to your thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security Breach &#8211; Who&#039;s responsible?</title>
		<link>http://infosecminds.com/2009/01/27/security-breach-whos-responsible/</link>
		<comments>http://infosecminds.com/2009/01/27/security-breach-whos-responsible/#comments</comments>
		<pubDate>Tue, 27 Jan 2009 11:59:25 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=87</guid>
		<description><![CDATA[The very first lesson taught to me in my computer classes was &#8220;A computer is as smart as you are&#8221; and this statement holds good even today. For the computer would do only what a person would want it to do. The only advantage a computer has over a human is that of speed and storage [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">The very first lesson taught to me in my computer classes was &#8220;A computer is as smart as you are&#8221; and this statement holds good even today. For the computer would do only what a person would want it to do. The only advantage a computer has over a human is that of speed and storage capacity.</p>
<p style="text-align:justify;">While looking at the various aspects of data loss, the end reason always points to &#8220;PEOPLE&#8221;. This holds good not only for data loss (which is now among the highest-rated security risks); if you look at any of the frauds that have happened in the recent past, every one has been manipulated by a &#8220;HUMAN&#8221;. No matter what standards are adopted or what stringent rules are set in an organization, frauds still happen.</p>
<p><span id="more-87"></span> </p>
<p style="text-align:justify;">Consider an organization that is in a very good financial position and has all the best technological gadgets implemented to ensure that no fraud or data loss happens. The organization is certified against 7799, 27001, PCI DSS, you name it. It has the best security professionals and chief executives to run it, who are on their toes to identify what is coming next and how they can protect the organization from different attacks. On the other hand, there would be an employee sitting in his/her cubicle or on the next floor using a USB data card to connect his/her PC directly to the internet.</p>
<p style="text-align:justify;">We are all aware of the rules of driving, but sometimes we tend to break them, either by not knowing the consequences or maybe because the law is liberal. Again, the law made by people might be stringent, but it is made liberal by the people practicing it. We still break the rules on the road while knowing that the consequences would affect us directly. Now how would one not break a rule if one knows that the consequences might not affect oneself directly, but that the organization would suffer?</p>
<p style="text-align:justify;">I think we are all done with standards, compliance, certifications, awareness etc. We need to have a cultural change. None of the standards or compliance requirements talk about how to bring about this paradigm shift of culture in an organization. It is never easy, as the parameters that need to be considered to achieve a cultural change are too many, from people to geographic locations to business verticals, etc. Looking forward to something that would help us bring about this change.</p>
<p style="text-align:justify;">&#8220;In the past, battles were fought between humans face-to-face using weapons. Now that has changed to battles fought using technology; never forget, it is still between humans.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/01/27/security-breach-whos-responsible/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>ISMS Implementation – The bottom-Up approach</title>
		<link>http://infosecminds.com/2008/10/23/isms-implementation-%e2%80%93-the-bottom-up-approach/</link>
		<comments>http://infosecminds.com/2008/10/23/isms-implementation-%e2%80%93-the-bottom-up-approach/#comments</comments>
		<pubDate>Thu, 23 Oct 2008 09:04:22 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[ISMS Implementation]]></category>
		<category><![CDATA[ISO 27001]]></category>

		<guid isPermaLink="false">http://vputhuseeri.wordpress.com/?p=72</guid>
		<description><![CDATA[All the while we have been hearing and believing that ISMS implementation in any organization requires management approval without which it would be a failure. True!!! For any project in an organization, for that matter, management approval is a must, because for a project to kick-start and complete with the desired results, it requires resources, budget, tools [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align:justify;">All the while we have been hearing and believing that ISMS implementation in any organization requires management approval without which it would be a failure. <strong>True!!!</strong></p>
<p style="text-align:justify;">For any project in an organization, for that matter, management approval is a must, because for a project to kick-start and complete with the desired results, it requires resources, budget, tools, etc. These can be obtained only if the project manager shows the management that the project creates value that favors the organization. The value could take many forms, which ultimately boil down to making profits or avoiding monetary/image loss.</p>
<p style="text-align:justify;"><span id="more-72"></span></p>
<p style="text-align:justify;">The above typically is considered as a top-down approach. It is, in most cases, difficult to get management approval for an Information Security Management System (ISMS) implementation project, unless it is strongly triggered by the internal management or clients or compliance requirements. Here I would like to mention two different approaches which can influence the management in providing approval and the required support.</p>
<ol type="1">
<li>Department level implementation</li>
<li>Incident Management</li>
</ol>
<p style="text-align:justify;">In the department level implementation, we need to identify those departments whose managers understand and have an interest in implementing and practicing information security practices within their department. It would be great if we get a department that is core to the organization. If not, I think we should just proceed and provide those departments with some sort of incentive for implementing and practicing information security practices. Now the ISO has a job to do. He/She will need to understand and collect information such as the improvements from implementing controls in that department and how that has helped the department in securing its information. Such information should be propagated to the entire organization, which will help other department managers to understand the importance of implementing information security practices and the benefits of the same.</p>
<p style="text-align:justify;"><strong><span style="text-decoration:underline;">For example</span></strong>: We can always show that there was a virus outbreak in the organization and that this department was not affected by it because they had implemented anti-virus software and applied strict access controls to their data. The amount of time saved by the department was X days, etc. This is just an example to present to the management; please do not create a virus outbreak in the organization. :)</p>
<p style="text-align:justify;">Another approach would be to talk to the IT department. The language that the management understands is numbers in terms of money. The moment you show them that they will make a loss of X amount due to a risk in the organization, they will be on their toes to see if they can mitigate that risk. The best way to take this approach is to have a person in the IT department document all the incidents that happen in the organization. These could mainly be IT related, but that doesn&#8217;t matter. The job of the ISO would be to determine the amount of time lost in bringing business back to normal after the incident has occurred and caused damage.</p>
<p><span style="text-decoration:underline;">Let us take an example and get this information</span>.</p>
<p style="text-align:justify;">A development server crashed in the organization: OK. The IT team is on the job. The parameters that can be checked are as mentioned below:</p>
<ol type="1">
<li>How many members of the IT team are working on this incident?</li>
<li>What was the reason for this incident?</li>
<li>How much time did it take to recover from this incident?</li>
<li>Which departments were affected? How many employees are there in those departments?</li>
<li>What is required to ensure this does not happen again?</li>
</ol>
<p><span style="text-decoration:underline;">Let us answer these questions</span></p>
<ol type="1">
<li>Two Server Administrators with an hourly charge of $30</li>
<li>Let&#8217;s say a wrong configuration in the server</li>
<li>It took about 4 hours</li>
<li>Two departments with 7 employees each were affected. They were unable to carry out their work for the time the server was down.</li>
<li>Develop configuration documents and ensure that any configuration change is done with reference to these documents. The Server Administrators need to be trained.</li>
</ol>
<p><span style="text-decoration:underline;">What is the loss to the organization?</span></p>
<ol type="1">
<li>$30 per hour with two server administrators working for 4 hours &#8212; $30*2*4 = $240</li>
<li>Two departments with 7 employees with $40 per hour for each employee &#8211; $40*14*4 = $2240</li>
<li>Total loss = $240 + $2240 = $2480</li>
<li>Cost involved in ensuring that this does not happen again. I will leave it to you to work it out. :)</li>
</ol>
<p style="text-align:justify;">I would also probably look at the cost incurred if those department employees have to work overtime to cover the lost time of productivity. This would be an addition of $2240. But let&#8217;s not get that deep.</p>
<p style="text-align:justify;">The question that would arise here is &#8220;We need to pay the server administrators anyway. So how does it matter?&#8221; &#8211; Consider if this recovery had to be done by a product vendor. We would have probably ended up paying double the cost.</p>
<p style="text-align:justify;">But the idea here is to get this cost across to the management, who understand these numbers. If such incidents can be captured in an organization and converted into numbers, this would be the best way to present the case to management and get their approval. In the same way, this can be sold even to your department managers, who can then be asked to implement best practices.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2008/10/23/isms-implementation-%e2%80%93-the-bottom-up-approach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

