By Ellen Messmer
Some of the top players in the financial services arena -- such as Visa,
JPMorgan Chase and Experian International -- are expanding their tactics
for preventing customer data loss.
IT security managers convening at two interrelated conferences in New
York this week said their firms are adopting both new network defenses
and organizational structures to lower risk of a data breach. Some say
the very survival of their businesses may be at stake, since news
reports about incidents are leading to customer loss and million-dollar
lawsuits. California was the first state to require public disclosure of
a data breach, and there are now about 30 other states and
localities that do as well.
"When an event becomes public, the stock price tilts, there's brand
damage and finally decreased revenues," said James Christiansen, chief
information security officer at Experian International, speaking at the
Summit on Preventing Data Leakage.
Experian, a global company with over $3.1 billion in annual sales from
consumer credit reports and other business data and analytics, was able
to cite its rival, ChoicePoint, as the industry's bad boy poster child at
present. ChoicePoint last year acknowledged a loss of 145,000 customer
records and is still fighting lawsuits about it. In the hope of avoiding
a similar fate, Christiansen acknowledged Experian has ratcheted up its
defenses in several ways.
For one thing, "We just won't accept data that isn't encrypted anymore,"
said Christiansen. In addition to encouraging employees to report any
suspicious events, about eight months ago Experian also started using a
data-leak prevention appliance to monitor employee e-mail, file transfer
and instant messaging.
"The first time you use it, it's like turning on a light in a kitchen at
night and catching the cockroaches running," said Christiansen. Experian
doesn't block suspicious network behavior but does investigate data
transfers that may violate corporate policy, such as failure to use
encryption. Most of the time these incidents are mistakes by employees
that require training reinforcement.
According to Christiansen, cybercrime that targets sensitive customer
financial data is lucrative and well-organized, something that hit home
while working with the U.S. Secret Service on what's called the Project
Harvest research online with others in the industry.
He said he sees that thieves around the world are selling
financial-theft Trojan programs for $1,000 to $5,000, a credit card with
PIN for $500, change of billing data for $80 to $300, and stolen credit
card numbers with security codes for $7 to $25 depending on volume.
It costs $7 for a PayPal account logon and password, he added.
With the stakes ever higher, card-services giant Visa International has
begun an ambitious retooling of its network authentication process to
combine physical and logical security information to deter potential
The project involves combining information taken from Visa's
physical-security badge readers worn by employees and cross-checking
real-time physical location with network authentication information to
make sure there's an acceptable match.
"We're taking the next step," said Phil Maier, vice president of
information security in the emerging technology and network group at
Visa USA's technical arm, Inovant, who spoke at the FinSec conference.
"The badge ID has to have a link to the domain ID [on the computer]."
If the physical and logical thresholds don't match up -- say, activity is
occurring at a restricted computer when the badge reading shows the
employee is not physically there, or an employee is viewed as physically
present but an authentication process is occurring remotely -- the session
should not be allowed since it raises security questions.
To do this, Inovant is working on a home-grown coding project that has
the company's badge-reader system linked into the corporation security
information management system from Intellitactics.
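
The cross-check described above can be sketched as follows. This is an added example, not Inovant's code: the badge-to-domain mapping, the event layout, the 5-second clock tolerance and all sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed tolerance for clock drift between the badge system and the
# authentication servers; tightly synchronized clocks keep this small.
SKEW = timedelta(seconds=5)

# Hypothetical link between badge ID and domain ID.
BADGE_TO_DOMAIN = {"B-1001": "asmith", "B-1002": "bjones"}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data, not real logs.
BADGE_EVENTS = [  # (time, badge_id, direction, zone)
    (ts("2006-03-01 08:55:00"), "B-1001", "in", "datacenter"),
    (ts("2006-03-01 12:00:00"), "B-1001", "out", "datacenter"),
    (ts("2006-03-01 09:10:00"), "B-1002", "in", "office"),
]
AUTH_EVENTS = [  # (time, domain_id, kind, zone of the host, None if remote)
    (ts("2006-03-01 09:00:00"), "asmith", "local", "datacenter"),
    (ts("2006-03-01 12:30:00"), "asmith", "local", "datacenter"),
    (ts("2006-03-01 10:00:00"), "bjones", "remote", None),
]

def zone_at(domain_id, when, badge_events):
    """Zone the user's badge places them in at `when`, or None if outside."""
    zone = None
    for t, badge, direction, z in sorted(badge_events):
        if BADGE_TO_DOMAIN.get(badge) == domain_id and t <= when + SKEW:
            zone = z if direction == "in" else None
    return zone

def mismatches(auth_events, badge_events):
    """Return authentications whose physical and logical views disagree."""
    findings = []
    for when, user, kind, host_zone in auth_events:
        present = zone_at(user, when, badge_events)
        if kind == "local" and present != host_zone:
            findings.append((when, user, "local logon without badge presence"))
        elif kind == "remote" and present is not None:
            findings.append((when, user, "remote logon while badged on site"))
    return findings
```

The skew window is why clock synchronization matters here: a logon stamped a few seconds before the matching badge-in is still treated as consistent, while a larger gap is flagged.
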
To have this -- and probably any security monitoring -- work correctly,
it's necessary to time-synchronize all computers precisely using the Network
Time Protocol based on the government-supported Atomic Clock, Maier
The various data-breach disclosure laws that now mandate the public be
informed about incidents are driving change not just in technology
implementation but in how organizations work to communicate between IT
departments and upper management.
Anish Bhimani, managing director at JPMorgan Chase, who spoke at FinSec,
said the desire to avoid becoming another data-loss news story has
prompted some changes, including adding laptop encryption and possibly
adopting tapeless data centers for the long term.
"We used to think more backups is better but that's not exactly the case,"
said Bhimani. Another process change involves automated scanning of
40,000 servers for penetration testing instead of having people do it
A chief concern involves making sure JPMorgan Chase's 3,500 third-party
providers also follow specific security practices, noting it's difficult
to define everything that can go wrong.
One of JPMorgan's outside service providers, as Bhimani refers to them,
recently misplaced some data that was recovered. "We looked at everything
except what went wrong," said Bhimani.
One major cultural change at JPMorgan Chase, a huge firm with 170,000
employees, has been to focus on security metrics by focusing on the
results, not activity, he noted.
Instead of just issuing data-filled reports to management, the focus is
being refined to target concrete results. Weekly meetings are now
required where IT staff discuss risks, exposures and compliance with
unit CIOs, and unit CIOs huddle together on their own and with CEOs more
"The goal is to figure out how do you actually improve the risk posture
of the organization with the data you have," said Bhimani. JPMorgan Chase
is also trying organizational change that involves assigning more
security experts into the business divisions instead of technology
"The CISO role will now be the deputy risk manager," said Bhimani, adding
the IT department will be split from risk management "so we can focus on
maturing the discipline of IT risk."
"The business needs to be able to take risks to make money, and our job
is to help them find a way to do that," said Bhimani. Another change for
JPMorgan Chase will be a zero-based budget "where you start each year
with no specifically allotted spending for security and go up. You start
to think about doing things differently."
All contents copyright 1995-2006 Network World, Inc.