Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Hacking syndicates threaten banking

From: InfoSec News <isn () c4i org>
Date: Wed, 6 Nov 2002 00:27:53 -0600 (CST)
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,75584,00.html

By DAN VERTON 
NOVEMBER 04, 2002

The number of organized hacking syndicates targeting financial
institutions around the world is growing at a disturbingly fast rate.  
And so is the number of banks willing to pay these high-tech
extortionists hush money to protect their reputations, according to a
security expert at The World Bank.

Cases in which banks, brokerage firms and other financial institutions
have quietly paid hacking syndicates extortion money are "extremely
widespread," said Tom Kellermann, senior data risk management
specialist at The World Bank in Washington. Kellermann, who
co-authored a study on the electronic security risks facing the global
financial community, presented the findings during an Oct. 29 online
seminar sponsored by Cable & Wireless Internet Services Inc. in
Vienna, Va.

The 127-page study details the growing security challenges facing the
financial sector as a result of the industry's unprecedented
dependence on the public telecommunications system, rapid adoption of
wireless systems and outsourcing of operations to third parties.

And the growing dependency on Internet technologies that are linked to
sensitive back-end systems, such as customer databases and real-time
stock data, has made online extortion a major "safety and soundness
issue" for the financial markets, Kellermann said.

80% Go Unreported

Kellermann cited reports from Framingham, Mass.-based IDC and
Stamford, Conn.-based Gartner Inc. that indicate that roughly 80% of
cybercrime incidents in the financial sector go unreported to law
enforcement agencies.

Moreover, he contends that IT employees keep many of these incidents
from senior banking executives "due to the reality that they may be
fired." Banks don't report these incidents mainly because they want to
maintain customer and investor trust, according to Kellermann.

At the same time, massive underreporting has created a vicious
catch-22 for an industry that continues to struggle with dwindling
budgets. "It has a magnifying effect because there's no actuarial data
to justify the extra expense on security," said Kellermann. "We are
losing this war."

Budget issues have also led banks and other financial companies to
outsource operations. But that can have disastrous consequences for
hundreds of banks at once if the hosting company doesn't implement
proper security protections, Kellermann said. He cited an incident
last year in which hackers penetrated the systems run by S1 Corp., an
Atlanta-based provider of electronic finance services to the financial
industry. The incident led to the compromise of more than 300 banks,
credit unions, insurance providers and investment firms
simultaneously.

Coverups Not Common

Security experts and banking officials contacted for this story agreed
that the vast majority of incidents go unreported. However, they said
they aren't convinced that internal coverups by bank IT personnel are
widespread.

"I don't think that security incident coverups are common," said Joe
Busa, an IT manager at Citizens Bank in Providence, R.I. "It is very
hard to cover a mistake completely from your peers."

According to Gartner analyst John Pescatore, all publicly traded
companies are required by the Securities and Exchange Commission to
report all events that could have a material effect on the business.  
However, "there have been very few computer security incidents serious
enough to be classified as a material event," said Pescatore.


12 Layers of Adequate Security

1. Chief security officer 
2. OCTAVE methodology* 
3. Authentication 
4. Firewalls 
5. Intrusion-detection systems 
6. Virus scanners 
7. Policy management software 
8. Vulnerability testing 
9. Encryption 
10. Proper system administration 
11. Active content filtering 
12. Incident response plan/ continuity of operations

* Operationally Critical Threat, Asset and Vulnerability Evaluation
  methodology for conducting threat assessments. Developed by CERT
  Coordination Center, Pittsburgh. See
  http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf

Source: Tom Kellermann, senior data risk management specialist, 
The World Bank



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: