2014 Momentum Webinar Series: Security and Compliance in the Interconnected Age
Alan Akahoshi
June 24, 2014
Introduction
Alan Akahoshi is a lead security product manager at Digital Insight. With 22 years of network communication, applications and security experience, Alan has safeguarded systems for the nation’s leading technology companies. His previous roles include program manager for Microsoft's hosted services group, and product manager for Symantec's consumer business unit.
Agenda
• The Internet of Everything (IoE)
– Ecosystem
• FFIEC Guidelines for your customer digital channel
– Coverage
• A security model for protecting your Customer
– Closing the gap
Poll Question 1: Current Events
Have you ever received an email from your refrigerator or television set?
a. Yes
b. No
c. Is that possible?!
>750K malicious emails sent by botnet. It’s enough to give you chills.
“In this case, hackers broke into more than 100,000 everyday consumer gadgets, such as home-networking routers, connected multi-media centers, televisions, and at least one refrigerator, Proofpoint says. They then used those objects to send more than 750,000 malicious emails to enterprises and individuals worldwide.”
The connected state or the “Internet of Everything”
IoE = User x (Devices x Networks x Services)
[Diagram: Devices, Networks (Places) and Services (Transactions/Interactions), with Data flowing between each of them]
Source: http://www.businessinsider.com/the-internet-of-everything-2014-slide-deck-sai-2014-2?op=1
An explosion of interconnectivity
Cyber Security is the biggest concern
Source: http://www.businessinsider.com/the-internet-of-everything-2014-slide-deck-sai-2014-2?op=1
• “Six degrees or less,” you are connected to a vulnerable element in the IoE ecosystem.
For Financial Institutions, Security must extend beyond your purview.
[Diagram: “you” and “OLB” linked across the ecosystem; “Gotcha!”]
• The Heartbleed bug is a vulnerability in the OpenSSL cryptographic software library that existed since 2012 and was not uncovered until early this year.
And the effects may be devastating
Reputation takes years to build, and only moments to lose.
In IoE, controlling borders and layering security isn’t enough.
You need to dramatically change your security strategy.
• Federal rules and regulations
– Federal Reserve Board
• Regulation E (Electronic Fund Transfers, 12 CFR 205)
– Uniform Commercial Code
• Article 4A, Funds Transfer (2012)
– Dodd-Frank Wall Street Reform and Consumer Protection Act
• The FFIEC prescribes recommendations for federal examinations of financial institutions.
– E-Banking
– Information Security
– Supplement in 2011
In a highly regulated industry, how do you respond to IoE?
• 2001: Electronic Banking
• 2005, 2011: Internet Banking
• What does it protect?
– Customer data (privacy)
– Fund movement (anti-fraud)
• How does it protect?
– Periodic risk assessments
– Multi-factor authentication
– Layered security controls
• Access controls (limits)
• Monitoring
– Customer awareness
FFIEC Internet Banking Guidelines (2011)
[Diagram: Devices, Networks (Places), Services (Transactions/Interactions) and Data, as in the IoE diagram above]
What the FFIEC doesn’t cover
Financial Institution Best Practices
How do you provide an effective and secure digital banking experience?
Poll Question 2: Security vs. Ease of Use
Please select the best statement that applies to your institution:
a. The security of my solution is most important.
b. The security of my solution is important, but it should minimally impact my customer user experience.
c. My customer user experience is most important.
• Includes Prevention
• Includes Monitoring
• Includes Remediation
• Is multi-faceted, multi-layered to provide maximum protection – a system of redundancy
An effective security program framework
[Diagram: Prevention, Monitoring and Remediation as the three lenses of the program]
• In order to secure the online and mobile banking ecosystem, you need to consider the multiple layers and what it is you are protecting.
• Adopt solutions using the “lenses” of your security program
– Prevention, monitoring and remediation
User protection
• User credentials
• User devices
• User applications
• User assets ($)
• Malware detection/removal
Network protection
• Network providers (public, private, mobile)
• Data exchange (privacy encryption)
Service protection
• Online banking applications
• Mobile banking applications
• Data handling and storage (privacy)
• Service availability
Business protection
• Employees
• Business assets ($)
• Data governance
Protection layers in order to manage risk
• Identity Verification (Account Origination)
– Required by Section 326 of the USA Patriot Act (FFIEC 2005)
– Reduce the risk of
• Identity theft
• Fraudulent account applications (international money laundering and terrorist financing)
• Unenforceable account agreements or transactions
• User Verification (Authentication, Authorization and Access Control)
– Layered “what you can see” & “what you can do”
– Reduce the risk of
• Unauthorized account access (privacy; protecting data)
• Account takeover
• Fraudulent activity
Prove you are who you say you are
[Slide sidebar: the P / M / R lenses (Prevention, Monitoring, Remediation) and the User, Network, Service and Business protection layers; this sidebar repeats on the following slides]
• User verification methods
– Something the user knows
• “Shared secret”, password, PIN
– Something the user has
• ATM card, smart card, scratch card
• Mobile device, FOB token, USB token
– Something the user is
• Biometric hardware (fingerprint, face, voice, retinal/iris, etc.)
– Other factors that complement authentication
• User device identification
• User location / network
• User internet protocol address
Authentication, Authorization and Access Control
• Layered Security Controls
– Measure the level of risk and match protection methods
• Consumer Banking
– Accessing banking account information
– Accessing personal account information
– Money movement activity
• Bill payment
• Intrabank funds transfers
• Interbank funds/wire transfers
• Business Banking
– Frequent and higher-amount money movement activity
• ACH file origination
• Frequent interbank wire transfers
Not all online activity or actions are equal
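As an added illustration of the two preceding slides (user verification factors, and matching protection strength to the risk of the activity), here is a small risk-based access policy. This is example code written for this summary, not code from the webinar or from Digital Insight; the activity names, risk tiers and Session fields are assumptions.

```python
from dataclasses import dataclass

# Assumed risk tiers: viewing information is lower risk than money movement,
# and interbank wires / ACH origination are the highest tier.
ACTIVITY_RISK = {
    "view_balances": 1,
    "view_profile": 1,
    "bill_pay": 2,
    "intrabank_transfer": 2,
    "interbank_wire": 3,
    "ach_origination": 3,
}


@dataclass
class Session:
    known_device: bool        # device identification matched a registered device
    usual_location: bool      # geo-location / network consistent with user history
    ip_reputation_ok: bool    # source IP address is not on a bad-reputation list
    second_factor_done: bool  # "something you have/are" already verified this session


def required_level(activity: str, business: bool) -> int:
    """Map an activity to the assurance level it needs (unknown activity = high)."""
    level = ACTIVITY_RISK.get(activity, 3)
    if business and level >= 2:
        level = 3  # business banking: frequent, higher-amount money movement
    return level


def decide(activity: str, s: Session, business: bool = False) -> str:
    """Return 'allow', 'step_up' (challenge for a second factor) or 'deny'."""
    if not s.ip_reputation_ok:
        return "deny"
    need = required_level(activity, business)
    # Complementary factors (device, location) raise assurance passively,
    # but are capped at 2 so tier-3 activity always needs an explicit second factor.
    assurance = min(2, 1 + int(s.known_device) + int(s.usual_location))
    if s.second_factor_done:
        assurance = 3
    return "allow" if assurance >= need else "step_up"
```

Every "step_up" and "deny" outcome is also a natural input to the monitoring lens: logging them per user and device gives the behavioural baseline the later slides rely on.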
Poll Question 3: Mobile Risk
What is your greatest mobile security concern? (Select one)
a. Application security
b. Device data leakage
c. Device loss or theft
d. Malware attack
• Mobile devices, the networks they connect to, the services they access, and the data shared…
– 63% of smartphone users access their bank or credit union institution
– 61% of smartphone owners who don’t use mobile banking cite “security” issues
• Mobile Apps vs Mobile Web
• Secure communication channel (data privacy)
• Complex device identification, geo-location and reputation
– Assurance to tie this to a user
– Monitoring
Mobile is personal, an extension of You
Source: Deloitte, May 2014, Mobile Financial Services: Raising The Bar on Customer Engagement
• It’s never a question of ‘if’ I get hacked, but ‘when’ I get hacked…
– Hackers are continuously finding and exploiting the weakest link
• Effective monitoring is key to detecting fraud and preventing attacks
• Complex analytics of user, device and system data, and behavioral modeling provide intelligent detection
• Mitigation processes
Hackers hack and they will continue to hack
Poll Question 4: Education Programs
How do you provide customers/members with tools and tips to safeguard their online and/or mobile banking experience? (select all that apply)
a. Online Banking Application
b. Mobile Banking Application
c. Email
d. Text/SMS
e. In-Branch
f. Other
g. We do not provide any tools or tips
• Customer Awareness & Education
– DOs and DON’Ts
– Alerts and Notifications
• Attacks, risks etc.
• Internal Training
Secure people, not just the technology
1. Be vigilant.
2. Protect your devices.
3. Protect your passwords.
• Create password groups.
4. Do not share your passwords.
5. Use trusted applications from known and trusted sources.
6. Access trusted websites.
7. Be careful of email content, even if it’s from a known person.
* Feb 1st – National Change Your Password Day
What you can do . . .
Effective security strategy – elements for prevention, monitoring and remediation
Multi-factor authentication
Layered security controls
Transaction monitoring
Marketing programs for customer awareness and education
Annual risk assessment
Security and Compliance Checklist
Thank you!
Next webinar, October 2014: Trends in Delivery: Channel Convergence and Funding Innovation, David Potterton, Cornerstone Advisors
Visit Us: www.digitalinsight.com