The Credit Union Technology Ecosystem
The Challenge of the Credit Union Technology Ecosystem
CUNA Directors Conference
October 1, 2003
Bob Ferderer – CUNA Mutual Group
VP Internal Operations & Security
Agenda
• Technology Trends
• Regulatory Environment
• Security Considerations
• Privacy Implications
Access
Technology Trend 1
• The Internet is Everywhere
The Digital Divide aside – we will be online everywhere, all the time.
UCLA Report estimates that 72% of all Americans were online in 2001 (10 hrs/wk)
• Broadband
Dialup is still restricting effectiveness
Cable and DSL growing to 18% of households now and 50% within 4 years
Watch Starbucks and others for wireless broadband
• Interactive TV
Watch the game manufacturers and Microsoft
• Wireless
The rest of the world has “got it”
Cell phones are coming on strong with features
Shopping
Technology Trend 2
• 2001 Brought Legitimacy – 2003 Established It
Convenience, wider choice, competitive prices, easy access win
• Consumers Still Leery
Some lack confidence and fear identity theft and security
• Auctions
eBay is thriving - others are trying to emulate
• Content on demand
Music, games, movies – in spite of the industry lawsuits
Napster was deemed illegal but the business model is expanding
• Dynamic Pricing
Comparison shopping is the model – for simpler consumables
Discounting is everywhere
Finances
Technology Trend 3
• One-stop Financial Shopping
Very complex and not practical in the short term
Financial data consolidation will continue
Simple models still prevail – lending applications, term insurance, etc
• Infomediaries Are Still Struggling
Regulatory constraints on banks and credit unions removed
No one has yet created the “Holy Grail” financial supermarket
Internet is widening the choices not narrowing them
“Clicks and Bricks” are winning – Branches, ATMs and the Internet
• Aggregator Value is Questionable
Off-line personal control - Quicken, Money
Online .coms - Yodlee and OnMoney
Information Management
Information Trend 4
• Information Characteristics
Volume of information available is overwhelming
Expensive to store
Difficult to analyze
Critical to protect
• Extended Personal Information
Aggregated financials
Bill payment patterns - presentment challenging
Purchase patterns
Automated location identification – RFIDs
• Click Stream Data
Behavior inferences
“Cookie” tracking
Huge amounts of data and abuse potential
Privacy
Technology Trend 5
“Using the net and preserving your privacy are becoming mutually exclusive activities”
Peter Carbonara – Technology 2000 – Money
• 90% of online consumers want the right to control how their personal information is used
• 80% of Net users want privacy policies that specifically prohibit the sale of their data to anyone
• 32% of online users lie to Web sites about their personal data
Forrester Research - 2000
Regulation Environment
The good news is that they are all “substantially similar”:
• Gramm-Leach-Bliley Act
• HIPAA
• Patriot Act
• State Insurance Regs
• CUSO
• SEC
• NCUA 748
• Credit Unions
• Business Partners
• FTC
• California Notification Statute
The foundation for any good privacy program is a well managed security practice.
Technology Trend 6
• The facts:
27 million victims in last 5 years
Consumer cost was $5 billion
Financial institution cost was almost $48 billion
• FTC received 161,819 complaints in 2002
Double 2001 – the trend is bad
• The targets:
Credit card fraud – 42%
Phone or utility fraud – 22%
Bank (and credit union) fraud – 17%
FTC Press Release – 9/3/2003
“Now we know. It is affecting millions of consumers and costing billions of dollars”
Howard Beales – Director of Consumer Protection – FTC
Identity Management Challenge
Federating you in a Net Fabric – your identity sits at the center of:
• Wireless Devices
• The Web
• Real Time Enterprise
• Personal Devices
• Professional Services
• Consumer Devices
• Commodity Services
The Underground Internet
Technology Trend 7
• The world of “darknets”
Gated communities that run on the Internet
Open only to “members”
• Private file-sharing networks are good – well most of them
Freedom of speech for dissidents in China, Turkey and Iran
Corporate security – protect proprietary information
The debate is just starting on what limits should be placed on private networks:
– Legitimate sharing
– Copyright protection of music, video and software
• The good, the bad and the ugly
Financial institutions use to protect transactions
Music and movie fans use to swap files
Criminals and terrorists use to hide activities
• The technology
Software to control membership – generally password or digital keys – easily downloadable
Encryption similar to credit card transaction protection
What is changing in our business?
Everything (diagram centered on ABC CU):
• Our Employees and Credit Unions – how they do business, where they work and what they expect
• Our Partners and Consumers – what they expect and where they shop
• Our Vendors and Consultants – the number of them, where they are and the way they do business
The Connectivity Dichotomy
The Good News: The Internet opens more doors than ever before.
The Bad News: The Internet opens more doors than ever before.
We are solving more business problems than ever before!
For the credit union this raises the importance of:
• Internal policies and procedures
• Prevention and detection
• Checking all the doors – even the inside doors
• External attack and penetration
• Ongoing monitoring
We are plenty busy these days
• Security risk – hard to measure
– Example 200 CU’s
– 36M attacks
– 0.7% severe
• Volume tripled in last year
– Increase in hacker automation
– More hackers
– More systems infected
– Variants from copycats
The Infection Challenge
• 24 Days for Companies and Users to Protect 50% of the Hosts for Code Red
• 11 Hours for NIMDA and a bit less for MSBlaster
Internet Business Risks
[Two pie charts: Industries Targeted (Financial Services, IT Services, Manufacturing, Food/Drug Retail, Retail, Government, Health, Other) and Emergency Categories (Extortion, Stalking, Info Theft, Fraud, Former Employee, Hacker Intrusion, DoS); the individual percentages are not legible in this transcript.]
Source: Internet Security Systems, Inc – 2Q 2002
Different Security Approach
Fundamental Change Required
• In the past system access was restricted to:
Employees
Some Partners
– People we knew and trusted
• E-Business assumes broader access by:
Employees
Trusted partners
Many unknown others
– People we don’t know
We need a different set of principles, processes and technologies to ensure that our networks remain protected.
Perimeter Erosion
• Companies are opening their networks and systems to:
Consultants
Partners
Vendors
Employees (commuters & remote users)
• Highest perimeter erosion risk to a company
Employees with DSL & cable modem unprotected access
Personal use with corporate assets – kids playing games at home
Partners accessing sensitive information
Unprotected wireless
The Hacker’s Tool Kit
• Laptop and a Pringles can
Low cost laptop
High gain antenna
Duct tape
• Transportation
Drive around
Point and shoot
• Unfettered Access
Free Internet access
Uncontrolled network access – most places
Conduits to the inside
Wireless Environment
Diagram of an authenticated wireless network:
• Wireless Access Point, protected by physical security
• Authorization through RADIUS > Active Directory
• Corporate Intranet behind the access point
• No association due to lack of EAP Authentication (clients that do not authenticate are refused)
Wireless – Easy & Painful
• Setting up these components to make a viable network can be incredibly easy
This is very compelling
And if you think about security, very, very disconcerting
Connectivity, ease of use and cheap trumps security every time
Recent Prices
Access point – $128.00
Laptop card – $69.00
• Security is turned off out of the box – you must turn it on
Old Rules - New Ways
All businesses must enhance the touch and trust they have with their customers in this new electronic enabled marketplace.
Protect Your Customers . . . And Touch Them Gently
What determines our risk?
• Our business
Large - small - cash
• Our security posture
Firewalled - patched - virus protected
• Our visibility
Politically - geographically - economically
• Our connections
Internet - modem - partners - employees
• Our response capability
Detection - reaction
• Our policies
Social engineering - employee awareness
• Luck
Security Program Framework
Components of the framework (key: each rated Reasonable, Needs Improvement or Inadequate):
• Security Vision and Strategy
• Senior Management Commitment
• Business Initiatives & Processes
• Technology Strategy & Usage
• Vulnerability & Risk Assessment
• Policy
• Security Model
• Security Architecture and Technical Standards
• Administrative and End-User Guidelines and Procedures
• Enforcement Process
• Monitoring Process
• Recovery Process
• Training and Awareness Program
• Information Security Management Structure
Source: PricewaterhouseCoopers
Social Engineering
Social Engineering Is The Most Powerful Tool in Hacker's Arsenal
© National Security Institute, Inc.
• Hacker and virus tools have come together
Blended threat
• Employee Awareness
Opening attachments
Participating in surveys
Just going to certain sites
• Verification Process for Sensitive Questions
Internal and external
• Monitor and record calls
Call center processes
• Strong ID’s and Passwords
Positive identification
No sharing
“It is very difficult for companies to defend against social engineering because most people give others the benefit of the doubt and naturally want to help. People, essentially, become a company's weakest link.”
Kevin Mitnick – Convicted Hacker
The “Big Six” of Security
• Policy, standards and awareness
Security is everybody’s job
Data stewardship by the business
• Authentication and access discipline
Capability enabled
Strong passwords
• Security issue reporting process
Train employees to recognize breaches
Call centralized help desk
• Security architecture
Network and application design (domains, firewalls & authorization)
Telephone lines and pcAnywhere
• Hardware and software setup
Templates for equipment (clients, servers, etc) installs
Application development process with vulnerability scans
• Monitoring and vulnerability checking
Attack and penetration studies
Logs, scanning and detection monitoring
The Importance of Policy
• Visible Executive Support
• Establishes Usage Guidelines
• Defines Expectations
• Ensures Enforcement
• Provides Foundation for Legal Action
Managing Security Risk
• Prevention
Firewalls
Encryption
VPN’s
Strong Authentication
Content screening
Anti-virus
Configurations
• Detection
Firewall features
Intrusion detection
Network and system scanners
Misuse pattern detection
Assessment/Self Assessment
• Recovery/Response
Alarms
E-mail, pagers
Restrict accounts (shut-down)
Automated recovery (web pages)
Managed Security Program
Gap Analysis
• Penetration Study
• War Dial Test
• Key Processes
• Activity monitoring
Ensure the Basics
• Management Support
• Security Policies
• Virus Protection
• Maintenance Currency
Prevention Process
• Strong Authentication
• Firewalls
• Secure Builds / DMZ
• Encryption
Detection Process
• Intrusion Detection
• Availability / Log Monitoring
• Misuse Pattern Detection
• Network / System Scanners
Recovery Process
• Alarms / Paging Process
• Restricted Accounts
• Automated Recovery
• Forensics
Test points: Virus protection; Penetration Test Performance
Where do you start?
• Review Policies
• Policy Development and Review
• Management / Board Support
• Authentication, Authorization and Accounting Process (Passwords)
• Technology Inventory and Maintenance Currency
• Training and Awareness
• Implement DMZ
• Evaluate Encryption
• Enhance Monitoring
• Alarms and Recovery
Privacy Data Definitions
• Personal Financial Information
• Public Data
– Name
– Address
– Phone number
– Personal e-mail
– Age/Sex/Race/Heritage
– Marital status
• Non-public Identifiers
– SSN
– Account numbers (CMG, 3rd party providers, credit unions, credit card)
– Policy numbers (CMG, 3rd party providers)
– Brokerage balances
– Account balances
– Mortgage balances
– CC balances
– Salary
– Type of product/policy
– Coverage amount
– Beneficiary
• Personal Medical Information
– Medical history
– Diagnostic and treatment information or codes
– Medical care provider identity information
– Claims and benefits paid
– Claim history
– Co-pay information
“Privacy Pyramid”
Layers from top to bottom:
• Privacy Compliance Reporting / Privacy Compliance Auditing
• Business Developed Operational Procedures
• Privacy Management Structure
• Privacy Policy
• Information Security Foundation
• Management Commitment
• Management Vision
Side label: Compliance
CUNA Mutual Group Proprietary
© CUNA Mutual Group 2002; All Rights Reserved
Policy and Standards Relationship
Legal Guidelines → Policies → Standards
Administrative – Privacy
• Access Controls (T)
• Disclosure of Confidential Information (T)
• Information Classification (S)
• Records Destruction
• Physical Access Restriction
• Storage and Protection (T)
• Transmission Protection (T)
• Administrative System Modification Procedures
• Employee Background Checks
• Employee/Contractor Nondisclosure
• Monitoring and Response
• Security Violations (T)
• Customer Data Safeguard Protection Training (T)
• Auditing Business Processes & Remediation (T)
• Service Provider Oversight
• Customer Compliance Notices
Physical – Corporate Physical Security
• Access Restrictions by Location
• Physical Security System Modification Procedures
• Data Loss Procedures
• Service Provider Arrangements
• Monitoring Systems & Procedures
• Security Breach Response Programs
Technical – Corporate Information Security
• Access Controls
• Activity Logging
• Computer Viruses
• Encryption
• Incident Response Handling
• Intranet / Internet Registration Controls
• Intrusion Detection
• Modems
• Network Hardware
• Passwords
• Portable Computing Equipment
• Remote Control
• Sanitation & Disposition of Electronic Media
• System Modification Procedures
• User ID’s
• Voice over IP
• Wireless Data Network Connection
* Retired 10 Standards
Corporate Technology Usage
• CUNA Mutual Property
• Need To Use
• Productivity
• No Right to Privacy
• Company Business
• No Detailed Standards
* Retired 4 Elements
Key
• No Change
• Change
• New
Security Program Progress Tracking
Framework components, each tracked as Reasonable, Needs Improvement or Inadequate:
• Security Vision and Strategy
• Senior Management Commitment
• Business Initiatives & Processes
• Technology Strategy & Usage
• Vulnerability & Risk Assessment
• Policy
• Security Model
• Security Architecture and Technical Standards
• Administrative and End-User Guidelines and Procedures
• Enforcement Process
• Monitoring Process
• Recovery Process
• Training and Awareness Program
• Information Security Management Structure
Discussion
How much is enough?