International e-Financial WorldExpo, November 19, 2004
Al Decker, Executive Director, EDS Security & Privacy Services
Current Developments in Privacy and Enterprise Risk Management
Agenda
• Introductions
• Key trends in the management of risk
– Challenges and opportunities
– Best practices across the banking and financial services industry
• Dialogue on current issues
– Identity theft
– ATM fraud
– PIN losses
– Web-based fraud
– Over-the-counter check fraud
• Next steps
The complexity of managing corporate risks is greater today than ever before
• Cyber-crime/terrorism
• Money Laundering
• Privacy Issues
• Identity Management
• Counterfeit schemes
• Physical security
• E-Commerce fraud
• Fraudulent financial reporting
• Intellectual Capital Safeguards
• Investor confidence
• Liability
• Business Continuity
• Identity Theft
• Reputation loss
• Compliance with regulations
Phishing-related fraud cost banks and card issuers an estimated $1.2 billion last year (CIO, September 2004).
$10 billion lost to credit card fraud (Meridien)
$15 billion lost to check fraud (FBI, Meridien)
Attacks from anywhere around the globe have become increasingly easy to launch and more destructive
[Chart: attack sophistication (low to high) plotted against intruder knowledge over 1980 to 2000. Techniques plotted include password guessing, self-replicating code, password cracking, exploiting vulnerabilities, disabling audits, back doors, session hijacking, sweepers, sniffers, stealth attacks, auto probes, denial of service, distributed attack tools, staged attacks and cross-site scripting.]
Virus management remains the number 1 “pain point” (Gartner, 2004)
How do Security and Privacy differ?
Security: protection mechanisms
– Authentication
– Access controls
– Availability
– Confidentiality
– Integrity checks
– Retention
– Storage
– Back-up
– Incident response
– Recovery
Privacy: handling mechanisms, the “right” of an individual and fairness of use
– Notice
– Choice
– Access
– Accountability
– Security
Leading companies are seeking effective risk management solutions
• Examining vulnerabilities across every aspect of their organizations, including:
– Internet-exposed systems
– Wireless
– Financial systems
– Affiliates
– Call centers
– Data
• Creating multi-vendor strategies for managing risk
• Linking all aspects of fraud prevention, monitoring and detection into an overall enterprise-wide risk management architecture
• Working with industry groups, government agencies, law enforcement and consumer groups to share information and devise solutions
• Creating a global risk management program with consistent practices and policies
In 1998, Doerig defined “100 Financial Services Risks”
[Chart: “100 Risks in Financial Services”, a word cloud of roughly 100 risk types, including regulatory, interest, FX, market, credit spread, liquidity, collateral, counterparty, settlement, large exposures, data integrity, systems, MIS, outsourcing, insider, hackers, intrusion, rogue trading, theft/crimes/fraud, know your client, control procedures, control environment, project and change management, compliance, legislation, political, social unrest, war, competition, globalization, brand, risk culture, risk appetite and risk capacity.]
Hans-Ulrich Doerig, Vice Chairman of the Executive Board and Chief Risk Officer, Credit Suisse Group
Chart indicates risk variety. All 100 risks have at least an "operational touch".
The greatest risk, however, is not taking one, as the chances for rewards move towards zero.
A logical bundling of risks is needed to set priorities
Enterprise Risk Management
• Credit Risk
– Credit spread risk, direct credit risk, credit equivalent expense, settlement risk
• Business Event Risk
– Shift in credit rating, reputation risk, taxation risk, legal risk, disaster risk, regulatory risk
• Operational Risk
– Transaction Risk: execution order, product complexity, booking error, settlement error, commodity delivery risk, documentation/contract risk
– Operational Control Risk: exceeding limits, rogue trading, fraud, money laundering, security risk, key personnel risk, processing risk
– Systems Risk: programming error, model/methodology error, mark-to-market (MTM) error, management information, IT systems failure, telecommunications failure, contingency planning
– Program Risk: communications failure, timing failure
• Market Risk
– Market Sensitivity: Equity Risk (equity price, equity price volatility, equity basis risk, dividend risk); Interest Rate Risk (interest rate, yield curve risk, interest rate volatility, interest rate basis spread risk, spread risk, prepayment risk); Currency Risk (FX rate, FX volatility, profit translation risk); Commodity Risk (commodity price, forward price curve risk, commodity basis spread risk)
– Portfolio Concentration: economic sector, instrument, major transaction
– Stability: Correlation Risk; Liquidity Risk (market liquidity, liquidity risk)
Financial institutions should evaluate the changing landscape in the context of their specific risks
• Identity theft/Phishing
• ATM fraud
• PIN losses
• Web-based fraud
• Over-the-counter check fraud
• Need to be tied to a business purpose
• Need to show value from reduction of loss or operational cost
• Need to be relevant
• Need to be cost justified
Identity theft is one of the fastest growing white collar crimes in the US
• An ABA Check Fraud Survey found that $3 out of every $4 lost by a community bank to check fraud was due to some form of identity theft
• 4 out of the top 5 consumer complaints regarding identity theft involve financial services
– New credit cards accounts opened
– Existing credit card accounts used
– New deposit accounts opened
– Newly obtained loans
• Consumers suffer much more from new account fraud than from payment (typically credit card) fraud
• Thieves have only a 1 in 700 chance of federal arrest
(Gartner, 2004)
Phishing - one method to obtain personal information
Increase in phishing attacks from December 2003 to June 2004: 1,126%
Phishing could slow the growth of e-commerce by 1 to 2% in 2005
Other methods used to obtain identifying information
• Pretext calling
• Stealing a wallet to use the information or provide the contents to a crime ring
• Fishing credit card or other information out of a dumpster
• Dishonest employees accessing computers connected to one of the credit reporting agencies
• "Insiders" using their access to personnel records to obtain Social Security numbers
• Underground bulletin boards
• Mail theft
• A change-of-address card that diverts mail to the thief’s drop box. The Postal Service has initiated changes to address this
• Application fraud - for example, a pre-approved offer of credit retrieved from the trash with the victim’s identifying information, with the credit card then mailed to another address
• Web sites that sell individuals’ Social Security numbers for as little as $20
Most victims do not know how their identifying information was obtained
ATMs provide access to millions globally
• With the increase in ATMs, comes an increase in criminals looking to take advantage of the technology for personal gain
• ATM fraud is specifically a crime that would not have occurred but for the presence of the ATM
• Requires new strategies, processes and new laws to cover the crimes
1. ATM Card and/or PIN stolen
2. Active ATM card left in the machine
3. Deposit empty envelope
4. False reporting of transaction problem
5. Physical attack on the ATM
6. Robbery at ATM
7. Wiretap on communications links
8. Manipulation of ATM and/or its system software
9. Surveillance, photograph of PIN
Card fraud and PIN loss prevention strategies
Card types
• Stored value (smart) cards
• Debit cards
• Credit cards
Common vulnerabilities
• Lost or stolen
• Alteration and counterfeiting
• Issuance (fraudulent application)
• PIN fraud
• Misuse (exceeding cash transaction and credit limits)
Prevention strategies
• Authentication of identity before issuance of card
• Protection against stolen cards and PINs
• Protection against counterfeiting
• Lower transaction floor limits at which bank authorization is required
• Card restrictions
• Terminal safeguards
• Improved cardholder verification
• Improved cryptography
• Fraud detection software
Web-based fraud - the US leads the world in eCommerce fraud with 47.8% of worldwide fraudulent transactions
• Two major threat types:
– Applications
– Networks
– IT, Business application owners, and fraud managers should work together to understand the threats
• Online banking fraud
– Identity Theft
– Friendly Fraud
– Internal Fraud (Can be the most costly to financial institutions)
• Combination of technology and sound banking practices are essential
– Identification, Authentication, Validation, Monitoring activity, Tracking losses, Training
• New account openings
• Post authentication setup
• Banking enrollment
• Bill payment services
Adopt a consistent and standard definition of “Internet Fraud”
Authentication is key as access increases to more users, from more locations, using more types of devices
• Identity Management will be critical
– The ability to manage (create, modify, delete) all user accounts, user profiles, etc. that can be identified with each person across the heterogeneous IT environment via a combination of user roles and business rules
– The ability to automatically correlate data from HR, customer relationship management (CRM), e-mail systems (and other “identity stores”), and from the managed systems
• Access Management will be the foundation
– Manage (across multiple target systems) an access control policy (or policies), including both policy administration and enforcement.
The problem with access is managing the multiple identities from multiple channels
Identities shown on the slide: jbakerbigdaddy, jbaker257gonefishin, j_baker123456
• Identity Management will be critical
• Access Management will be the foundation
– Manage (across multiple target systems) access control policies, including administration and enforcement.
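The identity-store correlation the two preceding slides call for (matching accounts on managed systems back to HR records, and spotting one person spread across several identities), as an added Python example that is not part of the presentation. The HR records, the account list and the example.test domain are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample "identity stores" (hypothetical data, not from the slides).
HR = [
    {"emp_id": "E100", "name": "Jane Baker", "email": "jbaker@example.test", "status": "active"},
    {"emp_id": "E101", "name": "Tom Reed", "email": "treed@example.test", "status": "terminated"},
]
# Accounts harvested from managed systems: (system, username, e-mail on file or None).
ACCOUNTS = [
    ("online-banking", "jbaker",     "jbaker@example.test"),
    ("call-center",    "jbaker257",  "jbaker@example.test"),
    ("mainframe",      "j_baker",    None),
    ("mainframe",      "treed",      "treed@example.test"),
    ("vpn",            "svc_backup", None),
]


def normalize(username):
    """Canonical handle: lower-case and drop everything but letters,
    so jbaker257 and j_baker both reduce to jbaker."""
    return re.sub(r"[^a-z]", "", username.lower())


def correlate(hr, accounts):
    """Map every account to an HR record (by e-mail first, then by normalized
    handle). Returns (orphans, multi_identity):
      orphans        - accounts with no active owner: (system, user, emp_id or None)
      multi_identity - emp_id -> accounts, for people using more than one username
    """
    by_email = {r["email"].lower(): r for r in hr}
    by_handle = {normalize(r["email"].split("@")[0]): r for r in hr}
    owned = defaultdict(list)
    orphans = []
    for system, user, email in accounts:
        rec = by_email.get(email.lower()) if email else None
        if rec is None:
            rec = by_handle.get(normalize(user))
        if rec is None or rec["status"] != "active":
            # Either no HR record at all, or the owner has left: both need review.
            orphans.append((system, user, rec["emp_id"] if rec else None))
        else:
            owned[rec["emp_id"]].append((system, user))
    multi = {emp: accts for emp, accts in owned.items()
             if len({u for _, u in accts}) > 1}
    return orphans, multi


if __name__ == "__main__":
    orphans, multi = correlate(HR, ACCOUNTS)
    for system, user, emp in orphans:
        print(f"review: {system}/{user} (owner: {emp or 'unknown'})")
    for emp, accts in multi.items():
        print(f"{emp} holds {len(accts)} identities: {accts}")
```

On the sample data the terminated employee's mainframe account and the unowned VPN service account are flagged for review, and Jane Baker's three usernames are reported as one person with three identities.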
Privacy and Identity Management Survey
Objective: To understand the evolving privacy and identity management requirements of consumers and Chief Privacy Officers
Consumers choose convenience over security, while still expecting security. Evidenced by:
• 61% do not want to be forced to change passwords.
• 57% do not want their accounts locked down after three failed attempts to log on or provide ID verification information.
• 74% want to be transferred to a supervisor for assistance and access if they can convince the supervisor of their identity.
• 88% of those that were open to biometrics cite convenience as the main factor in moving to biometrics so they will not have to remember passwords.
69% of consumers are open to using biometrics in Identity Management
• Only 12% said no to biometrics; the remaining 19% are unsure.
• The consumers who will accept the use of biometrics gave these reasons:
[Chart: reasons given by consumers open to biometrics: “Convenience, because I won’t have to remember passwords” (88%); “My information would be more secure” and “Speed up my transaction” (the remaining two bars read 69% and 56%).]
Business issues will drive the identity and access management solution
• Regulatory Compliance
– GLB, HIPAA, SOX
• Business Facilitation
– Self-registration
– Portal and personalization
– CRM and retention
• Cost Reduction or Containment
– Reduce/avoid staff
– Common IAM architecture
• Operational Efficiency
– Improved SLA (<24 hrs)
– Productivity savings
– User convenience
– SecAdmin reporting
• Risk Management
– Audit
Every enterprise will need a centrally managed user identity and access management system
Where to look for vulnerabilities
• People
– New hires/terminations
– Employee fraud
– Unauthorized activity/employee misdeeds
– Loss or lack of key personnel
– Loss of laptops, PCs, PDAs
• Processes
– New account opening and account maintenance, such as name or address changes and closings
– Credit and collections processing
– Compliance failures
– IT and business project/change management
– Business impact assessments
• Systems
– Comprehensive security management and monitoring
– Data encryption
– Systems development and implementation
– New technologies
– System failures/slow responses/lack of market performance
– Systems security breaches
• External
– Contractors/outsourcers
– Agents acting on behalf of the company
– Supply chains, partners
– Customers, consumers
Goal is to understand where problems can occur
• Data During Collection
– Agencies, mail
– Call centers
– Internet sites
– Mobile hot spots
• Data at Rest
– Mainframe, mid-range, servers
– PCs, PDAs
– Wireless devices, including cell phones and GPS-enabled devices
– Fax
– POS, kiosks
– Internet-accessible devices
– Off-site storage and retention
• Data in Use
– Service delivery via mail/email/phone
– Service via branches, call centers and operations centers
– Collection and recovery
• Data in Transit
– Mail
– Email
– Fax
– Wireless
– Files via VPN
– Files via FTP
– Data via courier
• Retiring Data
– Shredding
– Electronic “shredding”
• Data at agents, outsourcers/suppliers
– Data during collection
– Data at rest and in transit
– Data in transit and when retiring
A well-designed risk-management framework will include:
• Risk Management Strategy - Senior management must:
– Sponsor and determine its vision, goals and key performance indicators, and effectively communicate these strategies
• Risk Management Program Development
– Create an office to oversee and drive initiatives
• Policies, Procedures and Standards
– Must be developed, implemented and communicated to effectively support the risk management program
• Operations and Management
– Processes created to effectively implement, maintain and monitor the policies, procedures and performance objectives
• Applications Infrastructure
– Ensure applications have measures that support transaction security and privacy
• Technology Infrastructure
– Information technology designed and configured to lessen the risks in the processing environment
The future of Internet Security will need to address:
New Attackers
• Professionals with different motivations
New Threats
• Greater speed and destructive capabilities
New Platforms
• Web services, instant messaging (IM), wireless, broadband, peer-to-peer, grid computing
New Solutions
• More proactive systems that provide first-strike protection
Source: “Exposing the Future of Internet Security”, Robert Clyde, April 8, 2003
On the Horizon…
• Increased global and industry specific regulation
• Boards of directors and executive management will pay closer attention to their risk governance responsibilities
• ISO17799 will undergo revision as the de facto standard for defining an information security program/architecture
• Organizations will need to boil the myriad standards and regulatory requirements down into a common nomenclature
• This will drive a renewed interest in Generally Accepted Information Security Principles (GAISP)
• Increased focus on certification and accreditation of system security before production implementation
• IT Security Industry is fragmented but moving towards convergence due to market demands which should increase efficiencies and decrease redundancies
• Common Criteria product certification will be more widely pursued and recognized
• Development of a continuous assessment process to manage risk on an ongoing basis
• Privacy and Security institutionalized into business operations
We live in “interesting” times…
• Bill Cheswick on who will win the virus wars
– “There will soon be a virus out there that the virus guys won’t be able to detect”
• Stephen Crocker on denial of service
– “I think denial of service attacks are going to get worse - much worse.”
• Mark Graff on the frequency of Internet-based attacks
– “Very, very soon, it will not be useful to talk about individual attacks at all, but rather about the cluster of pathogens that are trying to get into our networks.”
• And Bruce Schneier on present-day security
– “No one can guarantee 100% security. But we can work toward 100% risk acceptance.”
[Slide graphic: a mock newspaper front page dated April 2, 2001 with the headline “‘Your Company’ a victim of cyberspace crime again: third time in two weeks. Could it have been prevented?”, and a bar chart labelled “Online Attacks” rising from about $1,000 in 1998 to $3,500 in 2002. The body copy is newspaper template filler text about Atlanta Public Schools, unrelated to the presentation.]
Washington Post
Bruce Schneier
Thank You!