Cyber Security Institute


Wednesday, March 26, 2014

Banks Sue Target, Security Firm Over Data Breach | Fox Business

Target (TGT) and one of its security vendors, Trustwave, were hit with another lawsuit earlier this week over the wide-scale data breach at the retailer. Two banks, Trustmark (TRMK) and Houston-based Green Bank, are seeking damages of more than $5 million …



Thursday, July 18, 2013

Big banks staged mega-cyberattack drill last Thursday

About 50 institutions, including banks such as JPMorgan Chase (JPM, Fortune 500) and Bank of America (BAC, Fortune 500), took part in the exercise, called “Quantum Dawn 2.” Each participating institution ran software developed by Cyber Strategies, a Northfield, Vt., firm that specializes in cyber exercise software for financial institutions. Karl Schimmeck, SIFMA’s vice president of financial services operations, declined to share specifics of what the simulated threats would look like, but similar drills in the past have resembled a giant, computerized version of the roleplaying game Dungeons and Dragons.



Wednesday, July 17, 2013

As cyber attacks detonate, banks gird for battle

Banks large and small are girding for an elaborate drill this week that will test how they would fare if hackers unleashed a powerful and coordinated attack against them. Cyberattacks on the banking industry are growing more frequent and sophisticated and the list of assailants is ever-changing: crime bosses who want money, “hacktivists” who want to make political statements, foreign governments that want to spy on U.S. companies. Jamie Dimon, CEO of the country’s biggest bank, JPMorgan Chase, acknowledged that attacks are becoming more complex and dangerous, no longer carried out by “fairly simplistic” hackers commandeering people’s personal computers.



Friday, June 14, 2013

Varonis welcomes Bank of England’s high levels of concern on cyberattacks

“Our observations suggest that the vast number of breaches occurring on an almost daily basis indicates that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data,” said David Gibson, Varonis Vice President. “In the results of a survey we released in April of this year, we found that 91% of people trust businesses to keep their data safe – despite PwC reporting data breaches for 93% of large organisations and 87% of small businesses so far this year,” he added.


Wednesday, May 15, 2013

Beware The Coming SEC Regulations On Cybersecurity

Having been CEO of a public company and now as CEO of a global enterprise software company which provides cyber security and compliance solutions to many public companies, I can attest to the growing complexities and pressures of supply (threats and risk to operations) and demand (regulatory requirements) that must be managed on a daily basis. In his April 9 letter to the SEC Chair, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) urged the SEC to step up the requirements in its guidance (issued in October 2011) for companies to disclose information about their ability to defend against attacks on their networks. “Investors deserve to know whether companies are effectively addressing their cyber security risks — just as investors should know whether companies are managing their financial and operational risks,” the letter said. From this experience I’ve learned that corporate risk is idiosyncratic and varies from company to company, but the SEC looks at it all the same.


Tuesday, April 30, 2013

Ramnit sleeping malware targets UK financial sector

“Trusteer’s security team recently analysed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam,” said a Trusteer spokesman. The malware reportedly avoids detection by staying in an idle sleep mode until its intended victim logs into their online bank account, at which point it activates and presents them with a fraudulent phishing message. “While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account,” the spokesman explained. Once it has the mule account details, the malware enters its final stage, presenting its victim with a second bogus message designed to dupe the user into entering an OTP that will let the malware bypass the bank’s final defence and push a transfer to the mule account.
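The flow above works because the bank’s OTP is a bare code: whatever transfer the session currently holds, the code authorises it. The usual control is to bind the code to the transaction itself. The following Python is an added example, not Trusteer’s analysis or any bank’s code; the key, account identifiers and amount are constructed. It derives the code from the beneficiary and amount, so the code a victim generates for the transfer they intended cannot be replayed against a mule account. The caveat a practitioner should keep in mind: binding only helps when the channel that delivers the code (token display, SMS, app prompt) also shows the beneficiary it authorises. If the malware can get the user to approve a code for a transfer the user never inspected, binding alone does not save them.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions for this example only).
KEY = b"constructed-demo-shared-secret"
INTENDED = ("ACCT-INTENDED-PAYEE", 12_500)   # beneficiary id, amount in cents
MULE = ("ACCT-MULE-0001", 12_500)


def transaction_code(key: bytes, counter: int, beneficiary: str,
                     amount_cents: int, digits: int = 6) -> str:
    """Derive a decimal code bound to one specific transfer.

    HMAC-SHA256 over (counter, beneficiary, amount), then RFC 4226 style
    dynamic truncation to `digits` decimal digits. Changing any field
    changes the code, so a code issued for one transfer is useless for
    another.
    """
    msg = (struct.pack(">Q", counter)
           + beneficiary.encode("utf-8") + b"\x00"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_transfer(key: bytes, counter: int, beneficiary: str,
                    amount_cents: int, submitted: str) -> bool:
    """Server side: recompute the code for the transfer that will actually
    execute and compare in constant time. A code is never accepted for
    anything other than the (beneficiary, amount) it was derived from."""
    expected = transaction_code(key, counter, beneficiary, amount_cents)
    return hmac.compare_digest(expected, submitted)


def replay_against_mule(counter: int = 1) -> bool:
    """Simulate the Ramnit-style swap: the user obtains a code for the
    transfer they intended and the malware submits it with the mule
    account instead. Returns True only if the bank would wrongly accept it."""
    code_for_intended = transaction_code(KEY, counter, *INTENDED)
    return verify_transfer(KEY, counter, MULE[0], MULE[1], code_for_intended)


if __name__ == "__main__":
    c = transaction_code(KEY, 1, *INTENDED)
    print("code bound to intended transfer:", c)
    print("accepted for intended transfer:", verify_transfer(KEY, 1, *INTENDED, c))
    print("accepted for mule transfer:    ", replay_against_mule())
```

The counter plays the role of a per-transaction nonce so the same (beneficiary, amount) pair does not yield a reusable code; in a real deployment the key would live in the user’s token or app and the server would store the last accepted counter.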


A New Source of Cyberthreat Updates

The FS-ISAC is now offering briefings on the latest trends and how to address them, says Bill Nelson, its president. Through a new partnership with the cyber-intelligence firm iSIGHT Partners, the Financial Services Information Sharing and Analysis Center is providing its banking institution members with updates on cyber-attack trends, including data from international markets, Nelson says. “iSIGHT is now providing briefings to our members about how these attacks can be detected and, in some cases, mitigated,” Nelson says during an interview with Information Security Media Group.



Sunday, April 28, 2013

U.S. response to bank cyberattacks reflects diplomatic caution, vexes bank industry

The United States, concerned that Iran is behind a string of cyberattacks against U.S. banking sites, has considered delivering a formal warning through diplomatic channels but has not pursued the idea out of fears that doing so could escalate hostilities, according to American officials. It also reflects the pressure the administration is under from banking industry officials, who want to know what amount of pain or damage will justify a government response. “We don’t have a clear view of what are the triggers — and we’ve asked,” said one industry official who has been involved in discussions with the administration and who spoke on the condition of anonymity. Administration officials say it is difficult and unwise to be too precise about potential responses because they do not want to set red lines that, if crossed, might obligate them to act.



Friday, April 26, 2013

US banking sector vulnerable to hackers

US authorities charged with overseeing the financial sector are worried about its vulnerability to cyberattacks, they said in a report. “Security threats in cyberspace are not bound by national borders and can range widely from low to high security risks,” wrote the Financial Stability Oversight Council in its 2013 annual report published on Thursday.


Friday, April 12, 2013

U.S. On Brink Of Major Cyber Attack From Another Nation - Perhaps North Korea

Philip Lieberman, author and CEO of security firm Lieberman Software, believes the United States is on the brink of suffering a major cyber attack from another nation state that will severely damage the country’s national infrastructure. The security expert has spoken out as the U.S. falls into its latest bout of international confrontation, with North Korea threatening to launch nuclear attacks on the United States and old foe South Korea. But far more likely than military engagement is the use of cyber weapons, and indeed, the North is already thought to have been behind crippling cyber attacks on the networks of South Korean banks and television stations last month, reported ITProPortal. The U.S. and the South have taken action to safeguard their digital infrastructures, last week signing a cyber alliance to increase the sharing of strategies and intelligence between the two nations, while President Obama has been busy bolstering the U.S. cyber arsenal and acquiring legal permission to launch cyber strikes this year.



Thursday, April 04, 2013

The New Normal: Wednesday Is DDoS Day At Citi

Speaking on Wednesday at an event hosted by Purdue University, Mamani Older told an audience at CERIAS 2013 that massive distributed denial of service (DDoS) attacks have become “business as usual” for Citi, and that those launching the attacks have fallen into a predictable schedule. Just this week, American Express said that it, too, has been targeted by DDoS attacks, which harness infected or cloud-based systems around the globe to flood public-facing systems with junk traffic, slowing response times severely or knocking the web sites offline.



Wednesday, April 03, 2013

Cyberattacks on banks signal urgent need for security bill, lawmakers say

A seven-month long assault on America’s banking websites reached a new high recently, further proving that Congress needs to act quickly to pass cyber security legislation, the chairman of the U.S. House Intelligence Committee said. Mike Rogers, R-Mich., made the remarks to NBC News in response to an NBC News report which found that in the last six weeks, 15 of the nation’s largest banks had been offline for a total of 249 hours because of “denial of service” cyber attacks. National security officials told NBC News last fall that they believed Iran was behind the attacks, which have hurt bank sites including Wells Fargo, JP Morgan Chase, Bank of America, PNC and, as recently as this week, American Express.


Hackers attacking US banks are well-funded, expert says

For the third time in the last half year or so, the attackers have mounted DDoS attacks against prominent US financial institutions in order to protest the continuing online existence of a video that they feel vilifies Islam and offends Muslims. “We had a plan in place to defend against a potential attack and have taken steps to minimize ongoing customer impact,” stated an AmEx spokesperson following the start of the attack. Customers of the affected institutions experienced extreme difficulties in accessing the sites and using them for their online banking needs, but things returned pretty much to normal over the weekend. In the meantime, security professionals are pointing out that with every new phase of the operation the attackers have improved their abilities and refined their attack techniques.


Sunday, March 31, 2013

7 Duties for CISOs under FISMA Reform

A House panel approved and sent to the entire House of Representatives legislation to reform the Federal Information Security Management Act, the 11-year-old law that governs IT security in the federal government. The bipartisan Federal Information Security Amendments Act of 2013 unanimously passed the House Oversight and Government Reform Committee by a voice vote on March 20. The legislation, if enacted, would replace the current FISMA law, which relies heavily on a check-list approach to IT security that many people in government contend doesn’t truly show how secure agencies’ IT systems are. An agency’s chief information officer could serve simultaneously as CISO; however, the bill would require that information security be the CISO’s main focus.


Tuesday, March 26, 2013

Wells Fargo says cyber attack disrupting website

Wells Fargo & Co on Tuesday said its online banking website was experiencing an unusually high volume of traffic that it believes stems from a denial-of-service cyber attack. “The vast majority of customers are not impacted and customer information remains safe,” said Bridget Braxton, a spokeswoman for the fourth-largest U.S. bank by assets.  Customers who have trouble should try logging in again because the disruption is usually intermittent, she said.


Monday, March 11, 2013

Australian central bank computers hacked

Computer networks at the Reserve Bank of Australia have been hacked, some reportedly by Chinese-developed malware searching for sensitive information, officials said Monday. The central bank revealed the attacks after investigations by The Australian Financial Review found multiple computers had been compromised by malicious software seeking intelligence. The newspaper said in one attack a Chinese-developed malware spy programme was searching in 2011 for information on sensitive G20 negotiations, where Beijing’s exchange rate and currency reserves were on the agenda.


Tuesday, January 22, 2013

Two-thirds of banks suffered a DDoS attack in 2012

Nearly two-thirds (64%) of banks in the US have suffered at least one Distributed Denial of Service (DDoS) attack in the past 12 months, according to independent research commissioned by Corero Network Security. IT and IT security managers at 650 banks responded to the survey, which also revealed that almost one in two (49%) of respondents had suffered multiple DDoS attacks in the past 12 months. Surprisingly, however, 50% of respondents cited insufficient personnel and expertise and a lack of effective security technology as the key barrier impacting their ability to deal with DDoS attacks.


Friday, May 21, 2010

ID Theft Victims Spending Less In Cleanup Aftermath

Nearly one-third of all identity theft victims say they are unable to completely clear up damaged credit or criminal records in the aftermath of their identities being abused.  But the good news is they’re spending much less time and money cleaning up the fraud perpetrated against them in their names, according to a newly released report.  Most ID thieves (55 percent) used the stolen identities to open new lines of credit, followed by making purchases on stolen credit and debit cards, 34 percent.


Friday, July 27, 2007

Institutions Face Bewildering Web of Breach Notification Statutes: GAO Report

The latest disclosure of a data breach involving financial information points up the need for a comprehensive response program, including complying with federal and state notification laws.  As the number of reported breaches and the ensuing media coverage has escalated, state legislative and federal regulatory bodies have enacted a variety of requirements mandating responses to such events, including customer notification.


Friday, July 20, 2007

Compliance ‘Laggards’ Face Most Financial Risk from Data Loss, Report Shows

The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that can be cost-effectively avoided.  The report, “Why Compliance Pays—Reputations and Revenues at Risk,” finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year.


Friday, July 13, 2007

Financial Institutions Warned New Fast Phishing Kit Found

With the recently discovered “plug and play” phishing kit, a relatively “non-technical” person with the right information could launch a phishing attack against any financial institution. “No technical expertise is needed by the phisher, and it is far less risky as the remote host is only accessed once,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group. The new “plug-and-play” phishing kit reduces the time and effort required of the fraudster by automating the site installation process. The “kit” is a single PHP code file, which is run on the compromised server once, and automatically creates the relevant directories and installs all of the files which are associated with the specific phishing site.
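The kit described above installs itself from a single PHP file, which is also what makes it detectable on a compromised web root: it has to create directories, write files, usually decode an embedded payload, and often removes itself afterwards. The Python below is an added example, not RSA’s kit or code from the article; the indicator list, weights and both sample files are constructed for illustration and are not signatures for any real kit. It scores PHP sources on those behaviours so a responder triaging a web root can pull out self-installing droppers for a closer look.

```python
"""Heuristic triage for self-installing ("plug-and-play") PHP phishing droppers.

Added example; indicators and samples are constructed, not taken from any
real kit. Treat a hit as "look at this file", not as a verdict.
"""
import re

# (pattern, weight, description). Behaviours a one-shot installer cannot
# avoid score highest; generic ones (mail, chmod) only add a little.
INDICATORS = [
    (re.compile(r"\bmkdir\s*\("), 2, "creates directories"),
    (re.compile(r"\b(file_put_contents|fwrite)\s*\("), 2, "writes files"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 2,
     "decodes embedded payload"),
    (re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)"), 3, "deletes itself after running"),
    (re.compile(r"\bchmod\s*\("), 1, "sets permissions"),
    (re.compile(r"\b(eval|assert)\s*\("), 1, "evaluates generated code"),
    (re.compile(r"\bmail\s*\("), 1, "mails harvested data"),
]

THRESHOLD = 6  # constructed cut-off: tune against your own web roots


def score_php(source: str):
    """Return (score, [matched descriptions]) for one PHP source text."""
    score = 0
    hits = []
    for pattern, weight, desc in INDICATORS:
        if pattern.search(source):
            score += weight
            hits.append(desc)
    return score, hits


def is_suspected_dropper(source: str) -> bool:
    """True when the combined indicator weight reaches THRESHOLD."""
    return score_php(source)[0] >= THRESHOLD


# Constructed samples. DROPPER mimics the behaviour the article describes:
# one file that lays out a phishing site tree from encoded blobs and then
# removes itself. BENIGN is an ordinary contact form for comparison.
DROPPER = r'''<?php
$root = dirname(__FILE__) . "/secure-login";
@mkdir($root . "/images", 0755, true);
$pages = array("index.php" => "PD9waHAgLy8gZmFrZSBsb2dpbiBwYWdl",
               "post.php"  => "PD9waHAgbWFpbCgiZHJvcEBleGFtcGxlLm5ldCIsIC4uLik7");
foreach ($pages as $name => $blob) {
    file_put_contents($root . "/" . $name, base64_decode($blob));
}
unlink(__FILE__);
'''

BENIGN = r'''<?php
$name = htmlspecialchars($_POST["name"] ?? "");
mail("support@example.com", "Contact form", $name);
echo "Thanks";
'''

if __name__ == "__main__":
    for label, src in (("dropper", DROPPER), ("benign", BENIGN)):
        s, hits = score_php(src)
        print(f"{label}: score={s} flagged={is_suspected_dropper(src)} {hits}")
```

Run it over every `*.php` under a web root and sort by score; the weighting is deliberately crude, and anything a real kit obfuscates (string concatenation of function names, `chr()` chains) will need additional indicators.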


Friday, June 22, 2007

Online Attacks Increase at Financial Institutions

RSA’s Anti-Fraud Command Center issued its monthly online fraud intelligence report for May, and the statistics show that attacks on U.S. nationwide banks accounted for 33 percent of all attacks on US financial institutions, more than double their share in April.


Sunday, April 01, 2007

VoIP Offers Cost Savings But Also Presents Security Risks

Banks are attracted to Voice over Internet protocol (VoIP) as an alternative to traditional telephone networks because of the potential cost savings, including elimination of long distance charges and the need for only one network to manage both voice and data.  According to the FDIC, VoIP is susceptible to the same risks as data networks that use the Internet, such as exposure to viruses, worms, Trojans and man-in-the-middle attacks.


Wednesday, February 21, 2007

UK Bank Fined $1.9 Million for Losing Laptop

A major financial institution in the United Kingdom was slapped with a nearly $2 million fine for failing to adequately protect customer information.  The Financial Services Authority fined the Nationwide Building Society £980,000 for failing to have effective systems and controls to manage its information security risks.  The fine is directly connected to last year’s theft of a Nationwide laptop from an employee’s home.  During its investigation, the FSA found that the building society didn’t have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime, according to a release on its Web site.


Tuesday, February 20, 2007

CheckFree to Purchase Corillian in Bid to Expand Offerings to Banks

The CheckFree/Corillian deal is just one more example of consolidation in the bank tech space, say experts. Atlanta-based e-commerce services provider CheckFree last week announced plans to acquire online banking solutions company Corillian (Portland, Ore.) in a deal worth about $245 million. The acquisition will bring together Corillian’s online banking platform and complementary suite of financial applications, and CheckFree’s electronic billing and payment, and online transaction services. According to Steve Olsen, CheckFree’s COO, the union will help the company reach further into the online channel as it attempts to expand its client relationships and help those banks it serves do the same.


Thursday, February 01, 2007

Biometric Data Specification for Personal Identity Verification - NIST SP 800-76-1

The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) standard for Federal Employees and Contractors, Federal Information Processing Standard (FIPS 201), was developed to establish standards for identity credentials. SP 800-76-1 describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards.


2007 Bank Technology Forecast: Challenges and Opportunities

The rapid progression of fraud schemes, regulatory initiatives, margin and cost pressures, customers’ demands, and the overall pace of change in technology inundated business and technology management in the global banking industry over the year.  The good news (for some) is that these challenges are setting up a clear playing field upon which the winners will be separated from the losers more so than at any time in the past decade.  Some of the more critical and far-reaching priorities bank technology and business leaders will need to address in 2007 are outlined below. 
Fraud-Detection and Security Technologies
Analytics for Marketing, Risk & Business Performance
Service-Oriented Architecture



Monday, January 22, 2007

Hackers to target mobile banking, study says

This year could see a sharp rise in hacker attacks on Internet-enabled smartphones as a number of new banking and payment initiatives enter the mobile channel, a research group warned Monday.  The Tower Group, a research and advisory company focused on the financial services industry, believes that many mobile commerce offerings now emerging from the financial services sector “lack a reasonable and justifiable focus” on mobile security.



Monday, January 01, 2007

Banks Starting to Embrace Concept of Financial Supply Chain Management

It was the talk of the town at the October 2006 Sibos conference in Sydney.  Yet beyond payments circles, few in the financial services industry may actually know what financial supply chain management is.  But all that is about to change, according to insiders, as the concept rapidly becomes the norm among banks that wish to maintain a foothold in an increasingly globalized world where their clients’ business dealings expand across borders and time zones.  Financial supply chain management is an outgrowth of the long-established concept of the physical supply chain in the trade business.  Rather than dealing solely with the actual physical/logistical aspects of trade, however, financial supply chain management, as the name implies, covers the payments side of trade, from the moment a purchase order is cut, to the time of settlement and everything in between.


Friday, December 22, 2006

Financial Institutions Face Tight Compliance Requirements in 2007

In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls.  Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.  These laws include both proactive components (having an information security policy, implementing access control technology) and reactive components (disclosure of security breaches).