Target (TGT) and one of its security vendors, Trustwave, were hit with another lawsuit earlier this week over the wide-scale data breach at the retailer. Two banks, Trustmark (TRMK) and Houston-based Green Bank, are seeking damages of more than $5 million … Link: http://www.foxbusiness.com/industries/2014/03/26/banks-sue-security-firm-trustwave-over-target-breach-report-343636749/
Category: Financial
Big banks staged mega-cyberattack drill last Thursday
An employee sitting at his desk might get a prompt saying, “this bank is having integrity issues with money,” or “you cant make trades over this technical system.” The employee then might role-play talking to an FBI agent — likely an actual one enlisted to help with the drill, said Dave Aitel, CEO of the security firm Immunity, who formerly worked as a research scientist for the National Security Agency.
The financial sector is hoping to prepare itself for a massive, disruptive attack — a growing concern lately, as “hacktivists,” organized cybercriminals and government-spnosored attacks become increasingly large and successful. Though still a far-off doomsday scenario, some security industry experts say the financial sector is vulnerable to cyber-terrorists aiming to damage the U.S. economy. That’s because banks and other financial institutions have to do deal with money flows in real time, with markets hanging in the balance.
Though some skeptical security experts dismissed Quantum Dawn as a PR stunt, SIFMA said the first run was useful in uncovering flaws in the industry’s cyberattack protocols. The trade group found that banks were largely good at sharing information with one another, but bad at making real-time critical decisions for mitigating the threats.
Link: http://money.cnn.com/2013/07/18/technology/security/bank-cyberattack/index.html
As cyber attacks detonate, banks gird for battle
JPMorgan and its peers like Bank of America, Citigroup and Wells Fargo have signed up for Thursday’s drill, which is being organized by Wall Street’s biggest trade group, the Securities Industry and Financial Markets Association, or SIFMA.
They’ll monitor a simulated stock exchange for irregular trading and will be pressed to figure out what’s going on and how to react while sharing information with regulators and each other.
But that was before a wave of cyberattacks last fall, when big banks were forced to temporarily shut down their websites after attackers bombarded them with traffic — akin to overwhelming a phone line with too many calls.
“If you went to banks three years ago, and said, ‘What are your top five risks?’, probably none of them would put cyber on there,” said Karl Schimmeck, SIFMA’s vice president for financial services operations.
The Office of the Comptroller of the Currency, which regulates national banks, recently held a call with community bankers to warn them that they’re not free from danger either: Since September, attacks have been increasingly aimed at businesses with fewer than 250 employees, the OCC says. Customers would have to go through certain steps to get their money back, like filing a claim, showing that they weren’t negligently tossing their account information around and giving the bank time to investigate.
A DRILL BY ANY OTHER NAME: As for the title of Thursday’s drill, the one that sounds more appropriate for an action movie than a bank security exercise, it came about during the creation of the original drill in 2011, which was organized by the Financial Services Sector Coordinating Council.
Varonis welcomes Bank of England’s high levels of concern on cyberattacks
David Gibson, vice president with the data governance software specialist, said that Andrew Haldane of the Bank of England is right to be concerned about the issue, as it is clear that cybercriminals are now after any customer data they can extract from financial services institutions like banks, in order to monetise their frauds.
The key question, the Varonis VP went on to say, is that it is clear that consumers value the security of their data very highly – as witnessed by the fact that 97% of survey respondents said they are more willing to do business with a company that protects their data.
“Our survey results (http://www.varonis.com/research/#maturity) suggest that the vast number of breaches occurring on an almost daily basis indicates that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data,” he said.
“For this reason, all businesses – and not just banks – have a role to play in eradicating their bad digital habits and taking more control of their security by implementing basic security best practices – such as ensuring that staff only have access to the data they need, that all access to all data is monitored, and abuse is investigated,” he added.
Beware The Coming SEC Regulations On Cybersecurity
f the SEC requires details on the material loss from cyber-attacks, the actual reporting of such proof is going to be a tall order on a company that’s already strapped for specialized IT security talent and working at fever pitch to manage risk. Until then cyber incidents continue to financially drain private and public companies, IT must clean up the mess and put a lid on it in order to save face with stakeholders.
As corporate data theft continues and investors demand answers, here are recommended actions companies can take now within their IT departments to ensure they are prepared to not only answer to to the SEC and investors, but also better prepared for managing the risks associated with maintaining and relying on global computer networks:
It’s All or Nothing: With today’s emerging technologies such as cloud computing, mobility and virtualization, it’s important to have a complete view of your IT landscape.
Less is More: Those with experience with Sarbanes-Oxley understand that access and entitlements to financial reporting systems is a vital control to exhibit, mainly due to the potential impact of manipulation of those systems.
Most companies that have their data or systems compromised as a result of security incident know full well the costs of repair and remediation; costs of deploying cybersecurity protections (including software like my company develops), litigation costs and the worst: reputational damage to brands and stock price.
While companies are following the guidance, many that have been the targets of these successful attacks have denied any material impact in their SEC filings – the lack of these filings proves that.
Ramnit sleeping malware targets UK financial sector
But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user.
Trusteer said the malware’s authors have moved to further hide the malware from its intended victims, by making it alter the bank’s FAQ to make it seem as if the bogus messages are entirely legitimate. Anticipating that some suspicious users may reference the bank’s FAQ page, Ramnit authors took the extra step of altering the FAQ section to fit the new process,” said the spokesman.
“By changing multiple entries in the FAQ section Ramnit demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there.”
Link: http://www.v3.co.uk/v3-uk/news/2264999/ramnit-sleeping-malware-targets-uk-financial-sector