Internet.com ISP-Planet
WSTA: Risk Management

The financial industry's risk management standards are high, and I attended this seminar by the Wall Street Technology Association to learn about them.

by Alex Goldman
ISP-Planet Managing Editor
[February 12, 2009]
On a snowy morning in January, the Wall Street Technology Association convened a panel of experts to discuss the topic of the day, risk management.

The panel was moderated by Jim Routh, Chief Information Security Officer of the Depository Trust and Clearing Corporation and board member of the WSTA. He pointed out that risks have grown as attacks have become more devious. "Now attackers use a browser injection. The injection is a downloader that pulls down more malware. It's designed to be undetectable by anti-virus software."

So what do you do?

Linda Cooper Angles of the Guardian Life Insurance Company said that you need to control every device on the network. You limit portable storage devices and you control what devices can connect in conference rooms.

Michael Lamberg of NYSE Euronext said that you need to enable people to come in from a kiosk or personal machine. In all of these situations, he said, security experts will fear split tunneling: the internal network is exposed to the internet through a computer that has access through the firewall but is located outside your network.

Johna Till Johnson, president and senior founding partner of Nemertes Research, said that in conversations with practitioners she's finding that virtualization projects are underway with little or sometimes even no thought to the security consequences.

She added that some view Macintoshes as a solution to "Lenovo and Microsoft throwing up on their shoes" but that because Macintoshes are becoming more popular, she expects to see Mac Trojans in the near future.

You need a budget for security
Many companies are cutting or freezing their IT budgets, but the Bank of New York Mellon cannot, because of recent publicity surrounding a data breach.

The presence of Conroy (of Bank of New York Mellon) at the seminar was particularly valuable and shows the strength of the commitment of the U.S. financial industry to solving security issues by talking honestly about them.

Conroy noted that in most businesses, security projects are driven by compliance and auditing, which may not be the core concern of the security experts themselves.

Implementing security in a massive global organization doesn't happen overnight, even with a mandate. There was only so much he could say about the project, but he did describe its scope.

"We started with device management. We have over 100,000 IP addresses on 280 sites. We have 47 domains. We need to be able to check that anti-virus is running. We track identities back to payroll, which has the most up to date information. We use ArcSight and Symantec."

One way to handle remote devices, said Lamberg, is to limit the access given to them. Also (and this may seem obvious) you need to keep an eye on outbound traffic.

The human element
"I'm an engineer, but this is not a pure tech issue," said Cooper Angles. "You need to raise awareness and you need to have management buy-in."

Denis Brixius, CSO of The McGraw-Hill Companies, agreed. "People are carbon-based units and devices are silicon-based. You cannot patch carbon-based units."

But you can use technology to track people. Routh, the moderator, said that JP Morgan Chase has "perhaps the most massive endpoint and vulnerability management system."

Gabriel Lopez-Walle, of JP Morgan Chase, admitted that the project is huge but noted that the goals are basic:

1) Ensure all systems are patched
2) Check that anti-virus is up to date
3) Check that firewall is up to date
4) Check encryption

What makes all of this complex is the number of different devices from different vendors that the system has to work with. In spite of those obstacles, "it's working and it gives us a good view," he said.

Because she is a security analyst and not in charge of security for a bank, Johnson was free to point out the key flaw in any system: people who have the authority to override the safeguards. "Executives can take any laptops with them and any data. In practice, they rarely do it, but they could."

Johnson said that nobody should carry data into the U.S., because the government is authorized to examine and seize any data imported into the country.

Brixius noted that executives can copy data they need to take with them onto a disposable USB drive and destroy it before they return to the U.S. Then they will carry no data through customs. He added that McGraw-Hill, as a publishing company specializing in financial data, has some road warriors with less technical knowledge than those at most Wall Street companies, and who believe strongly in their First Amendment rights.

Routh, the moderator, said that the younger generation, those who went through college using Facebook, are accustomed to not just receiving information but also to publishing it. So how do you control that?

Lopez-Walle said that identity at the moment is a "certificate mess" and that people frequently lose certificates and passwords. Conroy said that users need to memorize so many passwords that they frequently re-use the same one.

Lamberg added that Gmail is not compliant with the data standards of the financial industry (for security and record keeping and privacy). Johnson said that everyone should read the Gmail privacy policy because information sent to a Gmail account is partially owned by Google.

Michael Kirkland, PR for Google, contacted us after the session and pointed out that business customers using Google's Enterprise version will be compliant. It's only those employees who use regular Gmail without permission who put their business at risk.

Routh concluded, "we spend a lot of time trying to persuade people to do things they don't want to do."

I would add that ISPs have similar issues.

—End

Related articles:
  [Feb. 6, 2009] WSTA: Security Threats
  [Feb. 21, 2008] WSTA Seminar: Insider Threat Detection and Response
  [Dec. 20, 2007] PAETEC Plans to Offer More With Upcoming McLeod Merger