Garland Group Blog

Archive for April, 2007

Identity Theft Task Force Report and How it Affects Community Banks

The Community April 27th, 2007 0 Comments

The President’s Identity Theft Task Force released its report and website on Tuesday with 31 recommendations to help reduce identity theft and fraud. The report contains overarching recommendations such as consumer education and harsh punishments for criminals. I believe that some of these findings will eventually trickle down and affect the auditing guidelines of banking regulators. Most banks are already doing many of the items listed in the report, and GLBA audits should ensure that customer data is being adequately secured. But I did see some recommendations in the Task Force report that might create some extra work for banks…

1) Reducing the unnecessary use of Social Security numbers (you’re not sending TINs through e-mail, are you?).
2) Guidance may be published soon to make disclosures of compromised customer information more uniform. This will need to be incorporated into Incident Response Plans.
3) General consumer education; maybe brochures or even Webinars could be posted on websites about protecting personal data from identity thieves.
4) Increased authentication mechanisms which may include additional verification at the time of account opening. You didn’t think Multi-Factor Authentication for Online Banking was going to be enough did you?
5) Increased training for the private sector on assisting identity theft victims. Banks may need to retain materials relating to compromised customer accounts for investigative purposes or to assist law enforcement agents.
6) A uniform Identity Theft Report Form will be created, which may change authentication procedures or account-opening procedures.
7) Another recommendation from the report mentions “Initiating discussions with Financial Institutions on countermeasures to identity theft.” So be ready to get some additional input from regulators on fraud countermeasures, or to attend mandatory training sessions for BSA or security officers.

There are some really great initiatives that the Task Force proposes, especially about trying to make it easier for victims to recover. I just hope the FTC can follow through and get these strategies in place ASAP before identity thieves get ahead of the curve…again.

USB Flash Drives- What’s the Problem?

The Community April 25th, 2007 1 Comment

A flash drive is described by Wikipedia as “flash memory data storage devices integrated with a USB (universal serial port) interface”. Capacities range from 32 megabytes to 64 gigabytes. They are very compact, lightweight, removable and rewritable.

These devices can be used to load data, malicious or legitimate, onto a PC; to copy information and move it from one PC to another; or to copy data and take it offsite. This is becoming a problem for network administrators in financial institutions and other companies that store sensitive customer information.

When a flash drive is plugged into a USB port, the operating system automatically recognizes it, loads the device driver, and allows file transfers to take place through Windows Explorer or similar applications.


What to do?

  Set up training to make personnel aware of the positive and negative aspects of flash drives.

Write a Policy that incorporates the following concepts:

  Forbid the use of flash drives except by personnel who have been approved by the bank’s technology group or network administrator. Include guidelines on the repercussions if employees are found using unapproved flash drives.

  No customer data is to be taken offsite except for approved business purposes. If a flash drive is taken offsite, ensure it is encrypted.

  Personnel are not allowed to load data onto a PC from a flash drive of unknown origin without the approval of the network administrator or technology supervisor.

Additional items to be considered:

  The financial institution can supply flash drives to approved personnel. The supplied flash drives will be encrypted and password protected.

  Install software on the network that will detect and block any storage device that is not approved by the Information Technology Department. Using Group Policies in Windows to disable USB ports is not a workable solution.
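As a concrete version of the detection side of that last item, here is an added PowerShell example; it is not code from the original post or from any product the post mentions. When Windows loads the driver for a flash drive (the automatic recognition described above), it records the device under the USBSTOR enumeration key in the registry. The script reads that history and flags every device whose hardware serial is not on the institution’s approved list, which gives an administrator a quick way to find out whether unapproved drives have ever been attached to a workstation. The approved serials are constructed placeholders; the registry path and the FriendlyName property are standard Windows ones.

```powershell
# Added example: audit USB mass-storage devices that Windows has enumerated on this host
# and flag any whose serial number is not on the approved list. Not code from the post.
# Run in an elevated PowerShell session on the workstation being checked.

# Constructed placeholders: replace with the serials of the bank-issued, encrypted drives.
$ApprovedSerials = @(
    'APPROVED-SERIAL-0001',
    'APPROVED-SERIAL-0002'
)

function Get-UsbStorageHistory {
    # Windows records every USB storage device it has loaded a driver for under USBSTOR.
    # Each subkey is a vendor/product string; each child key is one device instance whose
    # name starts with the hardware serial, followed by '&' and an instance suffix.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path -Path $root)) { return }

    foreach ($modelKey in Get-ChildItem -Path $root) {
        foreach ($instanceKey in Get-ChildItem -Path $modelKey.PSPath) {
            $instanceId = $instanceKey.PSChildName
            $props      = Get-ItemProperty -Path $instanceKey.PSPath

            [pscustomobject]@{
                Model        = $modelKey.PSChildName
                Serial       = ($instanceId -split '&')[0]
                FriendlyName = $props.FriendlyName
                # Devices with no hardware serial get a Windows-generated ID whose second
                # character is '&' (e.g. '7&1a2b3c4d&0&'); those can never be on an allowlist.
                HasSerial    = -not ($instanceId -match '^.&')
            }
        }
    }
}

function Test-UsbStorageCompliance {
    param([Parameter(Mandatory)][string[]]$Approved)

    foreach ($device in Get-UsbStorageHistory) {
        $isApproved = $device.HasSerial -and ($Approved -contains $device.Serial)
        $device | Add-Member -NotePropertyName Approved -NotePropertyValue $isApproved -PassThru
    }
}

$report = Test-UsbStorageCompliance -Approved $ApprovedSerials
$report | Format-Table Model, Serial, FriendlyName, Approved -AutoSize

$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} unapproved USB storage device(s) have been attached to {1}." -f `
        $unapproved.Count, $env:COMPUTERNAME)
}
```

The registry history only shows devices that have already been attached, so this is an audit that supports the policy rather than a block; the blocking itself still needs the device-control software the item describes. Running the script from a central console against each workstation, and reconciling the serials against the inventory of bank-issued drives, is the practical way to check that the approval rule is actually being followed.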

The Importance of "Due Diligence"…

The Community April 19th, 2007 0 Comments

“Good security design takes time, and necessarily means limiting functionality. Good security testing takes even more time, especially if the product is any good. This means the less-secure product will be cheaper, sooner to market and have more features.”

Full Article Here

This article is another reason why Bruce Schneier makes a lot more money and is far better known in the industry than I am. He takes a complex topic and relates it in very clear terms, something I’m not nearly as gifted at.

Anyhow, this article is a good, quick read on some of the problems facing the infosec industry. It illustrates the risks involved in selecting security products and underscores why due diligence in project and change management (especially in IT) cannot be overstated. IT cannot be left on an island by itself. IT departments need the assistance of experienced individuals in product testing from across the enterprise, and even from outside the organization.

RiskKey Preview | Coming soon!

The Community April 11th, 2007 0 Comments


Now that we are in the final stages of the newest version of RiskKey, we’d like to give you a sneak peek at some of the things we are bringing to the product, in the hope that it makes the risk assessment process much easier than it has ever been.

A bit of background

RiskKey is a risk assessment app that we created a couple of years ago to do risk assessments for all of our clients when we do FFIEC audits for them (and still do). We built it for our own use, but after a while realized, “Hey, bankers could use this themselves for their own risk assessments outside of IT!”

So we looked at our little application, gave it a real good scrubbing, took out the ‘hard-to-do, frustrating parts’ and threw in some ‘easy, fun, and collaborative parts’, and I think we have something that bankers (of ALL technical abilities) can use and that makes them feel like rock stars!

The Goals

When we were brainstorming on what we wanted this app to be, we came up with a few really important goals:

Simplicity – Risk assessment is one of those processes that can be difficult and, in our opinion, gets over-complicated by many. So we took the opposite approach when building this application. We want an app that is more focused, without needless “features”, and that concentrates on ease of use. For us, less is more.

Collaboration – We spent time with bankers understanding how they currently do their risk assessments and found that it usually ended up on one person’s shoulders. So we wanted to build an application flexible enough for a single person to use, yet scalable enough for multiple people to share the duties of completing risk assessments across the financial institution. This will be perfect for audit/compliance managers who manage the audits but want others to do the risk assessments for their departments.

Community – With this app we also want to build a sense of community and sharing. So we built the ability, within the application, to share risk templates between users of the system, because we believe that if we help each other, we can all get things done faster and more accurately than if we did it by ourselves. So if you need to do a BSA risk assessment, just search among the community, use their template, and that’s it. We dig that whole ‘collective intelligence’ concept.

Alright, more to come later. We are very excited about our product, and as soon as it is launched be sure to sign up for a free trial. If you’d like to be contacted once it’s released, just sign up and we’ll e-mail you. Don’t worry, we won’t give out your e-mail address to anybody.