Top Ten 2011 Bank Information Security Issues
Our third year coming up with a “year-end article” for Dan’s New Leaf exudes a few new “controls” that we’ve implemented to mitigate “year-end article risk!” Yes, new controls!
I actually had enough foresight to poll my management team. I couldn’t be there for the brainstorming meeting, so they sent me an e-mail with “Top 10-ish” in the subject. I guess the “ish” part reflects that they proposed twelve different issues as the top ten concerns! This “ish” must have been included to address any accusation that we don’t know how to count!
So we pruned and combined, and then made a major decision. See, last year I predicted Mobile Banking would dominate 2011, not realizing that the supplement would be released in June. So, we decided that rather than incorrectly predicting what will happen in 2012, we are going to list the top ten things that happened in 2011, which should impact what we do in 2012!
Here they are!
Number 1: June 28th, 2011
I’m sure everybody’s “top ten things in banking” list includes this one day, the day the supplement was released with very little warning and lots of teeth. The best way to sum this up is from a comment that was made during the Examiner Panel at the 2011 Indiana Bankers Association IT Security Conference held in Fishers, Indiana:
“We’re no longer just the eyes and ears of the federal government. This [supplement] makes us the eyes, the ears, AND the voice of the federal government.”
This person was referring to the way the supplement combines awareness training with guidelines for how we authenticate our customers. Proving that “2011 was the Year of the Supplement,” three implications of the supplement made our top ten list: 1) Customer Awareness Training (The Voice), 2) Authentication Risk Assessment, and 3) Detect and Response.
Number 2: Our Bank Becomes the Voice of the Federal Government
Customer Awareness Training. It’s finally a requirement!!! As much as Infotex has pushed for this particular business process since the turn of the century, we rarely saw the response that we are now seeing thanks to the June 2011 Supplement to the 2005 Authentication Guidance. We have already released a white paper on the subject, and we’ve been working diligently on a “customer awareness training strategy” boilerplate and hope to release one soon. We believe that by the end of first quarter 2012, you should have your strategy in place, and you should be starting to meet the tactical objectives of that strategy. It may be a subject of your next examination!
Number 3: Google Keeps Creating
The innovation at Google just keeps coming and coming, with the new Android Operating System and the September 2011 introduction of Google Wallet, a new standard competing with other major giants in the “wallet capabilities” space for mobile banking applications. Most human beings are now wise to the extreme search advantages that come with integrating a search engine with your browser, and Chrome is becoming as standard on endpoints as IE was five years ago. We predict that Google Wallet may substantially impact mobile banking, and that small bankers may be offering wallet capabilities sooner than you think!
Number 4: Near Field Communication
As a person who saw first-hand the devastation caused by the “Beta vs. VHS” format wars in the early 1980s, I watch with great interest as the Mobile Banking marketplace tries to “discover” a standard that all will settle on when it comes to the mobile wallet. Google’s recent introduction of Google Wallet, which uses NFC as its architecture, notwithstanding, we are seeing NFC as an up-and-coming buzzword, and I expose myself to reputational risk by predicting that NFC may become the standard that is adopted by most mobile banking application formats.
What makes NFC stand out to me includes not only the technology itself, which promises to offer tap-n-go convenience in the “point of purchase checkout process,” but also the organizations who are members of the NFC Forum, including: Microsoft, Sony, Visa, Mastercard, American Express, AT&T, Google . . . the list goes on.
Number 5: Fair and Partly Cloudy No More
Cloud computing, already hailed as the great ROI in business technology, expanded its appeal to the consumer market in 2011. Apple’s embrace, coupled with the cost and convenience advantages in almost every area of technology, has caused cloud computing to be the primary architecture for future development. Now: how will we bankers become the voice of the government with our Customer Awareness Training programs related to cloud computing? The risks we have identified apply to the consumer as much, if not more. How will these risks intersect with branchless banking? We believe that your customers storing data “in the cloud” may become an item on your next risk assessment!
Number 6: Mobile Malware
Not only does the notion of Zitmo (Zeus in the Mobile) frighten us bank information security officers, but the fact that 80% of smart phones have NO malware prevention software puts the notion of key loggers and text interceptors (can you say one-time-password) on the top ten radar. We’re seeing clients struggle with the risk management issues. The lack of control slaps them in the face, as they recognize that while customer awareness training may lower impact especially on the legal risk side, it does nothing to lower likelihood since we can’t force our customers to use good practices.
Or can we?
Can this three-word question be explored in 2012? Are there ways we can coordinate a Contractual / Network-Access-Control approach to enforcing customer awareness controls?
Number 7: Authentication Risk Assessments
The propensity to require drill-down risk assessments as we were required to do for Red Flags, Social Media, and Mobile Banking was inherent in the June 2011 Supplement to the 2005 Authentication Guidance. If you haven’t already done so, you should inventory all “branchless banking assets” at the transaction level, calculate inherent risk as it pertains to authentication (using factors described in the original guidance), inventory authentication controls, and calculate residual risk. We’ve got a template, give us a call! We believe your examiners may be asking for this next year!
Number 8: Detect and Respond
One other far-reaching implication of the Supplement to the 2005 Authentication Guidance is the notion that we now need to detect anomalies in high-risk transaction assets and respond in some manner that will confirm authentication. We’re seeing smaller clients try to work out manual capabilities, but we believe the anomaly detection vendors cheered on June 28th, 2011. We think detect and respond may be a very hot topic in 2012.
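As an added illustration (not code from Dan’s post or from any Infotex product), here is a small rule-based anomaly detector of the kind the Supplement’s “detect and respond” expectation points at: it replays constructed transaction records, flags new devices, outlier amounts, large first payments to new payees and bursts of activity, and maps the strength of the signal to a response that confirms authentication before the transaction is released. The field names, thresholds and sample records are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample transactions for this example (not real bank data).
# Each record: (txn_id, customer, device, amount, payee, new_payee)
TRANSACTIONS = [
    ("t1", "cust-a", "dev-1", 120.00, "electric-co", False),
    ("t2", "cust-a", "dev-1", 95.50, "water-co", False),
    ("t3", "cust-a", "dev-9", 4800.00, "new-vendor", True),   # new device, big, new payee
    ("t4", "cust-b", "dev-2", 60.00, "gas-co", False),
    ("t5", "cust-b", "dev-2", 75.00, "grocery", False),
    ("t6", "cust-b", "dev-2", 80.00, "grocery", False),
    ("t7", "cust-b", "dev-2", 70.00, "grocery", False),       # fourth in one window
]

NEW_PAYEE_LIMIT = 1000.00   # assumed policy threshold for a first payment to a new payee
OUTLIER_FACTOR = 3.0        # flag amounts more than 3x the customer's running average
VELOCITY_LIMIT = 3          # flag the 4th and later transactions from one customer

def score_transactions(transactions):
    """Replay transactions in order and return {txn_id: (reasons, response)}.
    Baselines (known devices, average amount, count) are built only from earlier
    records, so a customer's first transaction never trips the device rule."""
    seen_devices = defaultdict(set)
    amounts = defaultdict(list)
    counts = defaultdict(int)
    results = {}
    for txn_id, cust, device, amount, payee, new_payee in transactions:
        reasons = []
        if seen_devices[cust] and device not in seen_devices[cust]:
            reasons.append("new_device")
        if amounts[cust] and amount > OUTLIER_FACTOR * mean(amounts[cust]):
            reasons.append("amount_outlier")
        if new_payee and amount >= NEW_PAYEE_LIMIT:
            reasons.append("new_payee_large")
        if counts[cust] >= VELOCITY_LIMIT:
            reasons.append("velocity")
        # Response ladder: the stronger the anomaly signal, the stronger the
        # re-authentication demanded before the transaction is released.
        if len(reasons) >= 2:
            response = "hold_for_out_of_band_confirmation"
        elif reasons:
            response = "alert_and_monitor"
        else:
            response = "allow"
        results[txn_id] = (reasons, response)
        seen_devices[cust].add(device)   # update baselines after scoring
        amounts[cust].append(amount)
        counts[cust] += 1
    return results

if __name__ == "__main__":
    for txn_id, (reasons, response) in score_transactions(TRANSACTIONS).items():
        print(txn_id, response, reasons)
```

In a real deployment the baselines would come from the customer’s transaction history rather than from the replayed batch, and the “hold” response would trigger the bank’s out-of-band call-back or one-time-code procedure.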
Number 9: Gesture Recognition
Okay, this might not impact you in 2012 per se, but it’s so cool we included it anyway! Biometrics has been the ever-elusive but always-promising solution to authentication and 2011 shows us a bit of an advance with the new Android Operating System’s release. But biometrics will also be leveraged for regular input. Human gestures used as input, made popular in the gaming market with such systems as the Nintendo Wii and Microsoft’s Xbox Kinect, are seen as an innovation that will continue to evolve . . . revolt might be a better word . . . over the next few years. While we certainly don’t list gesture recognition as a control in our authentication guidance, we believe mobile biometrics and human gesture input may eventually cross over into banking applications. Imagine your customers logging into on-line banking with their Wii.
Imagine doing a dance to unlock your car.
Number 10: Event Log Management
Our final (and self-serving) declaration is that in 2011 we saw auditors and examiners take a more detailed look at how bank information security professionals are watching their event logs. Of course, this is also the year that Infotex finished our own ELM Visualization Interface, which we believe will position us well to help you respond to this new challenge. And notice, I used “will” instead of “may” in that last sentence!
Well there it is, our top ten list for twenty eleven. And you can see that yes, we installed new “risk management controls” such as using “may” and “should” instead of “will” in our predictions (lowers likelihood), looking backwards instead of forwards as much as possible (lowers impact), and, of course, using “we” and “us” and “our” as much as possible (transfers risk)!
See, I’m a risk manager at heart, even when I write top ten lists!
Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex
“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”