Slideshow Cybercrooks Aim Small In Latest Breaches

  • September 27 2011, 11:00pm EDT
10 Images Total

Smaller Targets

Cybercrooks are switching from the sweeping Heartland-style breach of years past to a focus instead on smaller, more tactical attacks that are more difficult to spot and counter.

Inside Information Leaked

One of most recent bank victims is Citigroup, which in August reported a pair of data breaches. One exposed more than 92,000 customers in its Japanese card unit, when a person affiliated with an outsourcer illegally obtained inside information for a third party. But there was a bright spot to this unwelcome episode. Citigroup said that personal identification numbers were protected, so unauthorized use of the personal data to commit card fraud was unlikely.

Content Continues Below

Big Hits

Citigroup is just one of a number of major financial institutions and firms outside of financial services to experience data breaches in the past year, with targets ranging from other large banks such as Capital One Financial Corp. to retailers such as Michaels Stores and government institutions as large as the U.S. Senate.

Breach Black Eye

Each breach is a new black eye, giving assailants access to internal systems, where they can attach malicious software, find additional weaknesses to exploit, obtain information for whistle-blowing campaigns, or launch phishing attacks that dupe consumers and staff to turn over even more sensitive information. And leaks are particularly vexing since they are very easy to cause–a simple emailed attachment to an employee's home PC or mobile device, and a subsequent return email, can mistakenly compromise the PC, the attachment and the bank itself.

Cross Channel Protection

Create a cross-channel data protection plan. At Huntington Bank, chief information officer Zahid Afzal is busy working on a three-year information-control program, in which every aspect of how the bank distributes information will be examined across all mediums and channels. One of the goals is to strengthen controls and access surrounding data and usage that is consistent across all business lines and activities, so there aren't different approaches to data security for different locations or departments that could inadvertently present opportunities for unwanted exposure.

Content Continues Below

Curb Web Surfing

One theme that came up repeatedly among security experts is how easy it is for seemingly normal business activities of internal staff to accidentally expose an entire institution to a data breach. Email attachments, using personal mobile phones for work, and using home PCs for work can all indirectly place sensitive data in compromising venues. That includes Web surfing at workstations. Julie Conroy McNelley, a senior analyst at Aite, says banks should place restrictions on Web surfing for staff that come into contact with sensitive data, either for customers or internal data.

Protecting Login Credentials

According to the Verizon/Secret Service data breach study, 86% of records breached across all industries were the result of stolen login credentials. That places pressure on banks to enforce strong authentication for both employees and customers, pressure that supersedes any action by a regulator or standards body that recommends banks shore up authentication.

Consider Virtualization

Desktop virtualization projects that run a number of staff workstations off a single server in a centralized data center have lots of benefits in terms of energy use. But they can also concentrate leak and breach prevention in fewer locations."Virtualization allows you to take advantage of improved backup and recovery, and it extends the sophistication of the data center to the desktop," says Leda Csanka, vice president and CIO at Cetera Financial Group.

Content Continues Below

Password Problems

A common data security problem for business banking customers is passwords that give employees the ability to pay bills and access to additional sensitive data. Like a lot of breaches, the resultant leaks are accidental - the user doesn't know that he or she is creating exposure by accessing or sharing the wrong information. Jacob Jegher, a senior analyst at Celent, says banks can mitigate this risk by deploying an entitlement structure that sets up a hierarchy at different levels for corporate banking clients.

No Loudmouths

Kris Kovacs, IT manager at Coastal Federal Credit Union in North Carolina, says it is unwise to loudly announce to the world that your financial institution is solid and secure from data breaches, fraud or any adverse event connected to the unwanted exposure or loss of sensitive information. "Not making yourself a target is important. If you talk too much about how secure your institution is, you can become a target in a highly charged environment," he says. "You also risk giving away details about how you're protecting your data."