
| EMERGING THREATS |
At Financial Information Security Decisions, many of the industry's leading information security
experts gathered to share vendor-neutral expertise and proven security strategies. If you couldn't
make it to New York City for this year's event, you can catch up here. Below you can download
speaker presentations from a selection of this year's sessions. Feedback on
Financial Information Security Decisions presentations can be submitted via
SearchFinancialSecurity.com.
Social Networking and Security: The Business Risks of Employee Information Sharing
Employees are sharing large amounts of data about their personal and professional lives through
social networking sites. Some of this information may appear to have no value - someone's favorite
color, their address, the name of their boss, or the name of their childhood pet. However,
attackers have become increasingly sophisticated at mining and correlating this personal
information in creative ways, often putting the business at risk. Dr. Hugh Thompson exposes the new
risks to businesses that have resulted from employee information sharing.
Internet Nails: Downstream Consequences of Bad Software Design
For want of a nail, the shoe was lost. For want of a shoe, the horse was lost. For want of a horse,
the knight was lost. We're used to dealing with the problems that are in front of us right now, but
never seem to have the time to stop and ask ourselves 'how did we get here?' Security luminary
Marcus Ranum discusses the downstream consequences of apparently simple decisions, and the
long-term costs that are associated as a consequence of failing to re-assess them before it's too
late.
Practical Risk Management Approaches
Providing a foundation for risk governance within financial services organizations should be
treated as a key business initiative, and successfully managing risk eases the compliance burden. In
this session, Eric Holmquist, with more than 27 years in the financial services industry, explores
practical approaches to key program elements that provide your organization with an enterprise-wide
approach to risk management.
Intersecting State and Federal Data Protection Acts
The legal landscape for data protection has changed markedly in 2010. Massachusetts and Nevada have
passed new regulations requiring organizations that store, process or communicate personal
identifying information (PII) to notify victims in the event of a breach and implement
administrative and technical controls to prevent breaches. At the federal level, H.R. 2221, the
Data Accountability and Trust Act (DATA) cleared the House with a voice vote and in its current
form, requires similar controls. In this presentation, Richard E. Mackey Jr., vice president of
consultancy SystemExperts, discusses key requirements associated with the Massachusetts and Nevada
regulations and how these state-level laws affect NYC-based organizations, an introduction to the
federal DATA bill and what you can do now to prepare, and how organizations should construct a
security program to meet these requirements.
FFIEC Guidance for Remote Deposit Capture: What is Expected of You
One of the most profound areas of operational risk for financial institutions is that of third
party risk. Organizations depend on these critical resources to support day-to-day operations, and
yet have virtually no control over how they are managed. Maintaining world-class vendor management
is critical to a sound risk management program. In this session, Holmquist covers essential
elements of vendor management, ensuring accountability and the importance of risk analysis of
service providers, among other topics.
The Abridged Application Security Program
While much progress has been made during the past decade in the field, starting out a new
application security program today can still feel like an attempt at boiling the ocean. Open
discussion about popular practices and maturity models has now become commonplace, but mid-sized
firms have to be extra smart about how they deploy their limited resources to avoid being spread
thin over a large developer organization and a multitude of applications. In this presentation, Max
Caceres, vice president of D.E. Shaw & Co., discusses using a focused approach to start an
application security program that is integrated with the development organization from day 1, and
that can grow organically over time as the security organization matures.
Putting 'Information' Back Into Information Security
Although we call it "Information Security," for the past 20 years our profession has really been
about protecting the infrastructure, not the data. Because of regulations, the notion of
information-centric security is crucial for financials: not just encryption, but content filtering,
data classification and DLP. After all, auditors don't care if it was a malicious attack or a common
mistake. In this session, Securosis CEO Rich Mogull explores how to reorient your security program
to protect the information itself, not merely the places where it's stored and used.
Cybercrime and the Financial Sector: The Growing Link
As cybercrime routinely targets the financial sector, Erez Liebermann and Seth Kosto, federal
prosecutors focusing on cybercrime and white collar fraud, discuss law enforcement's response to
the growing threat and what corporations can do to assist and protect their systems. They also
examine recent cases prosecuted by their offices and across the country.
Protecting Data and Transactions with Encryption and Tokenization
Driven in large part by PCI requirements and massive theft, organizations are rapidly adopting a
combination of new and old encryption technologies to protect data through transactions and
storage. In this session Mogull describes the latest data protection technologies, such as
transparent data encryption, tokenization, and format preserving encryption.
Managing Actionable Threat Information for Financial Services Security Professionals
More than any other industry, information security professionals in financial services firms need to
be on the front lines of information about emerging threats. The only way to stay even with hackers
and their exploits, according to Nick Selby of Trident Risk Management, is through actionable
intelligence from reputable sources. What does threat intelligence mean? What does it comprise? The
past five years have seen the rise of new classes of commercial intelligence bringing rich,
contextual information that can help you see threats across stovepipes. From malware to botnets,
scams to physical threats, intelligence about competitors, to who is saying what about your
company, your product and your people, the problem is no longer "Where can I get threat
intelligence?" but "How can I manage it?"
This was first published in June 2010