Internet Threats and Risk Mitigation

WHITEPAPER: Internet - Threats, Risk Mitigation and Reputation Strategies

“The other side of the Coin”

Authored by: Michael M. Kiefer, Senior Vice President, BD-BrandProtect

With insights from Susan Orr (www.susanorrconsulting.com), a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.

Upload: brandprotect

Post on 24-Jan-2015



Page 1: Internet Threats and Risk Mitigation



Table of Contents

Introduction (page 3)

Types of Threats (page 3)

Is Regulatory Compliance Enough? (page 5)

Applying Best Practices (page 6)

About the Author (page 7)

Appendix: Examples of Online Threats (page 8)


It’s more than just reactively preventing unauthorized access to your data and meeting regulatory requirements; it’s also about taking proactive steps to preserve your online reputation.

Introduction

Over the last several years, financial institutions have spent billions of dollars and resources securing a perimeter defense system consisting of intrusion detection, intrusion prevention, firewalls, user authentication, and other layers of security, all built to secure their financial systems. Due to the exponential increase in internal and external information security incidents, these investments are necessary to protect an institution’s reputation and revenue. In addition, the federal government is using regulatory means to ensure that banks take responsibility for potential losses.

Of equal or even greater threat, however, are the social aspects of the Internet that cannot be controlled. For example, financial institutions need to be aware of the reputational risk that is inherent on the Internet. Each institution needs to do more than reactively protect its data; it must also proactively safeguard its reputation online, where references to its corporate name alone can number in the millions. An institution must also guard against infringements of its logo, its trademarks or other graphic representations. This risk, outside the firewall, is the other side of the coin.

Given that criminals always go after the weakest link, layered security should be required for both internal and external threats. Online customers with multi-use home systems are easily compromised, and those systems are now used either to attack institutions or to harvest personal identities and online accounts.

Years ago, it was easy for an organization to see its brand being used locally in the yellow pages, on community signage or in an advertisement. To address the issue, the organization simply called the company and asked them to stop using its brand. Compliance was typically immediate. Today, however, it’s not easy for an organization to find a Web site in China or Eastern Europe that is fraudulently using its logo, sending out e-mail messages and purportedly offering services that unsuspecting consumers believe are being offered by their trusted institution.

Over the last several years, the number of ‘phishing’ attacks on smaller financial institutions has escalated as the big institutions get better at fighting back. Still, both large and small institutions have their customers and their access devices located outside the multi-billion dollar security perimeter. Yet 90 per cent of security budgets are dedicated to building and maintaining this perimeter, while only 10 per cent is allocated to external threats, including the protection of an institution’s online reputation. Would it not make sense to rethink this balance of spending on preventing both types of threats, given that criminals have moved to social engineering?

Types of Threats

Most attacks on a financial institution’s Web site are referred to as phishing, which describes any attempt to criminally and fraudulently acquire sensitive information such as user names, passwords and credit card details. This typically happens by masquerading as a trustworthy electronic entity such as a Web site. Two things have to transpire: first, an alternate Web site has to be created, and second, an e-mail has to be sent with a link to that site. Newspapers are full of stories where this tactic has led to stolen account passwords and credit card numbers, and ultimately, unrecoverable financial loss. This risk is social engineering in nature: it tricks customers into giving up their confidential data. It is much easier to trick customers than to break into an institution, given all the money spent on its perimeter.

At the worst extreme, phishing schemes can become identity theft, a catch-all term for crimes involving the illegal use of another individual’s information. Culprits can take over all the personal information related to an individual, including social security number, accounts and passwords, and credit card information, and in doing so gain access to electronic funds. Both Javelin Research and the most recent FTC report estimate that identity theft has become a $45 billion-a-year problem in the U.S. alone.

Financial loss from criminal activity is only part of the equation. Increasingly, the government and financial institutions are becoming worried about the more insidious forms of attack on corporate names and reputations. Hence, newfound importance is being attached to an institution’s reputation and how potential risks can be mitigated.

For example, if a customer logs on to an unauthorized Web site that falsely uses the name, logo, trademark or online brand belonging to that institution, it can result in a range of unintended consequences, mislead consumers and expose an organization to new forms of liability. Possible scenarios include the following:

• Financial information. Someone uploads false financial data to an electronic information service provider such as Google, MSN or Yahoo, and then puts a hedge play against their stock, or publishes damaging information that may divert investment from that stock.

• Job listings. Employment advertisements on job boards use recognized institutional names to capture identity data from prospective job applicants, including names, addresses, e-mail accounts, social security numbers and driver’s licenses.

• Online surveys. Fake e-mails sent from a Web site imitating a consumer research organization lure recipients to a location which triggers malware. The malware turns the user’s machine into a “zombie” or “robot” (where it surrenders control to another computer), and it is forced to send out spam e-mails that may further propagate the malware.

• Financial services. An investment vehicle from a consumer’s favorite financial institution may have nothing to do with that institution; it could be a link to a third-party Web site that is targeting the institution’s customer base.

The threats are varied and often escape detection. In each case, a major institution’s reputation is compromised and a customer is misled or defrauded. Keep in mind that these threats can also affect non-online customers and non-customers such as investors. While threats come in a variety of forms, most represent some form of “unauthorized linking”, the practice of trying to look legitimate or benefit from an association with an institution through improper use of a corporate logo or trademark. In many cases, the unauthorized use of a logo or trademark is innocuous; it could be a charity wishing to thank its corporate sponsor.

This false link, however, could also transport a customer to a competitor’s Web site, and that customer would never know it. Even worse, consumer traffic can be diverted from its intended destination and falsely connected to illegal or offensive activities, such as pornography and gambling.

Last summer, the U.S. Federal Deposit Insurance Corp. issued Financial Institution Letter (FIL 72-2007), titled “Best Practices for Preventing and Detecting Child Pornography from the Financial Coalition against Child Pornography”. The letter warns of what could happen in the extreme. Referring to the activity of “remote merchant capture”, it essentially advises institutions to get to know their online customers, to practice due diligence on each merchant (defined as any business entity that has an online retail operation) and then to review all of that merchant’s online Web sites and links before engaging its business.

Adding new customers online carries its own risks, and increasingly, financial institutions will be called on not only to verify the legitimacy of each customer’s business but potentially to detect undesirable customers. The implication is clear: if financial institutions take on the wrong customer, not only could they be propagating a crime, they could do irreparable harm to their business.

Is Regulatory Compliance Enough?

Constantly, the U.S. federal government is seeking ways to ensure that financial institutions are better protected against online abuse, and in some cases, to make them responsible for those losses. Increasingly, though, regulatory bodies are attempting to address not only real but perceived or so-called “foreseeable” threats. For example, Section 501(b) of the Gramm-Leach-Bliley Act mandates federal regulators to implement guidelines requiring that financial institutions not only safeguard the security and confidentiality of all customer records, but also protect against foreseeable threats to the security of those records. In other words, a financial institution may have to do more than protect its own data and records. Its concerns may also extend to the Internet, where, for example, the potential exists for its images and logos to be abused.

Over the last few years, the number of phishing attacks on community institutions has continued to escalate, in both intensity, with pharming, and severity, with malware. Generally, the larger financial institutions are aware of the threats to their names and their brands. They have tens of billions of dollars invested in their brands and don’t want to be known as unsafe partners. But smaller institutions are less aware. It’s unlikely that online reputation damage alone could put any institution out of business, but negative publicity could cost in the form of lost customers, reduced market share or stock devaluation. Years back, it was too expensive to reproduce an annual report with adjusted numbers or issue a press release on earnings windfalls or shortfalls. Today, criminals use the Internet to sway opinion one way or the other, hedging markets with false information for personal gain.

But one thing is clear: when identity theft or fraud occurs, the consequences become apparent rather quickly and must be dealt with. And rest assured, there are hard costs involved. If infractions occur, all parties must be notified, a cease and desist order may need to be issued, and legal fees may have to be taken into consideration. However, if the damage is to a reputation, these consequences become less clear and more difficult to measure. Further, if a customer or business partner is involved, there may be some expectation that the institution make good even though it is not exactly at fault.

The costs that are not known are the soft ones: damage to reputation, loss of new or potential customers, or declining market share. Institutions do a lot of things because they must, whether for liability or regulatory reasons. But while there may not be a law or legal requirement to protect your brand, failing to do so could cost you business today and in the future.

Applying Best Practices

By some estimates, 90 per cent or more of financial institutions in the U.S. do not manage their online reputations. This may be due to the difficulty of protecting a brand in the electronic world. If an “imitation institution” were built somewhere in a downtown area, complete with a sign bearing a well-known brand name, it would be shut down in a matter of days if not hours. However, if an “imitation institution” consists only of a Web site hosted in a foreign country, it could take much longer to shut down, or even worse, it could go completely undetected. One could decide to Google the name of the false institution, but that could generate a list of millions of links that change each week.

There is no way of managing all of this without brand protection, an emerging category of software that helps organizations gain control over how they are represented online, both by uncovering threats and by mitigating the risks to their reputation.

Brand protection is a technique that uses advanced technology, round-the-clock monitoring, proven best practices and exhaustive human analysis to scour millions of domains, Web pages and Internet links to uncover potential infractions, and categorize and rank these infractions according to severity.

Several best practices can be implemented by financial institutions in conjunction with brand protection techniques. These include the following:

• Understanding all the competing URLs (Uniform Resource Locators, more commonly known as Web addresses) that exist, as well as when similar domain names come into play. (For example, First Bank of America could be falsely represented as First Banc of America.)

• Engaging the Internet Service Provider. It is also in their best interest to participate in risk mitigation activities and general enforcement of safe Internet practices. Service providers and registration firms don’t want the negative publicity, so work with global law enforcement agencies to block unauthorized links or Web sites.

• Establishing priorities. Risks vary greatly, so the key is discerning which are critical, which are moderate and which can be deferred to a later time.

• Creating an “abuse box” or implementing some other formal method for reporting infractions that is accessible to customers, business partners and associates.

• Understanding that the threat is global, which means enlisting a service that operates 24 x 7. The bad guys are everywhere and tend to locate in countries with no extradition policies should a case proceed to trial.

• Enlisting a third party. One can deal with the problem by Googling every name, or sound-alike name, but that can be labor-intensive. Or one can use a third party that already has a comprehensive process in place and is able to do a broader sweep more quickly and cost-effectively, while also eliminating the reporting of “false positives”.

• Recognizing that security is obviously an IT function, but mitigating reputational risk is everybody’s business. The IT security manager will likely be kept busy just trying to log infractions or incidents, while senior management needs to understand the big-picture issues while providing adequate resources and ongoing support.

• Please see the examples in the Appendix.

The bottom line is that smaller financial institutions need to socialize reputational risk at all levels (and departments) across the organization. Risk mitigation is, at least initially, a management issue, which means management needs to be aware of it first, then incorporate it into IT, and then ask how this can be implemented from a systems and process point of view.

Online brand protection is an emerging technology, and as such, will continue to evolve. New forms of misrepresentation on a Web site can and will occur. Even the act of blogging, where critics may post negative comments, can be perceived as a threat to an organization and could be looked at as another area for potential risk mitigation.

Regardless of the threats – from reputations that are being tarnished, to damage to a firm’s brand, to loss of confidence among customers, business partners and investors – an institution’s brand image is one of the most valuable assets it can have, and now tools are available to mitigate the risks posed by the Internet. As a banker once told me, “I can lose capital and people, but if I lose my reputation…I am done.”

About the Author:

Michael M. Kiefer, Senior Vice President, BD-BrandProtect

A recognized network and security expert and IT and risk visionary, Mr. Kiefer brings more than 25 years of network, telephony, Internet and disaster recovery experience to his role at BD-BrandProtect, where he is responsible for revenue growth and building out a world-class team.

Prior to joining BrandProtect, Mr. Kiefer had been involved in the development of four successful network and security technology startups. One of these ventures, SecurePipe, was acquired in 2006 by ATW Corp after he led the delivery of the institution’s outsourced network security solutions to over 1200 community institutions. Previously, he was President of AVAYA North America and directed over twenty-five percent of Cisco Systems’ Global Business. He regularly speaks about IS and related regulatory issues for the financial and technology industries, among others.


Appendix: Examples of Online Threats

Weblinking Issues:

In this example, clicking on Bank of forwards to the Web site Wellsfargo.com, which is a competing banking company.


Traffic Diversion Schemes - Appears in Same Color as Background:

The first screen shows what this web page normally looks like when first viewed. However, highlighting the page reveals text written in the same color as the background, which is invisible to the naked eye, as shown below.
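As an added example (not code from the whitepaper or from BrandProtect), the following Python check looks for the hidden-text scheme described above: it walks a page's inline styles, tracks the inherited text and background colours, and reports any text run that would render in the same colour as its background. The sample HTML is constructed, browser defaults of black text on white are assumed, and external stylesheets are not evaluated.

```python
from html.parser import HTMLParser

# Minimal colour handling: a few CSS names plus #rgb -> #rrggbb. Assumption: only inline
# styles are evaluated; external stylesheets and rgb()/hsl() values are not.
NAMED = {"white": "#ffffff", "black": "#000000", "red": "#ff0000"}
VOID = {"br", "img", "hr", "input", "meta", "link"}   # elements that never get an end tag

def norm_color(value):
    v = NAMED.get(value.strip().lower(), value.strip().lower())
    if v.startswith("#") and len(v) == 4:             # #fff -> #ffffff
        v = "#" + "".join(ch * 2 for ch in v[1:])
    return v

def parse_style(style):
    """Return (color, background) declared in an inline style; None where not declared."""
    color = background = None
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, val = (s.strip().lower() for s in decl.split(":", 1))
        if prop == "color":
            color = norm_color(val)
        elif prop in ("background", "background-color"):
            background = norm_color((val.split() or [""])[0])   # first token of the shorthand
    return color, background

class HiddenTextFinder(HTMLParser):
    """Tracks inherited text and background colours; records text that would be invisible."""
    def __init__(self):
        super().__init__()
        self.stack = [("#000000", "#ffffff")]          # assumed browser defaults
        self.hidden = []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        color, background = self.stack[-1]
        c, b = parse_style(dict(attrs).get("style") or "")
        self.stack.append((c or color, b or background))   # children inherit what is not declared
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        text = " ".join(data.split())
        color, background = self.stack[-1]
        if text and color == background:
            self.hidden.append(text)

def find_hidden_text(html):
    """Return the runs of text that render in the same colour as their background."""
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.hidden

# Constructed sample: a plausible bank page with keyword text hidden white-on-white
SAMPLE = """<html><body style="background: white">
<h1>Community Bank - Welcome</h1><p>Our branch hours are 9 to 5.</p>
<div style="color: #fff; background-color: #FFFFFF">best mortgage rates click here
<span style="color: black">visible inside the div</span></div>
<p style="color:#ffffff">also invisible</p></body></html>"""
```

Running `find_hidden_text(SAMPLE)` returns the two white-on-white runs and nothing else; a page that relies on a stylesheet rather than inline styles needs the computed style from a real rendering engine instead.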


Traffic Diversion Schemes - Framed Web site:

This example shows the corporate Web site for Bank of but within a frame on a third party Web site, Onechurchsource.com.
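The control against the framed-site scheme above sits on the institution's own server: it declares which origins may embed its pages. As an added example (not from the whitepaper), this Python function evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers and reports whether a given third-party origin could frame the page; the origins and header sets below are constructed.

```python
def csp_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def source_matches(source, origin, self_origin):
    """Match one frame-ancestors source expression against an origin of the form scheme://host."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == self_origin
    if source == "*":
        return True
    host = origin.split("://", 1)[-1]
    src_host = source.split("://", 1)[-1]
    if src_host.startswith("*."):                 # wildcard subdomain, e.g. *.example
        return host.endswith(src_host[1:])
    return source == origin or src_host == host

def frameable_by(headers, framing_origin, self_origin):
    """True if a page served with these headers can be embedded in a frame by framing_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:                     # CSP frame-ancestors takes precedence over X-Frame-Options
        return any(source_matches(s, framing_origin, self_origin) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framing_origin == self_origin
    if xfo.startswith("ALLOW-FROM"):              # obsolete form, still seen on older servers
        parts = xfo.split(None, 1)
        return len(parts) == 2 and parts[1].lower().rstrip("/") == framing_origin
    return True                                   # no policy at all: any site may frame the page

# Constructed origins and header sets (not real sites)
BANK = "https://bank.example"
THIRD_PARTY = "https://church-directory.example"
NO_POLICY = {"Content-Type": "text/html"}
SAME_ORIGIN_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
PARTNER_ONLY = {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://partner.example"}

if __name__ == "__main__":
    for name, hdrs in [("no policy", NO_POLICY), ("sameorigin", SAME_ORIGIN_ONLY), ("partner", PARTNER_ONLY)]:
        print(name, "frameable by third party:", frameable_by(hdrs, THIRD_PARTY, BANK))
```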


URL Infraction - Trademark appears in third party URL

In this example, the insurance company name is in the URL, but there is no mention of it on the page, which contains some very explicit sexual references.


Example: Phishing

Participants in a Harvard University study failed to notice that the URL given for a Bank of the West site was: www.bankofthevvest.com
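The "vv" for "w" trick in the phishing example above and the "Banc" for "Bank" sound-alike from the best-practices list are the kind of variants a brand-monitoring sweep has to catch. As an added example (not code from the whitepaper or from BrandProtect), this Python routine folds visually confusable and sound-alike spellings into a canonical skeleton and then compares observed domains against an institution's legitimate ones; the brand domain list and the observed domains are constructed, and the naive suffix handling (no public-suffix list) is an assumption.

```python
import re

# Visually confusable sequences folded to the letter they imitate ("vv" -> "w" is the
# trick in the bankofthevvest.com example); multi-character entries come first
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# Sound-alike spellings ("Banc" for "Bank" from the best-practices list)
SOUNDALIKES = [("banc", "bank"), ("ph", "f")]

def registrable_label(domain):
    """'https://www.bankofthevvest.com/login' -> 'bankofthevvest'. Assumption: two-label
    suffixes such as .co.uk are not handled; a public-suffix list would be needed for that."""
    host = re.sub(r"^[a-z]+://", "", domain.strip().lower()).split("/")[0]
    labels = [l for l in host.split(".") if l]
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[-2] if len(labels) >= 2 else labels[0]

def skeleton(label):
    """Canonical form used for comparison: hyphens dropped, confusables and sound-alikes folded."""
    s = label.replace("-", "")
    for imitation, real in CONFUSABLES + SOUNDALIKES:
        s = s.replace(imitation, real)
    return s

def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(observed, brand_domains, max_distance=1):
    """Classify an observed domain as ('legitimate'|'lookalike'|'unrelated', matched brand domain)."""
    brand = {registrable_label(d): d for d in brand_domains}
    label = registrable_label(observed)
    if label in brand:
        return "legitimate", brand[label]
    skel = skeleton(label)
    for brand_label, brand_domain in brand.items():
        brand_skel = skeleton(brand_label)
        # close after folding, or the whole brand embedded in a longer label (bank-login style)
        if edit_distance(skel, brand_skel) <= max_distance or brand_skel in skel:
            return "lookalike", brand_domain
    return "unrelated", None

# Constructed brand list and observed domains; the bank names appear in the whitepaper,
# but none of the observed domains are asserted to exist or to be malicious
BRAND_DOMAINS = ["bankofthewest.com", "firstbankofamerica.com"]
OBSERVED = ["www.bankofthevvest.com", "firstbancofamerica.com", "bank0fthewest-login.net",
            "bankofthewest.com", "example.org"]

if __name__ == "__main__":
    for d in OBSERVED:
        print(d, *assess(d, BRAND_DOMAINS))
```

In practice the observed list comes from a registrar feed, certificate-transparency logs or the institution's own abuse box, and each "lookalike" verdict is a candidate for analyst review, not an automatic takedown.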