by Dave Gradijan

U.S. Companies Kick Off Security Initiatives

Nov 27, 2006

As the year winds up, IT managers from Wall Street to the military say they’ve kicked off ambitious projects to bolster security within their organizations.

At New York-based investment firm Goldman Sachs, one project under the direction of Tom Quinn, vice president of information security, entails adding desktop software for digital rights management to restrict viewing, printing or changing financial data. Adding the DRM software, made by Liquid Machines, and training employees to work under more restrictive file-sharing guidelines pose a challenge, Quinn acknowledged. But he foresees a broad benefit: policy enforcement through file encryption.

“What can we do to raise the bar? What can we do to help people not make mistakes?” said Quinn, the global head of application risk assurance at Goldman Sachs, a multibillion-dollar investment firm with 40,000 employees.

While employees are expected to follow policy guidelines today that govern sharing of electronic files, the addition of the Liquid Machines DRM software puts a tangible barrier in place that keeps data encrypted unless the recipient is authorized to view the information, change it or print it.

The Goldman Sachs DRM deployment commences this month with the integration of the Liquid Machines application program interface into the higher-risk banking applications so an authorized manager can control desktop services for DRM.

At first there will be only 100 employees working under the new DRM policy enforcement, but “we envision it on all desktops eventually,” Quinn said. He added it’s taken Goldman Sachs almost five years to prepare for a rollout of DRM.

In the U.S. Navy, the desire for improved mobile security in battle conditions is also prompting a new look at the possibilities for high-security authentication and access to the Department of Defense computer systems.

“We’d like to get rid of passwords and user names,” said Pete Butt, chief engineer at the Naval Air Systems Command headquartered in Patuxent River, Md., where testing and evaluation of network equipment for Navy use is done. “One of the biggest problems is there are so many of them, they have to be complex and no one can remember all of them.”

The Navy is eager to identify a mobile fingerprint-based system that would support both computer and building access. To that end, 30 end users at the Naval Air Systems Command are testing a handheld device called the Mobio made by startup Cryptolex Trust Systems.

“This is healthy technology we’ll probably end up using,” said Butt about the Mobio, which supports not only biometric scanning of fingerprints, but also one-time password authentication and VPN methods.

Mobio converts a fingerprint biometric to a so-called biocode that can be used to establish one-time single sign-on for applications by using the Cryptolex software programming interfaces.

“You could use the Mobio to log into the Web,” said Butt. “And we could use this to positively identify access to routing switches. We operate the backbone network for the Navy and run the networking systems.”

Navy personnel today make use of the military’s Common Access Card for computer access, “but with this, you’re still back to relying on those user names and passwords.” If the Cryptolex Mobio tests work out within the Navy’s research environment, the broader use would likely be the Navy Marine Corps Intranet serving hundreds of thousands of users.

As 2006 fades and 2007 looms on the horizon, the retail banking sector is yet another industry compelled to innovate in order to fight cybercrime.

BBVA Bancomer, the Mexican bank with about 10 million customers, found fraud was becoming a problem in its online banking service over the past few years. “It was easy for fraudsters to get passwords, mostly when customers were using public services, such as at hotels and airports,” said Gaston Huerta, Bancomer’s director of fraud detection.

For that reason, Bancomer began beta testing an online fraud-prevention service called Falcon Online Access under development by Minneapolis-based analytics software and services firm Fair Isaac.

The Falcon Online fraud-detection service includes software installed on the bank's Web server used for online transactions, where it monitors end users' interactions. Falcon looks for signs of risk, such as the remote computer used for banking appearing to change (a possible sign of a man-in-the-middle attack) or the person entering the account data typing in a pattern different from the customer's usual one.

If Falcon Online detects signs of possible fraud, it immediately sends a security alert to the designated security manager within the bank. “Once some suspicious operation starts to happen, we immediately verify the account and talk with the customer,” Huerta said.
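To make the detection pattern the article describes concrete, here is a small added example, written for this page and not Fair Isaac's or Bancomer's code, of a session-risk check that flags the two signals named above: a device fingerprint that does not match the customer's previously verified devices, and a typing cadence far from that customer's baseline. The profile fields, the scoring weights and thresholds, and the session records are all assumptions constructed for the example.

```python
"""Toy session-risk scorer illustrating the two signals described in the article.

All profiles, sessions, weights and thresholds below are constructed for this
example; they are not Falcon Online's logic or data.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class CustomerProfile:
    customer_id: str
    known_devices: set          # fingerprints seen on past, verified sessions (assumed)
    key_interval_mean: float    # mean ms between keystrokes on past sessions (assumed)
    key_interval_std: float     # spread of that interval on past sessions (assumed)


@dataclass
class LoginSession:
    customer_id: str
    device_fingerprint: str     # hypothetical hash of browser/device attributes
    key_intervals_ms: list      # inter-keystroke gaps observed while entering account data


def score_session(profile, session, z_threshold=3.0):
    """Return (risk_score, reasons). A score of 0 means nothing unusual was seen."""
    reasons = []
    score = 0

    # Signal 1: the session comes from a device the bank has never verified for this customer.
    if session.device_fingerprint not in profile.known_devices:
        reasons.append("unknown device fingerprint")
        score += 50

    # Signal 2: typing rhythm is far from the customer's baseline (simple z-score test).
    if session.key_intervals_ms:
        observed = mean(session.key_intervals_ms)
        spread = max(profile.key_interval_std, 1.0)   # guard against a zero baseline spread
        z = abs(observed - profile.key_interval_mean) / spread
        if z > z_threshold:
            reasons.append(f"typing rhythm deviates (z={z:.1f})")
            score += 40

    return score, reasons


def alert_needed(score, threshold=40):
    """Decide whether the bank's security manager should be notified."""
    return score >= threshold


def review_sessions(profiles, sessions):
    """Run every session through the scorer and collect the ones that warrant an alert."""
    alerts = []
    for s in sessions:
        score, reasons = score_session(profiles[s.customer_id], s)
        if alert_needed(score):
            alerts.append({"customer": s.customer_id, "score": score, "reasons": reasons})
    return alerts


# Constructed sample data: one customer, one known home device, ~180 ms typing cadence.
PROFILES = {
    "C1001": CustomerProfile("C1001", {"dev-home-a1b2"}, key_interval_mean=180.0, key_interval_std=25.0),
}

SESSIONS = [
    LoginSession("C1001", "dev-home-a1b2", [170, 185, 190, 175, 180]),        # normal
    LoginSession("C1001", "dev-hotel-kiosk-9f", [170, 185, 190, 175, 180]),   # new device only
    LoginSession("C1001", "dev-home-a1b2", [60, 55, 65, 58, 62]),             # typing anomaly only
    LoginSession("C1001", "dev-hotel-kiosk-9f", [60, 55, 65, 58, 62]),        # both signals
]


def sample_alerts():
    """Alerts produced for the constructed sessions above."""
    return review_sessions(PROFILES, SESSIONS)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a)
```

The weights are deliberately additive so that either signal alone clears the alert threshold while a clean session scores zero; in practice a bank would tune the thresholds against its own false-positive rate and, as Huerta describes, follow an alert with a call to the customer rather than an automatic block.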

The Falcon Online fraud-detection service has dramatically reduced the fraud problem over the past few months, said Huerta. “Most of the fraud we have seems to be perpetrated in Mexico,” he added.

In the United States, banks are also taking steps to counter online fraud, particularly since the federal government’s regulatory arm, the Federal Financial Institutions Examination Council (FFIEC), told banks they must show progress next year in authenticating customers online using more than just a simple re-usable password.

“We’re obliged to implement the FFIEC guidelines,” said David Vandeven, president and CEO at Missouri-based Midwest Independent Bank, a special-charter bank whose customers are not consumers, but 450 other financial institutions in Missouri and Iowa.

A bank password for Midwest Independent Bank can allow the user to access not just a separate account, but the primary banking funds-transfer systems such as Fedwire, Vandeven said.

To meet the FFIEC mandate that kicks in after December, Midwest Independent Bank is having its bank clientele begin using a photo-identification authentication method from PassFaces that requires the user to pick out the pre-selected images known only to them as part of the online access process.

“The reason we selected it is because it’s an intellectual solution not tied to a device and it affords a lot of flexibility,” says Vandeven.

Another bank, the Hampton, Va.-based Old Point National Bank with US$830 million in annual assets, just adopted a similar image-identification system from RSA Security. The bank's payments officer, Jean Parra, said the image-based identification for online banking has been tested, and notification of its requirement has been sent to about 9,000 bank customers.

Parra said the bank is confident the new online authentication system will meet with FFIEC approvals when the time comes for regulators to evaluate the bank’s efforts at meeting the new online banking authentication guidelines.

“We’ve been in constant contact with our FFIEC examiners on this and we believe this is suitable,” said Parra, adding, “but we are continuing to research the matter.”

By Ellen Messmer, Network World (US)
