Pelle Braendgaard: Investment Banking Technology

Experts: Insider threat may be harder to detect

This article from Computer World is quite interesting, if initially slightly confusing. The headline seems to mirror the content but it sems to be challenged by the summary:

Recent findings that insiders constitute the primary threat to enterprise security are being challenged by experts who insist the greater threat to security remains external.

The article cites the CSI study and quotes NASA and US Dept. of Labour CIO's as saying that their main threats are external. However as a few security experts later in the article state the problem is probably that the internal threat isn't detected.

"I don't believe that many corporations know that the majority of attacks occur behind the firewall," said Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York. "And most still believe the firewall will stop them."

I think this rings particularly true with Financial companies. There might not be many such incidents yet, but when they happen they happen big and hurt alot more than an external attack through the firewall.

In addition I think we will start seeing much smarter hacker groups around, who will build up much greater inside knowledge of financial institutions. Just look at the hackgroups of the 80's who often had greater knowledge of the phone companies internal computer systems, than most people within.

Contracts Getting Tough on Security

Enterprise IT managers and CIOs, growing impatient with security vulnerabilities, are fighting back with language in contracts that holds software companies liable for breaches and attacks that exploit their products. ...

... For example, a Fortune 50 company recently wrote a clause into a contract with a major software company that holds the vendor responsible for any security breach connected to its software, according to sources familiar with the deal. [eWeek]

This is definitely a trend we will see continue. Not just for commercial software but also in internal and external agreements for software development or service providing.

For service providers, I would imagine that this would become addendums as part of their existing Quality of Service agreements. Some of these current agreements might already be good enough as they are to cover such events. But ofcourse as the service providers get hit by more and more of these issues, they will naturally want to pass the buck onto the software providers.

Open for Business (Identity management & open networks).

Nikolaj at Digital Identity mentions Consult Hyperion's whitepaper on identity management. Big points to him for also posting a link in the same article to Carl Ellison and Bruce Schneiers classic: What You're not Being Told about Public Key Infrastructure. Nice one.

[Digital Identity]

Cyber crime bleeds U.S. corporations, survey shows

Many sources have commented on the latest Computer Security Institue (CSI) survey, which was done in cooperation with the FBI. These surveys are quite interesting but I question the methodology used by the various respondents to the survey to get their answers.

For example the survey counts non work related web surfing as a Cyber Crime. It specifies that in the past year the average cost per respondent has gone from $357,160 to $536,000 a year. The survey claims the two main issues here being productivity and liability. While I can definitely see liability as being a potential issue, I'm quite unsure of the methods they use to quantify their loss of productivity. Howabout the increase of productivity of employees who are happy because their employer doesn't chose to treat them like children.

Another area that might raise a few eyebrows is the losses based on theft of proprietary information. The report says that respondents reported a total loss of $170,827,000 last year. Yet only 20% of respondents reported such infractions. Granted these can be serious issues, however the Tech industry has a history of overreporting the value of such crimes. Just remember the Kevin Mitnick case where companies such as Sun, Nokia etc. made outrageous claims on losses caused by him.

Much more serious in my view is Financial Fraud. The survey states that 12% of respondents had a loss on average of $957,384. Most of this from what I can acertain is basically traditional credit card fraud. However I do believe we will see a growth over the next year or two in losses based on investment banking systems. Just imagine how much money could be made if someone managed to create large false trades or spread disinformation on trade/news feeds. Not covered under Financial Fraud but equally an issue would be the cost of DOS attacks targeted at realtime trade feeds.

Wall Street Embraces Linux

Merrill (nyse: MER - news - people) is one of many Wall Street brokerages doing a large-scale Linux deployment in an effort to cut their costs and boost revenue...

... Merrill's plans, and others like it, are very significant because they are the first companywide--rather than departmental--Linux implementations. While not without risk, this lends an enormous amount of credence to the argument that Linux can be used in place of more established technologies like Unix. [Forbes]

Exploring XML Encryption

IBM Developer Works are running a good article on XML Encryption. Over the last year or so almost all the new feeds and systems I've linked in with on projects have used XML for interop. XML Security is going to be extremely important over the next year or two. It is particularly useful, because you can encrypt and sign individual elements rather than only full messages. The signatures will ofcourse verify the integrity of a message or element and the element by element encryption is useful for only allowing access to the part of the message you need in your subsystem.