Monday, March 12, 2007

Year ends with security undertakings

Goldman Sachs embraces DRM; military targets mobile security.

As the year winds up, IT managers from Wall Street to the military say they've kicked off ambitious projects to bolster security within their organizations.

At New York-based investment firm Goldman Sachs, one project under the direction of Tom Quinn, vice president of information security, entails adding desktop software for digital rights management (DRM) to restrict viewing, printing or changing financial data. Adding the DRM software made by Liquid Machines, and training employees to work under more restrictive file-sharing guidelines, pose a challenge, Quinn acknowledges. But he foresees a broad benefit of policy enforcement through file encryption.

"What can we do to raise the bar? What can we do to help people not make mistakes?" asks Quinn.

While employees are expected to follow policy guidelines that govern sharing of electronic files, the addition of the Liquid Machines DRM software puts a tangible barrier in place that keeps data encrypted unless the recipient is authorized to view, change or print the information.

The Goldman Sachs DRM deployment commences this month with the integration of the Liquid Machines API into the higher-risk banking applications so an authorized manager can control desktop services for DRM.

At first there will be 100 employees working under the new DRM policy enforcement, but "we envision it on all desktops eventually," Quinn says. He adds that it's taken Goldman Sachs almost five years to prepare for a rollout of DRM.

In the Navy

In the U.S. Navy, the desire for improved mobile security in battle conditions also is prompting a new look at the possibilities for high-security authentication and access to the Department of Defense computer systems.

"We'd like to get rid of passwords and user names," says Pete Butt, chief engineer at the Naval Air Systems Command headquartered in Patuxent River, Md., where testing and evaluation of network equipment for Navy use is done. "One of the biggest problems is there are so many of them, they have to be complex and no one can remember all of them."

The Navy is eager to identify a mobile fingerprint-based system that would support both computer and building access. To that end, 30 users at the Naval Air Systems Command are testing a handheld device called the Mobio made by start-up Cryptolex Trust Systems.

"This is healthy technology we'll probably end up using," says Butt about the Mobio, which not only supports biometric scanning of fingerprints but also one-time password authentication and VPN methods.

Mobio converts a fingerprint biometric to a biocode that can be used to establish one-time single sign-on for applications by using the Cryptolex software programming interfaces.

"You could use the Mobio to log into the Web," Butt says. "And we could use this to positively identify access to routing switches; we operate the backbone network for the Navy and run the networking systems."

Navy personnel today make use of the military's Common Access Card for computer access, "but with this, you're still back to relying on those user names and passwords," Butt says. If the Cryptolex Mobio tests work out within the Navy's research environment, the broader use would likely be the Navy Marine Corps Intranet serving hundreds of thousands of users.

Banks fight cybercrime

As 2006 fades and 2007 looms on the horizon, the retail banking sector is another industry compelled to innovate in order to fight cybercrime.

BBVA Bancomer, a Mexican bank with about 10 million customers, found fraud was becoming a problem in its online banking service over the past few years. "It was easy for fraudsters to get passwords, mostly when customers were using public services, such as at hotels and airports," says Gaston Huerta, Bancomer's director of fraud detection.

Bancomer began beta-testing an online fraud-prevention service called Falcon Online Access under development by a company called Fair Isaac.

The Falcon Online fraud-detection service includes software that is installed on the bank's Web server used for online transactions and monitors users' interactions. Falcon watches for signs of risk, such as the remote computer used for banking appearing to change, which may indicate a man-in-the-middle attack, or the typist entering the account data typing differently from the usual pattern.

If Falcon Online detects signs of possible fraud, it immediately sends a security alert to the designated security manager within the bank. "Once some suspicious operation starts to happen, we immediately verify the account and talk with the customer," Huerta says.
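The two signals described above (an unexpected change of the customer's device and a typing rhythm that departs from the usual pattern) can be turned into a simple per-account risk score. The following is an added illustration written for this article, not Fair Isaac's Falcon code; the feature names, the threshold of three standard deviations and the sample sessions are constructed assumptions.

```python
"""Session-risk scoring modelled on the checks the article attributes to Falcon
Online Access. Added illustration; features, thresholds and samples are assumed."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    account: str
    device_id: str       # constructed stand-in for a browser/device fingerprint
    key_intervals: list  # milliseconds between keystrokes while entering account data

def typing_deviation(baseline, observed):
    """Distance of the observed mean inter-key interval from the baseline mean,
    in baseline standard deviations (0.0 until a baseline exists)."""
    if len(baseline) < 2:
        return 0.0
    sd = pstdev(baseline) or 1.0
    return abs(mean(observed) - mean(baseline)) / sd

def score_session(profile, session, typing_threshold=3.0):
    """Return ('alert', reasons) for a different device (possible man-in-the-middle
    relay) or an unusual typing rhythm; otherwise ('ok', [])."""
    reasons = []
    if profile["device"] is not None and profile["device"] != session.device_id:
        reasons.append("device changed")
    if typing_deviation(profile["intervals"], session.key_intervals) > typing_threshold:
        reasons.append("typing pattern deviates")
    return ("alert" if reasons else "ok"), reasons

def run(sessions):
    """Score sessions per account in arrival order. Only 'ok' sessions update the
    baseline, so an intruder's rhythm is never learned; 'alert' goes to the bank."""
    profiles, results = {}, []
    for s in sessions:
        p = profiles.setdefault(s.account, {"device": None, "intervals": []})
        risk, reasons = score_session(p, s)
        if risk == "ok":
            p["device"] = s.device_id
            p["intervals"] = (p["intervals"] + s.key_intervals)[-200:]  # bounded history
        results.append((s.account, risk, reasons))
    return results

# Constructed sample: three logins from the customer's usual machine, then one
# from an unfamiliar device with a much faster typing rhythm.
SAMPLE = [
    Session("acct-1", "dev-home", [180, 200, 190, 210, 195]),
    Session("acct-1", "dev-home", [185, 205, 195, 200, 190]),
    Session("acct-1", "dev-home", [190, 195, 200, 205, 185]),
    Session("acct-1", "dev-kiosk", [60, 70, 65, 75, 60]),
]
```

Running `run(SAMPLE)` scores the first three sessions "ok" and the fourth "alert" with both reasons, which is the point at which the article's security manager would verify the account with the customer.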

The Falcon Online fraud-detection service has dramatically reduced the fraud problem over the last few months, Huerta says. "Most of the fraud we have seems to be perpetrated in Mexico," he adds.

In the United States, banks are taking steps to counter online fraud, particularly since the federal government's regulatory arm, the Federal Financial Institutions Examination Council (FFIEC), told banks they must show progress next year in authenticating customers online using more than a simple reusable password.