Layered Security: A Case Study
How One Bank Tackled the FFIEC Authentication Guidance
"We already had one-time pass codes and for our corporate customers the requirement of using a secure token," says Donna Flynn, a vice president at Liberty Bank. "However, we weren't comfortable with the security out in the field with our customers."
After assessing its risks, Liberty engaged an authentication vendor to help outline a layered security strategy.
"We now have the added benefit of ... endpoint detection, which will basically not allow a customer to log into our system if there is any malware detected," Flynn says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
Heading into 2012, Liberty Bank has decided not to add anything else to its layered security solution, which includes one-time pass codes, secure tokens and an endpoint security feature. "However, it's an ever-changing environment, so we always have to be aware and open to anything that we may need to implement going forward," she says.
During this interview, Flynn discusses:
- Why layered security should be considered from a holistic perspective, one that involves all banking channels, not just the online channel;
- Why institutions need to take hard looks at current security offerings to determine what they're missing;
- How the new endpoint security solution tracks and blocks key-logging, man-in-the-middle and malware attacks.
Flynn is vice president of cash management at Liberty Bank, Connecticut's oldest mutual bank, with more than $3.4 billion in assets and 43 banking offices throughout the state. At Liberty, Flynn oversees fraud-prevention measures across all cash-management operations, including online banking. She is also responsible for cash-management sales, product development and operations. Before joining Liberty Bank, Flynn held executive-level positions with Citizens Bank and Fleet Bank.
TRACY KITTEN: Could you tell our audience a bit about your institution, such as the breakdown you serve between retail and commercial customers?
DONNA FLYNN: We're a community bank headquartered in Middletown, Connecticut, servicing about 190 customers, mostly consumer and micro-business. However, we do have about 300 corporate users, and when I say corporate users I mean they transact ACH and wires.
KITTEN: As you began reviewing and assessing some of the online risks, what compliance gaps did you identify?
FLYNN: Our main issues were ongoing risk assessments, layered security and customer awareness.
KITTEN: You've noted in the past that Liberty targeted three key areas for improvement mentioned in the updated guidance, and of course that's the ongoing risk assessment, layered security and customer awareness. Can you tell us why these three areas needed improvement?
FLYNN: I think what's difficult for many community banks is trying to keep abreast of all the fraud trends, identifying new attacks and then updating the risk assessments to include the mitigating controls. As far as layered security, while we were reasonably comfortable with the tools we were using, we didn't have the confidence that our customers were actually protecting their systems. For customer awareness, we do have a security brochure but they do become outdated very quickly. We were looking for something more automated with real-time information that we could share with our customers.
KITTEN: What steps did Liberty take as it assessed those risks and then began reviewing different vendor solutions?
FLYNN: Well, my team got together and we determined where we are today and where we need to be in order to be compliant. We also looked at all of our online channels, not just online banking. At that point, we put together a focus document so that when we met with vendors we would be prepared with what we were looking for, what was on our wish list and who could help us achieve that.
KITTEN: Your institution ultimately opted for a solution provided by Trusteer. Can you tell us a bit about the process your institution used to determine the best vendor solution?
FLYNN: Using that point of focus, we were concentrating on what vendor is going to assist us and give us the tools that we need to remain compliant but also do it in a way that is easy for us to do. I think that's important, to look for a vendor to help you do that. I think recreating the wheel is not the solution for this. We looked at several different vendors and chose Trusteer for a couple of different reasons. One was their endpoint protection and the other is their real-time data.
KITTEN: What about ongoing risk assessments? How's Trusteer helping you there?
FLYNN: Trusteer has a really nice forensic tool that allows us to gather data for any type of malware, intrusion or anything that could be on our customers' computers and we can use that to update our risk assessment and also include the mitigating controls that we put in place.
KITTEN: You've mentioned layered security, but I would like you to elaborate on that a little bit. What improvements have you made in that arena?
FLYNN: With layered security, we already had one-time pass codes and for our corporate customers, the requirement of using a secure token. However, we weren't comfortable with the security out in the field with our customers. By using Trusteer, we now have the added benefit of the endpoint detection which will basically not allow a customer to log into our system if there is any malware detected.
KITTEN: This was something that I thought was interesting, the endpoint protection which basically blocks new attacks. Can you elaborate a little bit and tell us how this endpoint protection works and was this something that made the solution from Trusteer unique relative to other vendors?
FLYNN: It was a huge piece of our decision. The architecture is designed so that it prevents the computer from being infected. It actually monitors the HTTP traffic and removes any exploit code. It helps with key logging, man-in-the-middle, man-in-the-browser, phishing attacks, all of that. It's really beneficial for us.
KITTEN: It takes the guess work out of what the merchant has to do or what the commercial customer has to do.
FLYNN: It does, and I think regulators are looking to the banks to provide that to their customers and not just rely on the customers to be savvy enough to do it themselves.
KITTEN: What about additional authentication or identification mechanisms? Have you implemented anything else?
FLYNN: With the one-time pass code, the secure tokens and now with Trusteer implemented into that, we have not decided to add anything else to the suite at this time. However, it's an ever-changing environment, so we always have to be aware and open to anything that we may need to implement going forward.
KITTEN: Are these authentication and layered-security controls being implemented for your commercial as well as retail customers?
FLYNN: For our retail customers, we have them use the one-time pass code and also Trusteer's Rapport service. For our corporate customers, which is where most of the risk lies, they're using the one-time pass code, secure ID and Rapport also.
KITTEN: Let's go back and talk a little bit about customer awareness and education. What new strategies have you implemented there and are you focusing different efforts for your corporate customers versus your retail customers?
FLYNN: We are. With our corporate customers, we're getting a lot more detailed. One of the other benefits in choosing Trusteer is they have a security [feature] that identifies new customers or any customers logging in from a different device and it presents them with a message that explains security threats and protection mechanisms. They also offer a security news channel where they deliver information to our customers on new threats and how to avoid them. We also have a general security brochure that we offer to all of our customers that talks about what is man-in-the-middle, what is man-in-the-browser and recommendations for how they should be securing their computers.
KITTEN: Going into 2012, what remaining areas do you feel you need to address fully to conform to updated FFIEC guidance?
FLYNN: Like I said previously, we're pretty comfortable where we are now. But it's an ever-changing environment so we always have to be on our toes. I think the biggest thing is just updating that risk assessment as needed.
KITTEN: As other institutions work to ensure that they're compliant and ready for these regulatory audits, what advice would you provide?
FLYNN: Take a really hard look at what you're offering now. Definitely do not ignore the guidance and I think we're all so busy trying to remain compliant in so many different areas of banking that if you can use a reliable vendor to assist you in being compliant, definitely do it.