of Sensei Enterprises Inc., a digital forensic IT and
information security firm in Fairfax, Virginia, USA.
For project contractors and vendors, “the scope
and time are both limited,” Mr. Crudgington says.
“You don’t just get our standard access policy and
elevated privileges. If the project is only for two
weeks, access is provided for two weeks and limited
to only what is needed.”
Mr. Crudgington’s security team adjusted its protocols to pare back system access for contractors. In
addition, access is provided under a contractor account naming convention, so Woodforest can quickly tell whether
any network activity is coming from a contractor’s
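As an added illustration (not code from the article or from Woodforest), the script below shows how a contractor account naming convention combined with a fixed, project-length access window lets a defender pick contractor activity out of ordinary logs and flag use outside the approved period. The `ctr-` prefix, the contractor register, the log format and the sample lines are all constructed assumptions.

```python
from datetime import datetime, timezone

# Assumed naming convention: contractor accounts carry a "ctr-" prefix
# (illustrative only; the article does not give Woodforest's actual syntax).
CONTRACTOR_PREFIX = "ctr-"

# Constructed contractor register: account -> (access start, access end, project).
# Access is granted only for the life of the engagement, as described in the text.
CONTRACTORS = {
    "ctr-jdoe": (datetime(2014, 6, 2, tzinfo=timezone.utc),
                 datetime(2014, 6, 16, tzinfo=timezone.utc), "core-upgrade"),
}

# Constructed sample log lines: "<ISO timestamp> <account> <action> <resource>"
SAMPLE_LOG = """\
2014-06-03T09:15:00Z ctr-jdoe login vpn-gw1
2014-06-03T09:16:10Z asmith login vpn-gw1
2014-06-20T22:41:07Z ctr-jdoe login vpn-gw1
2014-06-21T01:02:03Z ctr-unknown read fileshare-02
"""

def parse_line(line):
    """Split one log line into (timestamp, account, action, resource)."""
    ts, account, action, resource = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), account, action, resource

def is_contractor(account):
    """The naming convention makes contractor activity recognisable at a glance."""
    return account.startswith(CONTRACTOR_PREFIX)

def review(log_text):
    """Return (contractor_events, findings): every contractor log line, plus a
    finding for each line outside its access window or from an unregistered account."""
    contractor_events, findings = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, account, action, resource = parse_line(raw)
        if not is_contractor(account):
            continue
        contractor_events.append(raw)
        window = CONTRACTORS.get(account)
        if window is None:
            findings.append(f"{account}: contractor-style account not in register ({raw})")
            continue
        start, end, project = window
        if not (start <= ts <= end):
            findings.append(f"{account}: activity outside {project} window "
                            f"{start.date()}..{end.date()} ({raw})")
    return contractor_events, findings
```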
The bank’s many security projects have realized
their intended benefits, Mr. Crudgington says. “We
track thousands of network events each month.
Due to our security posture, the seriousness with
which employees take security, and executive and
board support, we have been fortunate to avoid any
The Police, Not the Army
In April, Finnish security firm Codenomicon discovered a vulnerability in open-source encryption
code. The code had been widely used across the
Internet for more than a year, and hackers could
have exploited the vulnerability, called Heartbleed,
to gain access to staggering amounts of encrypted
data. Not only did security pros miss the
bug, but there’s no evidence that hackers
noticed it, either.
It may have taken more than a year to
discover the vulnerability, but once news
of the bug was released, project managers around the world flew into action.
One affected organization was AffinityLive, a software company based in San
Francisco, California, USA. Its development team was working on a tight
product-development deadline when it
learned about the Heartbleed vulnerability. Rather than wait for approval,
the team decided to halt all work on the
vital product-development project and
instead make patching Heartbleed its top priority.
“The team made a decision, and it was a defensible decision,” says Geoff McQueen, AffinityLive’s
founder and CEO.
rather than just doing the minimum to meet regulatory requirements.”
Mr. Crudgington has also overseen a project
that implements fraud-prevention tools based on
behavioral analytics—an effort aimed at recognizing
suspicious activity within the bank’s networks. That
way, even when hackers get inside, their work can
still be identified and remediated.
“If someone targets and attacks long enough,
you’ll get breached. Once that happens, the question is how quickly you react,” Mr. Crudgington
says. “These tools are designed to shorten the period
between infiltration and detection.”
In addition to launching initiatives that react to
real or potential breaches, data-security project
teams also test their ability to respond to threats
that might happen in the future. Both Woodforest and Midland are part of the Financial Services
Information Sharing and Analysis Center, through
which U.S. financial institutions share information
about attacks. The center regularly launches projects that simulate attacks so member organizations
can test their ability to defend themselves.
Project teams can’t just tend to their own
defenses, however. They also must consider the
data security of the contractors with whom they
work. For example, the point of entry for the malware behind the Target breach was a heating-and-cooling-systems vendor.
“If somebody wants to hack a military contractor,
they’ll attack the law firm instead. They go after the
soft underbelly,” says John Simek, vice president
[Sidebar chart: Trouble on the Rise. As the number of security incidents per organization has risen, so has the average information security budget; the two values shown are US$2.7 million and US$2.8 million.]