Evolution of Cybersecurity

Editorial
November 30, 2017

Editor’s note: This story was originally featured in the November issue of DS News, out now.

Long before Darwin’s theories and his book On the Origin of Species were published, humans realized that the key to survival was adaptation. When the environment changed, those who were able to change along with it survived, and those who were not perished. In today’s age of electronic communication, virtual meetings, cyber wallets, and cyber terrorism, that statement holds just as true, and companies have come to realize that they need to be more vigilant in protecting their electronic environments. Companies in high-profile industries such as finance, aerospace, and the military, as well as housing and mortgage servicing, need to be especially aggressive, because the risks are generally higher when handling and storing confidential data.

Cryptography Has a Limited Lifecycle

Given the massive data breach Equifax experienced recently, implementing encryption algorithms (the process of transforming plain text into encrypted text in order to secure electronic data while it is transported over networks) at the lowest strength that has not yet been exploited may not be the wisest course of action. It does not make sense to base security protocols on the lowest level of the Federal Information Processing Standards (FIPS). If companies adopt new controls based on today’s industry encryption standards, they should have a valid reason for doing so and understand the implications of that decision. After all, the decision-making process can be quite lengthy: research to evaluate the issue, requirements and design, RFPs, testing, implementation, and more. This can be a costly process, and companies should not spend all of that time and money only to adopt algorithms that will be deprecated shortly afterward. They should be implementing protocols that will not be deprecated for at least the next eight to 10 years. This is one of the reasons why certificate authorities such as Verisign, Thawte, and others limit the number of years for which a website certificate may be purchased. Major institutions may only implement certificates whose expiration date is two years or less.

When implementing encryption algorithms, companies should consider the effective lifetime of those controls, taking into account how long it might take for them to be exploited. Current standards such as FIPS, which were developed years ago, are meant as guidelines for security compliance. Those new to security may use these standards as a rough posture assessment of their systems, but this will only lead to frequent changes to the system’s architecture whenever the standards change. For example, FIPS 140-2, which is still used to ensure companies are following proper security precautions, was implemented in May 2001. While there were proposed updates to this standard, they were never adopted:

  • January 2005 – Federal Register announced development of FIPS 140-3 Cryptographic Modules
  • July 13, 2007 – Federal Register released the draft of Cryptographic Modules
  • December 2009 – a revised draft was released
  • August 2012 – there was a request for additional comments to FIPS 140-3

This process continued until the FIPS 140-3 update died, likely because some of the recommendations within it were out of date and already compromised. Still, information security teams and the companies they work for are left with the antiquated FIPS 140-2 standard.

There have been thousands of security breaches and advances since that time, yet to be compliant, companies merely need to meet a 16-year-old standard. To survive the onslaught of cyber attacks that continue to plague all industries, companies must be ever more vigilant. Do not wait for industry standards to be set; adopt tougher security protocols, encryption algorithms, and procedures before the current ones are exploited.

In an industry like mortgage servicing where the compliance and regulatory requirements have changed dramatically since the 2008 mortgage crisis—including increased oversight and reporting of breaches—what are companies that support the industry, like mortgage field services, to do? Adopt a security-centric view of the industry and monitor, adapt, and react quickly to changes. The mortgage field services industry has an opportunity to help lead the way for its mortgage servicing clients, rather than waiting for directions from them on security protocols.

Partner with Business/Operations

An important lesson that can be learned from larger corporations regarding security is that they have already adopted the practice of including security advisors at their decision-making tables. New initiatives should go through a threat management evaluation in the same way that they are evaluated for fiscal viability and feasibility. If adding that new functionality to an application could compromise security and expose the company to the possibility of a breach, is it really worth the consequences? Regardless of the answer, the important concept is the evaluation process. Companies need to understand and weigh the implications of their options, good and bad, to reach an informed decision. In many organizations, security is still viewed as a necessary evil rather than as a welcome partner, in part because security is often seen as an obstruction to new functionality in information technology. When properly aligned with other business interests, offering alternative, secure ways to achieve business objectives actually fosters a collaborative and beneficial relationship.

Monitor and Stay Vigilant

A large part of the critical security process is staying up to date on the latest trends and vulnerabilities. In the past 10 years, a growing segment of the information security industry has offered services ranging from incident response retainers to virtual chief information security officers (CISOs) and, of course, monitoring. These external companies have highly qualified and experienced staff who can monitor network traffic and react to possible intrusions. They offer an alternative to an in-house Security Operations Center (SOC) for those organizations that do not have the expertise themselves.

Regardless of how monitoring is accomplished, it is imperative that it takes place. Internal monitoring via security information and event management (SIEM) can give a holistic view of a company’s network and systems, and alert security officers to anomalies and suspicious activity.

Monitoring of threat activity is as important as the monitoring of internal events. To determine whether the various software and systems deployed within a company’s environment are vulnerable to attack, the company must know which versions of code and firmware it is running. Remember to review all of the company’s systems and software, old and new. While new code may have a few bugs, new vulnerabilities are often found within very old code that has been used successfully for years. The older code carries greater risk because new software is regularly built on old code libraries and segments, and companies may be unknowingly susceptible to exploits against them.

There are numerous services and websites that can be used to identify the latest breaches, attacks, and vulnerabilities. Some of these sites include:

  • US-CERT.gov
  • Exploit-DB.com
  • SANS NewsBites and @RISK
  • NIST.gov
  • ZeroDayInitiative.com (announcements for zero-day vulnerabilities are on their Twitter feed)
  • DataBreachToday.com
  • Snopes.com
  • Symantec.com
  • Various manufacturers’ sites

It is important to be aware of new vulnerabilities because once they are discovered, it is only a matter of time before attackers use them to try to compromise unsuspecting networks.

React and Remediate

After implementing all of the proper controls and the toughest encryption on the best gear available, it is time to rest easy, correct? Not exactly. As noted in the discussion of monitoring, vulnerabilities are found in both new and old code daily. Subscriptions to cybersecurity lists such as US-CERT and others confirm this, and each new advisory sets off a chain of events that triggers the next course of action: remediation.

Once these vulnerabilities have been identified and published, companies have only a small window of time in which to patch their systems. This is where reaction time is critical. The longer systems remain unpatched against new vulnerabilities, the greater the odds that one of them will affect the business. There are various published standards for remediation time based on the severity of the vulnerability and its prevalence in the wild. The times generally range from several days for zero-day vulnerabilities upward; as the severity decreases, the time allowed to patch increases.

Depending on the complexity of applying the necessary patches, firmware, and updates, the company may remain vulnerable for longer than necessary. In some cases, companies may opt to wait before applying patches for fear that they may adversely affect their systems. Watching new software and adopting it only once the bugs and inconsistencies have been worked out is a standard practice among information technology experts, but it is a dangerous gamble when racing a clock and betting that the company will not be targeted.
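The two pieces of this section and the one before it that are most often left to spreadsheets are the version inventory and the remediation clock. The following tracker, an added example that is not part of the DS News article, matches a constructed inventory against constructed advisories and flags anything past its patch deadline. The products, advisory IDs, dates and the per-severity windows are all assumptions; the article only says "several days" for the most severe cases and longer as severity decreases.

```python
"""Patch-SLA tracker (added example; inventory, advisories and SLA windows are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows in days per severity; adjust to your own policy.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}


def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10) so comparisons are numeric, not lexical ('2.4.9' < '2.4.10').
    Assumes purely numeric dotted versions; suffixes such as '1.0.2g' would need extra handling."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str      # first version that is NOT affected
    severity: str
    published: date


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the advised product below the fixed version."""
    return asset.product == adv.product and parse_version(asset.version) < parse_version(adv.fixed_in)


def deadline(adv: Advisory) -> date:
    """Patch deadline: publication date plus the window for the advisory's severity."""
    return adv.published + timedelta(days=SLA_DAYS[adv.severity])


def overdue_findings(assets, advisories, today: date):
    """Return (host, advisory_id, days_overdue) for every affected asset past its deadline,
    most overdue first. Affected assets still inside their window are not reported."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                late = (today - deadline(adv)).days
                if late > 0:
                    findings.append((asset.host, adv.advisory_id, late))
    return sorted(findings, key=lambda f: -f[2])


# Constructed sample data: fictional products and placeholder advisory IDs.
ASSETS = [
    Asset("web01", "acme-webserver", "1.0.2"),
    Asset("web02", "acme-webserver", "1.1.1"),
    Asset("fw01", "acme-router-fw", "2.4.9"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "acme-webserver", "1.1.0", "critical", date(2017, 11, 1)),
    Advisory("ADV-EXAMPLE-002", "acme-router-fw", "2.4.10", "low", date(2017, 11, 10)),
]


def report(today_iso: str):
    """Run the tracker over the constructed data for a given ISO date (e.g. '2017-11-30')."""
    return overdue_findings(ASSETS, ADVISORIES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, adv_id, late in report("2017-11-30"):
        print(f"{host}: {adv_id} is {late} day(s) past its patch deadline")
```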

Adapt or Die

It is wrong to assume that hackers only target large businesses and companies that hold high-value data, such as the mortgage servicing industry. Looking at the recent WannaCry and NotPetya attacks, the groups that released them did not target individuals but rather sent them out indiscriminately. The malicious actors themselves were unaware of how successful their worldwide cyber attack would be, and were not prepared for its fallout. Some of the 200,000 victims of the ransomware probably thought that they would have sufficient time to remediate their systems. This is why companies cannot afford to hesitate too long in this new cyber landscape. They should be fostering a security-led decision-making process and implementing new procedures to support more aggressive patch cycles and decrease the time it takes to remediate new vulnerabilities.

Those in the mortgage field services industry know that their servicing clients are well aware of the same vulnerabilities when they are released, and how damaging they can be. These clients, as part of their own due diligence, are reaching out to their field services partners and requesting posture assessments of new threats. This is why field services companies and their security leaders should not only be first to evaluate, mitigate, and remediate environments, but also take the lead and proactively inform their servicing partners of their positions to demonstrate that they understand the risks, and take them seriously.

Exceptions to the Rule

As mentioned, there are times when it is necessary to maintain deprecated or older standards, but this should be done with a full understanding of the risks involved. There should also be mitigating controls in place to monitor the systems and events for anomalous activity that could indicate intruders or malicious software. One reason to maintain old standards is interoperability with outside parties that have a more complex environment, or are not as agile, and are still on the old standards. While the current situation may dictate this position, companies should have a plan to migrate to supported protocols at the first opportunity. Another case may be supporting a legacy framework within the company that is incompatible with the newest protocols. These are only a couple of exceptions, and while each situation may be unique, reasons do exist for not upgrading as quickly as needed. Those looking to subvert a company’s network and systems are counting on complacency.

The mortgage servicing industry and its field services partners can no longer afford to merely meet security compliance standards; they should be aggressively pursuing a more stringent security posture. When implementing cryptographic controls, companies should opt for the highest common level that their environment can support, to buy the most time before change becomes necessary. The cyber landscape has moved beyond targeted attacks, and companies need to become more adaptable in preventing them.

Source: DS News

Additional Resource:

DS News (Evolution of Cybersecurity PDF)
