19 January 2014

Target's Security Breach Stresses the Need for Better Cyber Security

Thu Jan 16, 2014

Target's recent credit card security breach that affected 70 million customers was a huge hit to the retailing giant at the most inopportune time. To the retailer's credit, it took this matter extremely seriously by quickly informing customers and offering 10 percent discounts to anyone who came into its stores the weekend before Christmas.

The bigger issue for the retailer is everyone coming in with their two cents on what Target should have done to prevent this breach, including two U.S. senators seeking investigations from the Consumer Financial Protection Bureau and the Federal Trade Commission. There are also potential class action lawsuit filings against the retailer in California and Rhode Island.

Yet in the ensuing and understandable media melee, one crucial point has largely been missed: the makeup of the criminals that perpetrated the act. Though not much has been disclosed, there's little doubt in my mind that this was not the work of some part-time hacker living in his mother's basement. While there are always lessons to be learned to make things better, we as security experts must openly acknowledge that cybersecurity is a war where the enemy is a formidable, organized and very sophisticated threat.

Data breaches like the one Target suffered are typically conducted by organized crime syndicates or similar groups with a sizeable level of cleverness. They have a vast number of highly-skilled resources at their disposal from virtually every corner of the globe and strike with keen precision. They have a network like no other and when these criminal organizations hit, they hit hard. The Ponemon Institute's 2013 Annual Cost of Cyber Crime Study noted that the financial impact of cyber attacks is up nearly 78 percent.

Corporations, security experts and consumers need to act accordingly by taking cybercrime more seriously. It's no longer a question of if, but when an attack will occur and how best to ensure it doesn't infiltrate sensitive accounts. The first line of defense is also no longer the individual, as it once was. That's because consumers no longer "own" their data. Information is moving so fast that these folks have their account information, address, phone numbers and other sensitive data on many servers they neither see nor control.

Organizations that house this data must recognize that they bear the responsibilities of protecting the information. It's a daunting task to be sure, but one where investments in security will prevent costly loss of revenue and litigation in the same manner that Target is now struggling to deal with.

The key is to fight the cyber enemy with the same level of sophistication and respect that they have for their intended victims. This is a clever enemy before us, but one that can be defeated if we understand the size and scale of the threat. The advantage we as information assurance experts and corporate executives have is possessing tried and true methods to thwarting such threats, with elements that include:

Categorizing information for its value to others. Ensure a keen understanding of what kind of data may be of interest to would-be cyber criminals. Prioritize it by the need to protect it. This will serve as a foundation for developing strategic information assurance initiatives against a fixed budget.

Fully understanding the user base. Identify people and activities to develop potential threat profiles. It will help in focusing efforts to thwart attacks that occur from or are caused by improper activities from within. Training and awareness of employees is also a key aspect here. Surprisingly, many people who hold high-level security clearances will keep their passwords on a piece of paper in their notebook, or unencrypted in a document on their phone or computer.

Monitoring systems. Identify all entries and exits; be they printers, thumb drives, network boundaries, etc. Watch happenings at these key points as well as system wide. More importantly, don't just track the raw activity levels, but trends as well. Develop baseline metrics to identify abnormalities quicker and take action in a more rapid fashion.

Let's make 2014 the year we get the upper hand in this emerging cyber war.

http://www.reuters.com/article/2014/01/16/idUS259157097320140116

No comments: