
11/3/2014 03:03 PM

The View From A High-Value Data Breach Target

Financial services, retail, media, and healthcare industry representatives share their biggest threats and strategies for combating them.

2014 PRIVACY XCHANGE FORUM — Scottsdale, Ariz. — Members of some of the juiciest targets of cybercrime -- financial services, retail, media, and healthcare -- here today shared what they consider the biggest cyberthreats to their industries and how they are fighting back.

Michael Young, vice president and product team manager for financial services firm EverBank, says the biggest threat to his industry is less about direct cyberattacks on banks than it is about customer account theft, identity theft, and payment card fraud. "Account takeover is the number one threat the financial services industry" faces, Young said. "People get in and steal your user ID and password and transfer money out of your account."

Even with the recent news of the attack against JPMorgan Chase, he says, financial services firms are less likely to get hacked directly because they can at least control how they protect their systems and networks. "That seems to be where we have the most control. It's the other three [account theft, identity theft, and payment card theft] where we don't."

Young said JPMorgan's hack didn't result in the typical privacy breach of data. "There was no release of secure data" reported, he said. "Account takeover and ID theft fraud is not by hacking into bank networks."

Financial services firms aren't storing their information in the cloud, of course, but in their own secured environments where they can control it. "They're not putting it in the cloud, which is the next big thing and the next big and scary thing from a financial perspective" in security, he said.

Young noted that while banks under the FFIEC guidelines must provide multi-factor authentication for online banking, credit unions only recently have begun to do so. The problem with two-factor authentication is that some forms can be -- and have been -- bypassed by cybercriminals: "Some of the ways it's being implemented to help with that is by having something out-of-pocket, out-of-band authentication. Or tokens," he said.

Consumers have basically rebelled against tokens, though, he noted, while tokens have worked for business online banking.

A better bet for protecting payment data or other customer information is tokenization, where sensitive customer information, such as payment card numbers or Social Security numbers, is replaced with a surrogate token that is useless on its own. "ApplePay is one of the first implementations of tokenization," he said.
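To make the tokenization point concrete, here is a minimal token vault in Python, an added example that is not from the article or from any company named in it. It assumes a convention that issued tokens fail the Luhn check (so they can never be mistaken for live card numbers) and a single authorized service name, "payment-processor", both of which are this example's own choices; the card number used is a well-known test number, not a real account.

```python
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Luhn check: real card numbers pass it; the vault issues tokens that fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping between tokens and the card numbers they replace.
    Systems outside the vault (order history, analytics, call centre) store just the token."""

    def __init__(self, authorized_services):
        self._authorized = set(authorized_services)  # the few services that may ever see a PAN
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:  # same card, same token: counts and joins still work
            return self._pan_to_token[pan]
        while True:
            # Random digits, not a hash of the PAN: the PAN space is small enough that a
            # hash could be brute-forced, whereas a random token cannot be reversed at all.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep the last four so receipts still show "ending 1111"
            if token not in self._token_to_pan and not luhn_valid(token):
                break  # assumed convention: a token never passes Luhn, so it is never a live PAN
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, service: str) -> str:
        """Only an authorized service (here the assumed 'payment-processor') gets the PAN back."""
        if service not in self._authorized:
            raise PermissionError(f"{service} may not detokenize")
        return self._token_to_pan[token]
```

A breach of a merchant database that holds only tokens therefore exposes nothing a thief can charge against, which is the property the panel credits tokenization with.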

Financial services' call centers employ voice fingerprinting as one level of authentication, akin to caller ID. And online banking is increasingly using device fingerprinting, capturing the type of device and software as another form of authentication for consumers, he said.

"But there's no silver bullet in security for financial services. It's a layered approach," Young said. "We have to make it safe to bank online but not too onerous or difficult for the end user. It's a fine line."

Retailers, meanwhile, suffer both apathy about breaches and a misunderstanding about them, says Arthur Tisi, chief information officer for Natural Markets Food Group. Retailers ask why they were hit. "It doesn't resonate with them that it's an opportunistic approach to breaching systems," he said.

"When you talk to the CEO of a retailer, [he says] 'we're not a bank, why are they coming after us? We're PCI-compliant,'" he said.

The retail industry is nearing the one-year anniversary of the start of what has been dubbed The Year of the Retail Breach, with big-name big box companies such as Target, Home Depot, and Neiman Marcus, as well as food chains Dairy Queen and Jimmy John's and others all hit with payment card hacks.

Tisi says a big challenge for retailers is internal coordination pre- and post-attack. Take the legal and communications groups: "Legal is concerned with liability. The communications group is concerned with brand equity," he said. "Typically, the general counsel is going to win. So rather than getting into the middle of managing relationships post-breach, we're finding it's important to coordinate the organizations [in advance] so we get a good balance."

Many retailers now have an incident response plan in place to react quickly after an incident, he said. "The lack of coordination and reaction at Target after its [data breach] event could have been resolved in a much more favorable way," he said.

Tisi said some retailers are running vulnerability assessment scans beyond PCI, as well as forensic scans of data and malware.

"How are we going to coordinate communications to our customers? How are we going to communicate with … the FBI or Secret Service? How quickly can we assess what actually is happening to us while it's happening and determine the impact of what's happening?" he said. "We don't want to run out the door with our hair on fire prematurely."

Most companies, and especially those in retail, don't coordinate that communications well, he said. "What are you going to say? When are you going to say it? Who do you retain to communicate?" Tisi said. "You should already be developing a relationship with your insurance carrier."

On the media side, the business model has changed with online interaction and social media, says Ali Waezzadah, vice president of information security for CBS. "We can target a specific ad to what they watch and how they watch it," he said.

Using big data to correlate viewers' viewing habits with their online interactions is the next big thing, and media firms have to protect that information.

"All breaches happen because you miss the fundamentals. It's never the fancy technology that was implemented," such as SIEM or an IPS, he said.

At CBS, both the privacy and security teams work together closely, he said. "Our privacy organization at CBIS looks at us as their front line. We figure out a privacy issue before the privacy group" finds a problem, he said.

For healthcare, the Health Insurance Portability and Accountability Act (HIPAA) is no privacy or security cure-all, Dr. Deborah Peel, founder and chair of Patient Privacy Rights, said.

A patient's health information is accessible to too many users and databases, according to Peel, whose organization has helped map out just where that data travels after a patient visits a hospital, for example.

"HIPAA doesn't protect data privacy or security," Peel said. Most hospitals have multiple contracts with licenses that allow other organizations to "touch" that data, including insurers, pharmacies, and others.

A typical hospital can have thousands of employees with access to patient information. While some have role-based policies over who can access what, many policies are still too broad, Peel said.

"The breaches are inevitable," she said.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
sept4, User Rank: Apprentice, 11/11/2014 | 10:15:05 PM
Arthur Tisi Spot On!!!
After reading what Arthur Tisi said at the conference I can only second it. It is time already for Business leaders to get it together!!!!!
Marilyn Cohodas, User Rank: Strategist, 11/4/2014 | 10:44:03 AM
Does not inspire confidence
Interesting panel but I must admit that the "how they are fighting back" strategies don't inspire a lot of confidence, even with some promising new technologies on the horizon. Best quote, from Arthur Tisi, chief information officer for Natural Markets Food Group:

"When you talk to the CEO of a retailer, [he says] 'we're not a bank, why are they coming after us? We're PCI-compliant,'" he said.

Where has the retail industry been for the past year? Have they been living in a cocoon?
