Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:03 PM
Connect Directly

The View From A High-Value Data Breach Target

Financial services, retail, media, and healthcare industry representatives share their biggest threats and strategies for combating them.

2014 PRIVACY XCHANGE FORUM — Scottsdale, Ariz. — Members of some of the juiciest targets of cybercrime -- financial services, retail, media, and healthcare -- here today shared what they consider the biggest cyberthreats to their industries and how they are fighting back.

Michael Young, vice president and product team manager for financial services firm EverBank, says the biggest threat to his industry is less about direct cyberattacks on banks than it is on customer account theft, identity theft, and payment card fraud. "Account takeover is the number one threat the financial services industry" faces, Young said. "People get in and steal your user ID and password and transfer money out of your account."

Even with the recent news of the attack against JPMorgan Chase, he says, financial services firms are less likely to get hacked directly because they can at least control how they protect their systems and networks. "That seems to be where we have the most control. It's the other three [account theft, identity theft, and payment card theft] where we don't."

Young said JPMorgan's hack didn't result in the typical privacy breach of data. "There was no release of secure data" reported, he said. "Account takeover and ID theft fraud is not by hacking into bank networks."

Financial services firms aren't storing their information in the cloud, of course, but in their own secured environments where they can control it. "They're not putting it in the cloud, which is the next big thing and the next big and scary thing from a financial perspective" in security, he said.

Young noted that while banks under the FFIEC guidelines must provide multi-factor authentication for online banking, credit unions only recently have begun to do so. The problem with two-factor authentication is that some forms can be -- and have been -- bypassed by cybercriminals: "Some of the ways it's being implemented to help with that is by having something out-of-pocket, out-of-band authentication. Or tokens," he said.

Consumers have basically rebelled against tokens, though, he noted, while tokens have worked for business online banking.

A better bet for payment data or other customer information protection is tokenization, where sensitive customer information, such as payment card information or Social Security numbers, for instance. "ApplePay is one of the first implementations of tokenization," he said.

Financial services' call centers employ voice fingerprinting as one level of authentication, akin to caller ID. And online banking is increasingly using device fingerprinting, capturing the type of device and software as another form of authentication for consumers, he said.

"But there's no silver bullet in security for financial services. It's a layered approach," Young said. "We have to make it safe to bank online but not too onerous or difficult for the end user. It's a fine line."

Retailers, meanwhile, suffer both apathy about breaches and a misunderstanding about them, says Arthur Tisi, chief information officer for Natural Markets Food Group. Retailers ask why they were hit. "It doesn't resonate with them that it's an opportunistic approach to breaching systems," he said.

"When you talk to the CEO of a retailer, [he says] 'we're not a bank, why are they coming after us? We're PCI-compliant,'" he said.

The retail industry is nearing the one-year anniversary of the start of what has been dubbed The Year of the Retail Breach, with big-name big box companies such as Target, Home Depot, and Nieman Marcus, as well as food chains Dairy Queen and JimmyJohn's and others all hit with payment card hacks.

Tisi says a big challenge for retailers is internal coordination pre- and post-attack. Take the legal and communications groups: "Legal is concerned with liability. The communications group is concerned with brand equity," he said. "Typically, the general counsel is going to win. So rather than getting into the middle of managing relationships post-breach, we're finding it's important to coordinating the organizations [in advance] so we get a good balance."

Many retailers now have an incident response plan in place to react quickly after an incident, he said. "The lack of coordination and reaction at Target after its [data breach] event could have been resolved in a much more favorable way," he said.

Tisi said some retailers are running vulnerability assessment scans beyond PCI, as well as forensic scans of data and malware.

"How are we going to coordinate communications to our customers? How are we going to communicate with … the FBI or Secret Service? How quickly can we assess what actually is happening to us while it's happening and determine the impact of what's happening?" he said. "We don't want to run out the door with our hair on fire prematurely."

Most companies, and especially those in retail, don't coordinate that communications well, he said. "What are you going to say? When are you going to say it? Who do you retain to communicate?" Tisi said. "You should already be developing a relationship with your insurance carrier."

On the media side, the business model has changed with online interaction and social media, says Ali Waezzadah, vice president of information security for CBS. "We can target a specific ad to what they watch and how they watch it," he said.

Using big data to correlate how viewers interact with their viewing habits and online is the next big thing, and media firms have to protect that information.

"All breaches happen because you miss the fundamentals. It's never the fancy technology that was implemented," such as SIEM or an IPS, he said.

At CBS, both the privacy and security teams work together closely, he said. "Our privacy organization at CBIS looks at us as their front line. We figure out a privacy issue before the privacy group" finds a problem, he said.

For healthcare, the Health Insurance Portability and Accountability Act (HIPAA) is no privacy or security cure-all, Dr. Deborah Peel, founder and chair of Patient Privacy Rights, said.

A patient's health information is accessible to too many users and databases, according to Peel, whose organization has helped map out just where that data travels after a patient visits a hospital, for example.

"HIPAA doesn’t protect data privacy or security," Peele said. Most hospitals have multiple contracts with licenses that allow other organizations to "touch" that data, including insurers, pharmacies, and others.

A typical hospital can have thousands of employees with access to patient information. While some have role-based policies over who can access what, many policies are still too broad, Peele said.

"The breaches are inevitable," she said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/11/2014 | 10:15:05 PM
Arthur Tisi Spot On!!!
After reading what Arthur Tisi said at the conference I can only second it.  It is time already for Business leaders to get it together!!!!!
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
11/4/2014 | 10:44:03 AM
Does not inspire confidence
Interesting panel but I must admit that the "how they are fighting back" strategies don't inspire a lot of confidence, even with some promising new technologies on the horizon. Best quote, from  Arthur Tisi, chief information officer for Natural Markets Food Group:

"When you talk to the CEO of a retailer, [he says] 'we're not a bank, why are they coming after us? We're PCI-compliant,'" he said.

Where has the retail industry been for the past year. Have they been living in a cocoon? 

How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.