BreachExchange mailing list archives

No one is sleeping well in the cybersecurity world


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Apr 2014 13:22:25 -0600

http://www.examiner.com/article/no-one-is-sleeping-well-the-cybersecurity-world

Anyone who attended the Kaspersky Lab Cybersecurity Summit in San
Francisco earlier this week looking for a sign that protecting networks
is getting easier left sorely disappointed. Cybersecurity is getting
harder, more complex, and continuously hampered by a lack of shared
information. And that’s the good news.

The session’s lead-off speaker was Tom Ridge, the nation’s first Secretary
of the U.S. Department of Homeland Security, and a man who ought to know.
Ridge now leads his own cybersecurity firm and spoke bluntly about the
current state of affairs. He made it clear that any attempt to bolster
security through the government was sorely misguided. “You cannot secure
the country from inside the Beltway,” said Ridge.

But he didn’t mince words about the private sector either, expressing
concern that U.S. companies had so far not shown an ability to combat the
increasing attacks seen in the past two years against important networks.
According to Ridge, the ultimate solution is shared information between the
private sector and the government. “You have to go from a need to know
mindset to a need to share mindset,” Ridge told the gathering.

Complicating the situation are world events that pull governments’
attention and resources away from fighting online criminal activity. During
a panel discussion that followed Ridge’s remarks, Eugene Kaspersky
(co-founder and CEO of Kaspersky Lab) expressed alarm that political
tensions in Ukraine are giving cybercriminals an open door to exploit
vulnerabilities while attention is elsewhere. “International projects will
have less (funding),” said Kaspersky.

The online security pioneer also warned about supply chain security,
especially in the retail world. As has since been revealed, the Target
breach last December hinged on the attackers’ ability to reach store
systems using a vendor’s credentials. Just yesterday, Michaels Stores,
the nation’s largest arts and crafts chain, revealed that nearly 3 million
of its customers’ credit or debit cards may have been compromised. “It’s
a very big topic and it’s a huge problem,” said Kaspersky.

It has been widely speculated that in the aftermath of the Target breach
and other attacks in the retail sector, U.S. banks and credit card
companies will speed up the planned implementation of chip-embedded cards.
Also known as “EMV cards,” this technology makes counterfeiting a card far
more difficult than with today’s traditional magnetic stripe product:
the chip authenticates each transaction with a one-time cryptogram rather
than the static track data a point-of-sale breach can simply replay. It
does not, on its own, protect card-not-present (online) purchases.

But during another panel discussion at the Kaspersky conference this week,
Ellen Richey, Chief Enterprise Risk Officer for Visa, made the point that
her company’s fraud rates are now one third the level of 20 years ago.
“They are at historic lows,” said Richey.

If Visa and other credit-card companies aren’t concerned about fraud risk,
this could slow the rollout of chip cards for years. In a separate
conversation, Philippe Courtot, Chairman and CEO of Qualys, told this
columnist that he still believes chip card implementation must and will
happen in the U.S. Courtot delivered a similar message to attendees at the
annual RSA Conference two months ago.

The operative word coming out of the sessions this week is paranoia.
Top-level company executives and government officials are desperately
trying to keep up with a growing number of network attacks, never really
knowing where or when the next one will occur.

As the daily news brings reports of yet another breach, security directors
around the country are looking nervously over their shoulders. “I doubt
that the chief security officer of Walmart slept well on the night he
learned of the Target incursion,” said Ridge this week. Indeed not, and
most of his counterparts aren’t sleeping well either.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/