Financial Breaches Show ‘Trust Model’ Is Broken

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.darkreading.com/attacks-breaches/financial-breaches-show-trust-model-is-broken/a/d-id/1317043

It's a full-blown crisis when a dozen major financial services firms admit
to having their networks probed by the same attackers as those behind the
JPMorgan Chase breach.

The one thing the seemingly never-ending string of security breaches
highlights is the fact that the current online trust model as we know it is
broken. The security compromises at JPMorgan Chase, Home Depot, Dairy
Queen, and elsewhere are proof that it is time for industry stakeholders to
go back to the drawing board. Clearly, the old model of throwing resources
at perimeter defenses, sticking in a few intrusion and anomaly detection
tools, patching, and praying is not working.

It’s bad enough when major retailers like Home Depot get compromised. It’s
much worse when JPMorgan Chase, the nation’s largest bank, says intruders
were able to break into its systems and steal data on a staggering 83
million consumer and commercial accounts. Having served as the Chief
Information Security Officer at Fifth Third Bank and Bank One, respectively
in Cincinnati and Columbus, Ohio, I can speak from personal experience.
It’s a full-blown crisis when more than a dozen major financial services
companies admit to having their networks being probed for weaknesses by the
same attackers as those behind the Chase breach. This reflects the
increasing technical sophistication and the audacity of those behind these
attacks.

It’s not just banking and the retail industry that are vulnerable. Other
sectors, some of them in critical infrastructure industries such as
electric sector companies, are also dangerously exposed to similar threats
from motivated, highly skilled adversaries. If the recently disclosed
breaches are any indication, many of them are likely already compromised
and don’t know it.

While it’s easy to blame the victims for their predicament, the problems go
much deeper. It is hard to believe that an organization like JPMorgan Chase
simply allowed intruders to waltz into its systems and walk away with all
those credentials. According to Jamie Dimon, the company’s chief executive
officer, JPMorgan Chase spends $250 million annually on computer security.
Over the next five years, the bank plans on doubling that amount to
minimize the risk of same thing happening again.

A lucky break for hackers?
That intruders were able to break through even the defenses that this kind
of money can buy only proves the old adage: The bad guys only need to get
lucky once. As Dimon noted in remarks at a financial service event in
Washington recently, defending enterprises is also about internal
protection, vendor protection, and about securing against everything that
touches the enterprise network. “There will be a lot of battles,” he said.
“Unfortunately some will be lost.”

Retailers, for instance, are frequent targets because magnetic stripe
credit and debit cards used in the US are so easy to compromise. Migrating
the payment system to smartcards based on the Europay MasterCard Visa (EMV)
standard will make it much harder for criminals to clone and use stolen
card data, thereby making it more difficult for hackers to take advantage
of retailers.

Breaches like the one at Dairy Queen spotlight the need for all enterprises
to pay attention to third-party service providers and the entire supply
chain. Dairy Queen says attackers used login credentials belonging to a
third-party vendor to access its networks and steal cardholder data
belonging to customers across 400 store locations. DQ is not the first
company to be victimized by a lapse at a third-party, and it won’t be the
last.

At the end of the day, despite the wealth of technologies in a computer
network, someone is still going to find a way to get in if they are
determined and patient enough. The focus has to be not only on detection,
response, and mitigation, but also on prevention. It needs to about
reducing the overall risk profile.

It takes a village
Security vendors, hardware manufacturers, and cloud service providers need
to be willing to work together to address the vulnerabilities that allow
breaches to happen so often. Threat information sharing is a vital
component of this partnership. One of the reasons perpetrators of the
JPMorgan attack probed other financial services companies was because they
figured their best chance of getting in would be before the banks started
alerting each other about unusual activity. Better information sharing
among enterprises, vendors, and other stakeholders should help deter such
behavior.

Similarly, technologies such as one-time-use credit card numbers that
change randomly with each transaction could make it more difficult for
criminals to steal from retailers. Even simple measures like giving
consumers the ability to specify spending limits over a particular time
period could reduce fraudulent use of stolen cards.

There are no silver bullets, but if protection could extend across the
entire supply chain, enterprises and the consumers they serve would be
better protected. For instance, make it easier for enterprises to discover
and secure applications based on employee use and business criticality.
Tools such as strong encryption, key management, tokenization, and data
loss prevention can help companies protect data in the cloud more
efficiently.

Getting security right in this environment of non-stop breaches presents a
huge opportunity for cloud and security providers to innovate. Addressing
security comprehensively across private sector companies can create an
environment that is resilient and transparent, and will allow us to prosper
over the long term.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!