In the wake of so many high-profile security breaches in recent months, businesses face a critical question: if major organizations with huge network security budgets can’t protect themselves, how can we? A look at the cases, though, shows that there are clear lessons to be learned about securing assets – no matter how large the institution.
- Information is compromised at its most compromising position. Far from being daring raids on a secure vault in broad daylight, recent breaches have one thing in common: they’ve exploited weaknesses in systems, processes, or technology in order to steal identities.
- The Bank of America and Wachovia scam, in which over 670,000 bank accounts were compromised, exploited weak access controls and employees who were vulnerable to manipulation by social engineering. Exposing a systemic problem, a man posing as a credit agency persuaded not one, but seven, New Jersey bank employees to access customer databases and sell him account information.
- While insiders in the Bank of America scandal violated business processes by selling data, it was ChoicePoint’s business processes themselves that represented their most compromising position. Because the company sold data to businesses without thorough audits to verify legitimacy, it was easy for thieves to pose as legitimate businesses and steal the personal records of over 145,000 people.
- When CitiFinancial lost computer tapes containing personal account information of over 3.9 million customers in June, the data was in its most compromising position: in transit (via UPS) from one secure site to another, in an unencrypted state.
- The hack of credit card processor CardSystems Solutions’ network resulted in the exposure of over 40 million accounts to fraud and the theft of at least 200,000 more. Where was CSS’s biggest weakness? In their processes, and in their network itself. Not only was CSS maintaining records they were supposed to have deleted; they didn’t have adequate technical controls in place to prevent their own network from being used to capture and forward the data. Exploiting this weakness, hackers installed rogue applications on the company’s internal systems that in turn sent the data offsite.
What can you do about it? Take the perspective of a hacker and follow the path of your data during the course of a business day. Who has access to the information? How do you back it up? Where are the most compromising positions? This is an iterative process: repeat the walk-through until you have identified your most compromising positions and secured them. Doing so can be expensive, but the cost of being compromised is exponentially higher than the cost of preventing the compromise.
- Use detective controls to identify breaches early in the process. In most of these cases, breaches were identified only through the evidence of an abnormally high rate of fraudulent transactions. By this point, it’s too late for the organization to do anything to protect the information – or to find out where it is, in many cases. Having compromised the system, stolen the data, and erased his tracks, the hacker – and not the business – is now the data owner.
It doesn't have to be that way. Many scams could have been detected by simply monitoring system logs. Employees involved in selling customer data were frequently accessing up to 500 customer accounts each day - well over the average of forty. Network monitoring would have detected the CardSystems Solutions hack as well. An effective intrusion prevention system would have stopped the hack altogether.
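The log-monitoring check described above, as an added example that is not part of the original article: it counts the distinct customer accounts each employee touches per day and flags anyone far above the workforce baseline. The audit-line format (`date employee account`), the 3x-median threshold and the sample data are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from statistics import median


def parse_line(line):
    """Parse one constructed audit line of the assumed form '<date> <employee> <account>'."""
    date, employee, account = line.split()
    return date, employee, account


def daily_distinct_accounts(lines):
    """Map (date, employee) -> number of distinct accounts accessed that day.

    Distinct accounts, not raw hits: re-reading one account many times is normal
    clerical work, while touching hundreds of different accounts is the insider pattern.
    """
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        date, employee, account = parse_line(line)
        seen[(date, employee)].add(account)
    return {key: len(accounts) for key, accounts in seen.items()}


def flag_outliers(counts, factor=3.0):
    """Return (date, employee, count) for employee-days above factor x the median.

    The median is used as the baseline (assumed policy) because a single heavy
    abuser would drag an arithmetic mean upward and hide under it.
    """
    if not counts:
        return []
    threshold = median(counts.values()) * factor
    return sorted((d, e, n) for (d, e), n in counts.items() if n > threshold)


def build_sample_log():
    """Constructed data: nine clerks touch 40 accounts each, one touches 500."""
    lines = []
    for clerk in range(1, 10):
        lines += [f"2005-06-01 clerk_{clerk:02d} acct_{clerk * 1000 + a}" for a in range(40)]
    lines += ["2005-06-01 clerk_01 acct_1000"] * 5          # repeats must not inflate the count
    lines += [f"2005-06-01 clerk_10 acct_{50000 + a}" for a in range(500)]
    return lines


if __name__ == "__main__":
    for date, employee, n in flag_outliers(daily_distinct_accounts(build_sample_log())):
        print(f"{date} {employee}: {n} distinct accounts accessed")
```

On real systems the same logic runs over the database or application audit trail rather than a constructed list, and the baseline should be computed per role so that a back-office batch user is not compared against a branch clerk.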
- Take a security-based approach to compliance, not the reverse. Each of these organizations was regulated and compliant to varying degrees. Even CSS, which was found to be out of compliance by Visa and MasterCard in an after-the-fact review, had been judged to meet standards just a year earlier. But compliance measures proved ineffective because regulations specify only the minimum set of security controls an organization needs. Thus, when banks focus solely on making a 1 or a 2 on their regulatory exam, the result is not only a minimum return on their security investment, but inadequate security.