The Green Sheet

Friday, August 8, 2014

Are the cyber warfare clouds gathering?

Recent news coming from the cybersecurity community suggests that data breaches are being used not just to defraud consumers, but to engage in cyber warfare against the United States. This escalating threat has prompted federal agencies to focus on the role of the payments industry in safeguarding sensitive data.

On July 16, 2014, Jacob J. Lew, Secretary of the U.S. Department of the Treasury, issued a call to action to the financial services industry to strengthen the security of its networks against cyber attacks.

"The consequences of cyber incidents are serious," he said in a speech at the 4th Annual Delivering Alpha Conference, a gathering of hedge fund managers in New York. "When credit card data is stolen, it disturbs lives and damages consumer confidence. When trade secrets are robbed, it undercuts America's businesses and undermines U.S. competitiveness. And successful attacks on our financial system would compromise market confidence, jeopardize the integrity of data, and pose a threat to financial stability."

Lew remarked on the high profile breaches that affected Target Corp., Neiman Marcus and Michaels Stores Inc. He said U.S. banks and credit unions have been victims of over 250 distributed denial of service (DDoS) attacks since 2011, overwhelming systems and forcing websites offline.

"It does not take much to imagine the impact of those attacks on U.S. banks if they had penetrated core operational functions rather than temporarily disrupting public websites and customer log-in pages," Lew noted. "Cyber attacks on our financial system represent a real threat to our economic and national security."

Lew also mentioned how fraudsters were able to hack into the Twitter account of the Associated Press in April 2013 and issue a false news alert that the White House had been attacked. Lew said the fake tweet "drove the Dow Jones Industrial Average down by more than 100 points within three minutes, temporarily erasing roughly $130 billion of value from U.S. stock markets."

The Treasury Department, which has a supervisory role over U.S. financial services, has instituted a number of plans aimed at heightening infrastructure security and fostering information sharing between the public and private sectors. Among its actions have been the development of the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity and the formation of the Cyber Intelligence Group.

The NIST Cybersecurity Framework provides a blueprint for financial services firms to "evaluate, maintain, and improve the resiliency of their computer systems," the Treasury Department said. And the CIG is an information sharing group that coordinates with the Financial Information Sharing and Analysis Center, which, among other things, conducts simulated tests of financial service providers' security protections and protocols against such cyber intrusions as DDoS attacks.

Targeting third-party vendors

In his remarks, Lew highlighted the need for third-party hardware, software and payment vendors to adhere to the NIST Cybersecurity Framework. "Just as you consider your counterparties when you take on financial risk, you should also consider your counterparties in the area of cyber risk," he said.

The PCI Security Standards Council (PCI SSC) is taking up that very challenge. On Aug. 7, 2014, the council, which is the governing body of the Payment Card Industry Data Security Standard (PCI DSS), published the Third-Party Security Assurance Information Supplement, designed to provide payment service providers and their third-party vendors, such as call centers, gateway operators and mobile payment firms, with data security best practices.

The council cited 2013 research from the Ponemon Institute that said payment businesses do not require that third-party vendors adhere to the "same level of rigor to information security in vendor networks as they do in their own." A main focus of the latest iteration of the PCI DSS (version 3.0) is on data security as a shared responsibility among all the businesses on the payments value chain.

The supplement is available on the PCI SSC website at www.pcisecuritystandards.org/security_standards/documents.php.

Infrastructure insecurity

Meanwhile, the U.S. security community is focusing on the potential that rogue elements in foreign countries, or the governments themselves, will wage covert cyber warfare campaigns against the United States. At a July 15, 2014, Center for Security Policy panel discussion held at the National Press Club in Washington, D.C., security experts warned that the expected initial public offering of China-based online retail giant Alibaba Group Holding Ltd., with payments facilitated by its in-house processor Alipay, may pose a cyber warfare risk.

Panelists said the IPO, which is expected to take place after Labor Day, may be used by China as a way to infiltrate the U.S. economic system and collect payment-related data that can be used to engage in asymmetrical cyber warfare. Financial analyst Kevin Freeman said Alibaba's IPO is a manifestation of the Chinese practice of "unrestricted warfare" against the West. Former CIA analyst Fred Fleitz warned that China's economic hostility to the United States is being "dismissed or being argued away."

It is worth recalling that the U.S. Army Corps of Engineers experienced a breach in 2013 that targeted its National Inventory of Dams database. U.S. intelligence agencies fingered the Chinese government, or "military cyber warriors" within China, for the attack. Data reportedly stolen in the breach included estimates of fatalities if a catastrophic breach occurred at any one of around 8,000 dams across the United States.

The U.S. government launched the Comprehensive National Cybersecurity Initiative in 2008. In a 2009 report to Congress, the CNCI said that a cyber attack on U.S. infrastructure "would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters."

Massive new hack

The escalation in the size and scope of data breaches continues. On Aug. 5, 2014, information security and investigations firm Hold Security LLC reported it had uncovered a gang of Russian hackers, dubbed CyberVor, which used botnet attacks to steal more than 4.5 billion records, mostly user credentials lifted from over 420,000 web and file transfer protocol sites.

Hold Security estimated that the haul of data totaled over 1.2 billion unique sets of emails and passwords. The Milwaukee, Wisc.-based firm said many of the email/password combinations were from old, unused accounts, but that the "sheer number of credentials can potentially open a door to many systems and accounts."
