The Green Sheet

Friday, July 28, 2017

Sophisticated cybercrime sets new bar for security teams

Independent studies by Juniper Research and Accenture PLC indicate companies are committing more resources and revenue to fighting existing and emerging forms of cybercrime. These findings are consistent with predictions by leading security analysts, who have urged companies to adopt advanced technologies and automation to protect against insecure Internet of Things (IoT) and distributed denial-of-service (DDoS) attack vectors.

"It's simply not possible for the standard business environment to keep pace with cyber criminals," said Mark Carl, Chief Executive Officer of Atlanta-based ControlScan Inc. "Ransomware and other types of malware are advancing way too rapidly. Regardless of their size, merchants can't be expected to go it alone, nor can they expect their payment processors to supply the 'magic bullet' that shoots down all cyberattacks coming at them."

Gilad Peleg, CEO of SecBI Ltd., added, "Most organizations don't do enough to secure their customers' data and are slow to detect when it has been compromised. In addition to enhancing the security of the data itself, companies need to proactively hunt for breaches and look for signs of data being exfiltrated out of their organization, usually through the network proxy."

API, automation targets

Peleg said the difficulty of looking at massive amounts of data has prompted many organizations to rely on artificial intelligence (AI). AI and automated tools may look like low-hanging fruit to cybercriminals, who are attacking AI and application programming interfaces (APIs). U.K.-based Juniper Research found growing threats in ecommerce and emerging IoT technology, both prone to massive botnet armies that launch DDoS attacks against automated detection systems.

Online Payment Fraud: Emerging Threats, Key Vertical Strategies & Market Forecasts 2017-2022, published July 25, 2017, by Juniper Research, highlighted the need for improved methods of customer and end-user authentication. The company predicted that organizations will spend $9.3 billion on fraud detection and prevention by 2022, a 22 percent increase over current levels.

Report author Steffen Sorrell said implementing 3-D Secure 2.0 may reduce fraud and shopping cart abandonment. He also cited the European Union's Revised Payment Services Directive, known as PSD2, as an additional protection for APIs used in international banking. "APIs expose a set of business logic rules, which by their nature are susceptible to abuse," Sorrell stated. "This will drive banks and service providers to greater emphasis on protecting those APIs."

Emerging market targets

A Juniper Research white paper, Future Fraud: 3 Key Battlegrounds in 2018, found the Latin American, Indian subcontinent, and African and Middle Eastern regions vulnerable to bank and payment fraud. However, researchers predicted these regions will account for only 4 percent of global fraud detection and prevention spending by the year 2022. They called for stronger regulation and consumer education on Internet safety.

The 2017 Cyber Threatscape Report, published July 25, 2017, by iDefense, a division of Accenture Security, found ransomware attacks by state-sponsored actors increased in the first half of 2017. Criminals used a variety of attack vectors, including destructive attacks, deception and denial tactics, malware-as-a-service toolkits and encryption services that are widely available on the Dark Web.

Josh Ray, Managing Director at Accenture, reported that ransomware is becoming more diversified and sophisticated. Attack vectors include reverse deception tactics, phishing campaigns, cryptocurrency schemes and DDoS attacks by botnets. "Our findings confirm that a new bar has been set for cybersecurity teams across all industries to defend their assets in the coming months," he said. "While the occurrence of new cyberattack methods is not going away, there are immediate actions companies can take to better protect themselves against malicious ransomware and reduce the impact of security breaches."

Think beyond PCI

ControlScan's Carl noted that security vulnerability doesn't begin or end with the payment card environment. Properly implemented, Payment Card Industry (PCI) Data Security Standard (DSS)-validated point-to-point encryption solutions may secure the merchant's payment card data but insufficiently protect against attacks that exfiltrate data and impact systems within other business areas, he stated.

"It's critical that merchants take a bigger-picture view of cybersecurity, one that accounts for all areas of their business," he added. "This involves integrating network security best practices with the PCI compliance requirements they're already working to meet. Many merchants don't have the internal resources to give security and compliance that kind of mindshare, however, so that's where managed security partnerships are valuable."


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
