Friday, September 29, 2017
Analysts who believe multiple access points, including mobile apps, may have enabled hackers to gain access to Deloitte's network warned companies that process and store consumer data to use advanced security methods to restrict remote worker access to sensitive customer data.
"One thing worth mentioning is that cyber attackers have migrated to mobile applications," said Michael Magrath, Director, Global Regulations & Standards at Vasco Data Security Inc. "Although convenient, mobile apps are typically developed with tight release cycles with user experience being most important and security not being the highest priority."
Ray DeMeo, founder and Chief Operations Officer at Virsec Systems Inc., said most breaches don't target well-protected resources directly; they typically exploit ancillary applications and remote entry points. "Hackers always look for the weakest link: web server vulnerabilities, stolen credentials or malicious insiders to gain a foothold," he stated. "Once inside, it's far too easy for hackers to pivot between apps, escalate privileges and access valuable data. And in far too many cases, sensitive data is copied outside of protected systems and accessible to a wide range of insiders and applications; this is where most of the damage occurs."
Magrath recommended using application shielding or Runtime Application Self-Protection (RASP) technology to proactively manage the threat of sophisticated malware by detecting and preventing fraudulent app activities before they can start. "As noted in the PwC and BAE Systems report, APT10 utilizes malware as part of its espionage activity," he added. "Hardening network access while failing to lock down mobile apps will leave organizations exposed and may leave CDE [cardholder data environments] unprotected."
DeMeo advised merchants and acquirers to keep online and business applications up to date and to implement enhanced security measures, going beyond Payment Card Industry Data Security Standard (PCI DSS) requirements, to protect all consumer information. "Any customer data should be encrypted whenever possible," he said. "Many businesses fall months behind on patching, needlessly exposing more data."
Magrath emphasized the need for a risk-based, multilayered approach to security. "Identity management and access control are high on the list to protect CDE," he noted. "The PCI DSS provides a good baseline for security requirements as does the NIST CSF. Given the numerous cyberattacks on industries like banking, payment processors, credit reporting agencies and healthcare, I would argue that these industries are high risk."
DeMeo expects the recent rash of cybersecurity breaches to lead to broader privacy measures. "The PCI DSS is very specific about protecting credit card numbers, but not intended to provide broader privacy protection for consumers," he said. "As we experienced with Equifax, enormous amounts of sensitive personal data can be breached that doesn't necessarily contain credit card numbers. If we're serious about broader privacy protection, we need to consider privacy laws as broad reaching as the European GDPR. It's unlikely that this will be done at the federal level, but increasingly, states are likely to start strengthening privacy laws."