The Green Sheet Online Edition
January 25, 2010 • Issue 10:01:02
Simulated onslaught to bolster security
From Feb. 9 to 11, 2010, payments industry organizations will take part in a cyber attack simulation exercise designed to test the security of payment networks, educate organizations on system vulnerabilities and recommend improvements to better secure those networks.
The exercise, dubbed the Cyber Attack against Payment Processes (CAPP), is being organized by the Financial Services Information Sharing and Analysis Center. Many associations throughout the financial services sector are supporting, promoting and participating in the event's planning, including the payments industry's own Payments Processor Information Sharing Council.
Princeton, N.J.-based processor Heartland Payment Systems Inc. is co-chairing the planning process. Robert O. Carr, chairman and Chief Executive Officer at HPS, and founder of the PPISC, said the exercise is "very important" to the ultimate goal of protecting data networks from security breaches.
"We've invited payments processors; we've invited retail merchants; we've invited a lot of merchant organizations, financial institutions," Carr said. "If they have a lot of electronic payments being processed through their organizations, they're encouraged to participate."
Nuts and bolts
According to John South, Chief Security Officer at HPS, the three-day exercise involves a set of "events" (cyber attack scenarios) that participants will be confronted with, followed by an evaluation of how participants' security safeguards would respond to the attacks. Anonymous surveys are included in the scenarios to give FS-ISAC and the participating associations a snapshot of the state of cyber security in financial services.
At the conclusion of the exercise, FS-ISAC will tabulate the results of the surveys to provide feedback to participating organizations on where vulnerabilities lie in payment networks.
The purpose of the exercise is therefore to allow companies to look "introspectively" - evaluate their own strengths and weaknesses from a data security standpoint, and thus take action to shore up weak points in their networks, South said.
Specifically for payments, CAPP will help show the industry "where do we really need to put, as an industry, the most effort, and whether it be in policies and practices or infrastructural development, or if it's just understanding the issues," South added.
Tim Cranny, CEO of payment security consulting firm Panoptic Security Inc., believes an exercise that confronts organizations with sophisticated attack scenarios could be "extremely valuable" to individual businesses and the industry overall.
Large processors and other high-profile targets attract the attention of "very focused individuals who, if you block the first 100 things, will try the 101st, the 102nd thing," Cranny said.
It is those types of evolving threats the exercise is designed to highlight, according to South.
"So each day there's a set of events and a set of questions to give the corporation or the entity that's participating a chance to look at their current systems," South said. "The next day - the second day - they receive a new set of events that say, 'OK, here's what evolved over the evening.'"
The same scenario occurs over day three, at the end of which FS-ISAC will tabulate the results for dissemination to CAPP participants.
The bigger picture
Carr and Cranny agree that this is the first exercise of its kind in which the payments industry has participated. Cranny believes this is a good sign.
"One thing that has held security back for a long time is that it has been a secretive, almost furtive type of process," he said. "People haven't admitted when they've had problems, haven't even admitted when they've had successes.
"There wasn't a lot of sharing information and war stories and learning from other people's mistakes because no mistakes were ever admitted. But the bad guys are sharing very rapidly and learning from each other, so if you're going to deal with that escalating threat profile, it's a very good idea to share information and to do things like this. ... I think it is a step upward in maturity and sophistication for the industry. And it's a good thing."
Carr and Cranny also agree that payment business participants may learn some hard lessons about the state of their cyber security programs.
"I'm fairly certain that many participating companies are going to realize that they're not as prepared as they think they are," Carr said.
All types of businesses in the payments industry are invited to participate. The exercise is free of charge, and participants will receive an "after-action report" that includes best practices and threat mitigation techniques. Visit www.fsisac.com/capp to register; the deadline is Jan. 29.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.