The Green Sheet Online Edition
June 28, 2010 • Issue 10:06:02
Feedback from CAPP exercise proves informative
A cyber attack simulation exercise that tested the security networks of over 700 financial institutions and other organizations was successful in educating participants about the current threat landscape and helping them improve enterprise-wide security, according to John South, Chief Security Officer at Heartland Payment Systems Inc. and co-leader of the exercise.
The Cyber Attack against Payment Processes (CAPP) exercise, which was conducted over three consecutive days in February 2010, presented participants with written scenarios that involved such fraud schemes as spear phishing, distributed denial of service (DDoS) attacks and a data breach at a fictitious third-party processor.
The scenarios evolved and grew in complexity over the three-day period. Participants then answered questions about how they would react to the attacks. "So they learned how their company would respond," South said. "They got to test their incident response plans. And then they got a chance to revamp their incident response plans to more appropriately cover some of the attack vectors that are out there today."
The Financial Services and Information Sharing and Analysis Center (FS-ISAC), which prepared and orchestrated CAPP, tabulated the results from the exercise and published a summary (downloadable for free at www.fsisac.com/files/public/db/p243.pdf).
Four exercises were administered: one each for financial institutions, retailers, payment processors, and other businesses and governments. The payment processor exercise involved a spear phishing attack (an email scam targeted at individuals within organizations). Additionally, the scenario had a hacker infiltrate the processor's network and compromise user names and passwords.
"And then when they thought they had that covered, then we threw a distributed denial service attack on them," South said. (DDoS attacks attempt to prevent websites and other online services from functioning properly.) The scenario was therefore designed to evolve and put more pressure on the processor over time.
By doing that, the exercise showed processors how their response plans operate and whether they "escalate as the problem escalates," South said.
Responses under scrutiny
The summary reported that 85 percent of the processors recognized on day one that a data breach had occurred. Participants in the other sectors showed similar attack recognition rates when confronted with their scenarios. By day three, virtually all exercise participants (from 95 to 97 percent) realized their organizations, or their customers, had been attacked, the summary said.
But Tim Cranny, Chief Executive Officer of payment security consulting firm Panoptic Security Inc., cautions against reading too much into those percentages.
While he acknowledges the value of the exercise, he said it is not the same as being subjected to an actual attack. It's the difference between "going to the gym and having a boxing class and being mugged," he said.
In the real world, companies have more trouble detecting and stopping fraud than they openly admit, he added. "I think this [exercise] should be interpreted as the best possible spin put on the underlying reality," he said.
Breaches and law enforcement
The FS-ISAC also concluded that processors - as well as most of the other businesses and organizations that took part in the other three exercises - were not quick to bring law enforcement agencies into the process after detecting a security breach.
"The reasons were across the board," South said. "But, in some cases, they didn't think they had enough information, or they didn't know which law enforcement agency would be involved. Or they just didn't want to get law enforcement involved that early because they were afraid of what law enforcement might do: take over the systems."
Cranny believes reluctance to inform law enforcement is explained by companies wanting to retain control of managing the breach.
"Once they bring in third parties, even law enforcement, the story is beyond their control," he said. "And it can be very difficult to manage the story. What they want to do, of course, is protect their customers and their partners but also continue to look as good as possible. Bringing in law enforcement takes it out of their control."
By day three of the exercise, however, all but one of the payment processors recognized the scope of the scripted attacks and had contacted law enforcement, such as the FBI or U.S. Secret Service, South said. He hopes the exercise participants learned a lesson.
"When there is a serious enough attack that involves the kinds of information or financial instruments that were involved in this, that they would not be reluctant to bring law enforcement in as quickly as possible once they identified the scenario being relevant to law enforcement," South said.
Actions to take
Based on the results of the exercise, the FS-ISAC made recommendations about how businesses and organizations can improve enterprise data security and reduce operational risk. Among the proposals are for businesses to install a dedicated computer for accessing online banking and initiating payments, and to incorporate end-to-end security that makes cardholder data useless to fraudsters even if it is compromised.
South said the FS-ISAC expects to continue CAPP exercises on a quarterly basis starting in the first quarter of 2011, with each quarter devoted to one scenario for one of the four sectors.
The payment processors scenario is slated to be the first one administered in 2011. South also said future exercises will be more complex than the initial one and therefore more challenging for participants.