The Green Sheet Online Edition

June 28, 2010  •  Issue 10:06:02

Feedback from CAPP exercise proves informative

A cyber attack simulation exercise that tested the security networks of over 700 financial institutions and other organizations was successful in educating participants about the current threat landscape and helping them improve enterprise-wide security, according to John South, Chief Security Officer at Heartland Payment Systems Inc. and co-leader of the exercise.

The Cyber Attack against Payment Processes (CAPP) exercise, which was conducted over three consecutive days in February 2010, presented participants with written scenarios that involved such fraud schemes as spear phishing, distributed denial of service (DDoS) attacks and a data breach at a fictitious third-party processor.

The scenarios evolved and grew in complexity over the three-day period. Participants then answered questions about how they would react to the attacks. "So they learned how their company would respond," South said. "They got to test their incident response plans. And then they got a chance to revamp their incident response plans to more appropriately cover some of the attack vectors that are out there today."

Attack vectors

The Financial Services and Information Sharing and Analysis Center (FS-ISAC), which prepared and orchestrated CAPP, tabulated the results from the exercise and published a summary (downloadable for free at www.fsisac.com/files/public/db/p243.pdf).

Four exercises were administered: one each for financial institutions, retailers, payment processors, and other businesses and governments. The payment processor exercise involved a spear phishing attack (an email scam targeted at individuals within organizations). Additionally, the scenario had a hacker infiltrate the processor's network and compromise user names and passwords.

"And then when they thought they had that covered, then we threw a distributed denial service attack on them," South said. (DDoS attacks attempt to prevent websites and other online services from functioning properly.) The scenario was therefore designed to evolve and put more pressure on the processor over time.

By doing that, the exercise showed processors how their response plans operate and whether they "escalate as the problem escalates," South said.

Responses under scrutiny

The summary reported that 85 percent of the processors recognized on day one that a data breach had occurred. Businesses in the other sectors measured similar attack recognition rates when confronted with their scenarios. By day three, virtually all exercise participants (from 95 to 97 percent) realized their organizations, or their customers, had been attacked, the summary said.

But Tim Cranny, Chief Executive Officer of payment security consulting firm Panoptic Security Inc., cautions against reading too much into those percentages.

While he acknowledges the value of the exercise, he said it is not the same as being subjected to an actual attack. It's the difference between "going to the gym and having a boxing class and being mugged," he said.

In the real world, companies have more trouble detecting and stopping fraud than they openly admit, he added. "I think this [exercise] should be interpreted as the best possible spin put on the underlying reality," he said.

Breaches and law enforcement

The FS-ISAC also concluded that processors - as well as most of the other businesses and organizations that took part in the other three exercises - were not quick to bring law enforcement agencies into the process after detecting a security breach.

"The reasons were across the board," South said. "But, in some cases, they didn't think they had enough information, or they didn't know which law enforcement agency would be involved. Or they just didn't want to get law enforcement involved that early because they were afraid of what law enforcement might do: take over the systems."

Cranny believes reluctance to inform law enforcement is explained by companies wanting to retain control of managing the breach.

"Once they bring in third parties, even law enforcement, the story is beyond their control," he said. "And it can be very difficult to manage the story. What they want to do, of course, is protect their customers and their partners but also continue to look as good as possible. Bringing in law enforcement takes it out of their control."

By day three of the exercise, however, all the payment processors (except one) recognized the scope of the scripted attacks and had contacted law enforcement, such as the FBI or U.S. Secret Service, South said. He hopes that the exercise participants learned a lesson.

"When there is a serious enough attack that involves the kinds of information or financial instruments that were involved in this, that they would not be reluctant to bring law enforcement in as quickly as possible once they identified the scenario being relevant to law enforcement," South said.

Actions to take

Based on the results of the exercise, the FS-ISAC made recommendations about how businesses and organizations can improve enterprise data security and reduce operational risk. Among the proposals are for businesses to install a dedicated computer for accessing online banking and initiating payments, and to incorporate end-to-end security that makes cardholder data useless to fraudsters even if it is compromised.

South said the FS-ISAC expects to continue with CAPP exercises done quarterly starting in the first quarter of 2011, with each quarter devoted to one scenario for one of the four sectors.

The payment processors scenario is slated to be the first one administered in 2011. South also said future exercises will be more complex than the initial one and therefore more challenging for participants.
