The Green Sheet Online Edition
April 13, 2015 • Issue 15:04:01
Closing the door to backdoor breaches
While the number of reported cyber attacks against U.S. retailers dropped 50 percent last year, cyber criminals still managed to steal over 61 million records, compared with nearly 73 million in 2013, according to IBM security analysts. But incidents involving less than 10 million records apiece told a different story. The number of retail records compromised in this segment increased significantly, up 43 percent year-over-year.
"The threat from organized cyber crime rings remains the largest security challenge for retailers," said Kris Lovejoy, General Manager, IBM Security Services. The primary mode of attack in 2014 was unauthorized access via Secure Shell (SSH) brute-force attacks, surpassing malicious code, which topped the list in 2012 and 2013, according to IBM. And both types of attacks are expected to continue unless immediate action is taken by all stakeholders.
In SSH brute-force attacks, hackers attempt to bypass secure shell access to remote machines by using random username and password combinations to determine the combination that will enable them to gain illegal access. In malicious code statement attacks, also referred to as SQL injection attacks, the injected code allows hackers to direct networks to execute arbitrary commands. IBM tracked 6,000 SQL injection attacks perpetrated against U.S. retailers last year.
"One thing that we're seeing here in all of our breach investigations is, and this is a change that we've really noticed a significant uptick in, almost half of all the records that are stolen are now nonpayment card data," said Greg Rosenberg, Security Engineer at Trustwave. "The question then becomes even if you encrypt the information within a terminal or swipe or tap device, what about that other data? How do you value that, and what are the consequences if that is stolen?"
The Javelin Strategy & Research 2015 Identity Fraud Study draws a close correlation between data breaches and subsequent identity fraud, which last year impacted 12.7 million Americans at a price tag of $16 billion in fraudulent activity. And two-thirds of those victims reported receiving data breach notifications in the same year the fraud was committed. Cradlepoint Security Solutions estimates 45 percent of businesses breached are retailers, and 1 in 4 customers of businesses affected become identity fraud victims.
Healthcare records, social media and virtually anywhere personally identifiable information floats in cyberspace have become the new frontier for career cybercriminals. Even with the persistent threat of attack, weak passwords continue to be an open door for cyber intrusions. "Weak passwords are exploited quite a bit as the starting point to a breach," Rosenberg noted.
But that is only the tip of the iceberg. In analyzing data, The Online Trust found 29 percent of breaches involving the loss of personally identifiable information in 2014 were caused by employees working in organizations that lack adequate internal controls.
Set and forget not an option
Opportunistic cybercriminals troll the Internet around the clock in search of code flaws and other network vulnerabilities, leaving no room for the "set and forget" security mindset. Lulled by a false sense that breaches can't happen to them because incidents involving targeted businesses with vast amounts of data garner all the attention, smaller merchants fall prey to attacks every day with little public notice.
"There needs to be a shift in attitude that installing these security packages will prevent a breach," said Lucas Zaichkowsky, Enterprise Defense Architect at AccessData in a recent webinar. "Things get past these preventative defenses all the time." He said businesses should actively monitor systems for an attack in progress across the entire attack life cycle. Merchants must also understand how attacks can accelerate from initial point of entry to privilege escalation and lateral movement into the card data environment.
Systems that port forward data to remote desktop software are especially vulnerable. "People will port forward from their router firewall to the POS system so they can access it remotely," he said. "Once they're in, they're on that POS system running as the local administrator, and they can do whatever they want – dropping keystroke recorders, network snoopers and RAM scrapers." Hackers can also set systems to automatically upload stolen data at regular intervals to avoid repeat visits and circumvent detection efforts.
Hardening of network systems therefore is critical. For starters, he said, businesses need to protect and monitor the use of privileged credentials. "One really cheap thing that you can do is set it up so that any administrative account, when it's used, sends an email to the account users," Zaichkowsky said. "It's a really easy tripwire." This step also has an added benefit in that it warns key personnel of a potential threat early on in the attack life cycle.
Network administrators should also look at end points, monitor networks, review log files and be prepared to act quickly when suspicious network activity is detected. "Understand the attack so that you know what user account passwords to reset, where all the backdoors are that need to get yanked out, and then do it as quickly as possible before they get to what they're after," Zaichkowsky noted.
For credit card processors, rapid escalation in threat dynamics can be devastating. "They'll steal your databases, they'll go after your hardware security modules to get debit card PINs," Zaichkowsky said. "If you have a website that's taking e-ecommerce transactions, they'll modify your production code."
Based on information gleaned from attempted intrusions, security defenses can be deployed to thwart similar attack behavior in the future. "If you know that they're constantly doing SQL injection, then that tells you that you need to have a lot more code review, web application firewalls, and to lock down those web servers and what they can communicate to and monitor the heck out of them," Zaichkowsky noted.
Layered security offers best defense
Security experts agree the best defense against breaches is a layered, risk-based approach that physically separates the payment environment from everything else. While stand-alone terminals that encrypt data are prone to on-site tampering, most are not subject to remote hacking. The same applies to electronic cash registers, which rely on the Inter-Register Communications (IRC) network protocol as a safeguard. At greatest risk are Internet-connected integrated systems.
"With PCI DSS 3.0, which took effect this year, a lot of the changes in the security guidelines are around the network and ensuring that merchants have their network environments set up properly, but more importantly merchants are using either the right partners or the right products to secure their network properly," said Simon Gamble, President, North America, at Mako Networks.
Mako offers a Payment Card Industry (PCI) Data Security Standard (DSS) version 3.0-compliant, cloud-based hosted management service comprised of two parts. "We have our appliance that sits on the edge of the customer's network, connects it to the Internet, and also separates the payments environment from all the other bits and pieces they have on their network, but allows them to share the same Internet connection," Gamble said. The other piece is a hosted management platform where administration and control of the Mako appliances takes place.
One requirement for establishing a secure payments environment is to restrict where each component in that environment can communicate. For example, using the Mako system a merchant that processes payments with First Data Corp. could select First Data from a dropdown window and designate a specific terminal, or multiple terminals and a printer, to connect only with First Data.
"We then might have what we called a pre-approved content list for a client," Gamble said. "So if a client also needs their terminals to connect to Microsoft for Windows updates and to McAfee for antivirus updates, we can allow those in a pre-approved manner."
Both pieces in Mako's system work collaboratively to make it nearly impossible to fall out of compliance without realizing it, Gamble stated. "The system won't let them change things that are going to break the compliance, and if they do, there are warnings that pop up that say, 'Are you sure you want to do this? This is going to break your compliance,'" Gamble said. "If they agree to go ahead with it, alerts are sent out to everyone from their bank to their processor and IT department."
Gamble noted that Mako has the only network management system in the world with PCI certification that is extensible to the merchant, because the certification covers the appliance and the services that it's delivering into the merchant's environment. "The real goal is to make security and network control accessible to people who aren't necessarily interested in it but need to ensure that their business is protected," he said.
Along similar lines, Trustwave developed a suite of managed encryption services that protect sensitive data in midsize and large enterprise network environments. "The customer identifies sensitive data, tags it, and then we have tools that essentially encrypt it wherever it goes," Rosenberg said. "You can encrypt an entire laptop hard drive, or removable media like a USB stick, or information that goes to a CD or DVD. Or you can just tag data as it's in flight, for example email. But it's not just payment card data."
Trustwave's encryption services are designed to protect vast amounts of nonpayment data, including customer records and applications on systems that don't natively support encryption. Rosenberg noted that the system actively monitors different types of data associated with the respective owners of that data, and any data deemed to be at risk is then captured or quarantined to prevent an intrusion from advancing to the next level.
Another company working to deflect cyber adversaries is Shape Security. Its patent-pending approach prevents malware from executing commands, thus protecting the user interface layer. Since malware typically uses polymorphic code to hide itself from antivirus products by appearing slightly different each time it infects a machine, Shape has developed a unique technique based on what it refers to as "real-time polymorphism."
"We can invert this concept and use real-time polymorphism to constantly rewrite a site's code," Shape stated. "This disables the malware's capability to send commands to the website without impacting users or the web application's functionality." Like Mako, Shape offers plug-in Shapeshifter units that operate seamlessly in the background.
Former U.S. Department of Defense Chief Information Security Officer Robert Lentz said that by preventing automation against website user interfaces, Shape's technology allows enterprises to block multiple attack categories, including account takeover, application DDoS and Man-in-the-Browser, with one product. "This is not only a powerful new tool for enterprises, but a potentially disruptive technology for multiple sectors of the cybersecurity industry," Lentz said.
Vigilance extends beyond compliance
Both Gamble and Rosenberg agree it is important for merchants not to confuse compliance with removing risk. "There are a lot of people who think, 'If I am PCI DSS-compliant, I have nothing to worry about," Rosenberg said. "That's not true in a large number of cases. Merchants are sometimes targeted because of who they are, or the data they possess, or something that they've done, but in many cases PCI controls are compromised in some way.
"So just understand that inherently compliance doesn't equal security and a risk-first mindset not only helps you address nonpayment card data, which the bad guys are targeting quite a bit, but allows you to cost effectively address compliance as you go through as well. It kind of gives you the big picture."
Art Coviello, the former Chairman and Chief Executive Officer of RSA Security Inc., now a security division of EMC Corp., told Information Security Media Group he believes platforms capable of making sense of risk environments and systems that can detect behavior-based anomalies will help close cybersecurity gaps that exist today. In the future, real-time profiling using neural networks, fuzzy logic and adaptive learning will be instrumental in detecting behavioral anomalies the instant they happen.
All of this comes as good news, because today's attackers are as sophisticated as the systems designed to fight them. According to Zaichkowsky, a small number of cybercrime rings dominate the world today. "Recently, there was a new group announced called FIN4, meaning financially motivated group number four," he said. "We're up to four groups now – they're that few – but they know exactly what they're doing and it's legitimate hacking."
The message to merchants in all of this is that it’s one thing to secure the transaction, but another to secure the network itself. With backdoors to computer networks left wide open, unwelcome cyber intruders invite themselves in, often repeatedly and evading detection until all the damage is done. When this occurs, many merchants find themselves with no alternative but to close shop permanently. Sadly, had they embraced adequate preventive measures, they might still be in business today.
SIDE NOTE:Data security best practice strategies
The Online Trust Alliance created a list of security and privacy best practices for business environments. Following is a list of the organization’s top 12 recommendations. For more information, visit https://otalliance.org/2015bestpractices.
The top 12 recommended security best practices:
- Enforce effective password management policies: This six-step approach includes multi-factor authentication and deploying log-in abuse detection systems.
- Execute least privilege user access: Using this strategy all accounts on computer networks run on as few privilege and access levels as possible.
- Harden devices: This strategy focuses on multilayered firewall protections, antivirus software updates, automatic patch management, among other procedures.
- Conduct regular penetration tests and vulnerability scans: Employing both procedures, businesses can quickly identify potential vulnerability points and attack vectors.
- Require authentication for inbound and outbound email: This five-step approach includes end-to-end email authentication and quarantine policy enforcement.
- Implement mobile device management: This strategy requires user authentication to unlock devices and allows for remote wiping of lost or stolen devices.
- Real-time business infrastructure monitoring: This step allows businesses to collect and analyze network traffic and logs in real-time.
- Deploy web application firewalls: To remain up-to-date, OTA advises regular review of the top 10 web app security risks identified by the Open Web Application Security Project.
- Allow only authorized wireless devices to connect with networks: For merchants, this step includes POS terminals as well as routers and printers.
- Deploy Always On Secure Socket Layer: AOSSL applies to all servers that require log-in authentication and data collection.
- Review server certificates for domain vulnerabilities: Organizationally Validated or Extended Validation SSL certificates are recommended over the riskier Domain Validated SSL certificates.
- Develop a data breach response plan: Not only should businesses develop a response plan, but the plan should be periodically reviewed, revised and tested with key personnel.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.