[ISN] Fighting the good fight

From: InfoSec News <alerts_at_private>
Date: Mon, 22 Sep 2008 01:05:26 -0500 (CDT)
http://www.theglobeandmail.com/servlet/story/RTGAM.20080918.kirwan1909/BNStory/Technology/home

By Mary Kirwan
special to Globetechnology.com
September 18, 2008

We are not winning the battle against computer hackers. In fact, they 
are running rings around us.

But what are we doing to remedy the situation? Do we stand a fighting 
chance? Or is resistance futile against an army of computer geniuses 
spread around the world?

The massive security breach at US retailer TJX was a case in point. 
Media focus has been on the fact that insecure wireless networks 
facilitated the attack by a motley crew of attackers, recently charged 
by US prosecutors, although many of them remain at large.

But was the scenario avoidable?

A top TJX executive, vice-chairman Donald G. Campbell, recently told the 
Boston Globe that the record-breaking breach cost TJX $202 million in 
security remediation costs, and in settling consumer lawsuits, and 
presumably to pay fines levied by the credit card companies for failing 
to comply with industry security standards.

$202 million is a tidy sum in tough economic times.

Not to mention the fact that banks and credit unions spent millions of 
dollars to reissue compromised cards, and in turn sued anyone who seemed 
like a deep pocket. Regulators and law enforcers entered the fray, and 
legislation mandating more robust security procedures - targeting 
retailers - was passed in Minnesota. US retailers fumed, and finger 
pointing was rife.

Clearly, the repercussions of rogue keystrokes by individuals who are often 
little more than immature adolescents are too severe to be ignored. We 
simply must take the fight to them, instead of serving ourselves up on a 
plate like sacrificial lambs.

But we are still in denial.

The general consensus is that security at TJX was pretty abysmal. 
However, according to TJX's Mr. Campbell, TJX "believes its security was 
comparable to most other major retailers and generally better than 
retailers who are not as large."

He also expressed the view that the US should adopt chip and PIN 
technology for bankcards, in place of current magnetic stripe systems 
that are less secure and easy to clone. He told reporters that the 
technology, common in Asia and Europe, and to be gradually phased in 
here in Canada, would have prevented the security breach at the massive 
US retailer.

I remain doubtful that this is an accurate assessment of the situation, 
but this upgrade would cost a fortune to introduce in the United States, 
and no one is enthusiastic. The merchants will balk at the costs of new 
bankcard readers, and criminals will adapt. If they can't immediately 
break the underlying technology, they will work around it, and find 
numerous paths of least resistance.

Unlike their targets, the bad guys think out of the box, and they like 
to keep it simple.

We, on the other hand, have a problem with simple. We tend inexplicably 
to shy away from practical, inexpensive, common sense solutions.

Unfortunately, a good part of the reason for the flight to complexity in 
managing security risks is that many companies simply do not know what 
they are doing.

According to research from the global payment security consultancy 
Trustwave, point-of-sale (POS) software at retail outlets, which was 
implicated in the TJX attack, is frequently insecure. In a test 
conducted with Visa last year, Trustwave identified vulnerabilities at 
1,600 POS systems; these vulnerabilities were primarily caused by 
improperly configured firewalls and other avoidable errors.

However, they also found that sixty-three percent of the time, third 
parties, paid to know better, such as POS developers, integrators or 
local IT firms, used the same passwords for all clients running a 
particular piece of software. Hackers are fully aware of these sloppy 
practices, and exploit them to the hilt.

But if the experts make such basic mistakes, it surely bodes poorly for 
the rest of the market.

A recent report by US wireless operator Verizon's Business 
Investigative Response team, the 2008 Data Breach Investigations Report, 
drew on data from over 500 forensic engagements handled over a four-year 
period (2004-2007), representing more than 230 million compromised 
records.

The report makes it clear that we are our own worst enemy when it comes 
to managing security risks.

Nine out of 10 data breaches involved organizations lacking basic 
information about their information assets. Attacks involved systems, 
data, network connections or accessibility that companies were unaware 
of, or systems with unknown accounts or privileges.

Verizon called these eventualities the "unknown unknowns", and described 
them as 'the Achilles heel in the data protection efforts of every 
organization—regardless of industry, size, location, or overall security 
posture'.

You can't protect what you don't even know exists.

But resistance isn't futile: in 87 percent of cases, Verizon 
investigators concluded that the breach could have been avoided if 
reasonable security controls had been in place at the time of the 
incident. And far from being the work of the truly gifted, 83 
percent of breaches were caused by attacks not considered to be 
particularly difficult.

Companies also had fair warning of attacks, but missed the signs. 
Verizon found that 'evidence of events leading up to 82 percent of data 
breaches was available to the organization prior to actual compromise'.

Although large sums of money are spent on monitoring software, only 4 
percent of incidents were detected by security technologies, not because 
they don't work, but because no one was looking.

We simply have to do better. Or face the consequences.
