http://www.theglobeandmail.com/servlet/story/RTGAM.20080918.kirwan1909/BNStory/Technology/home By Mary Kirwan special to Globetechnology.com September 18, 2008 We are not winning the battle against computer hackers. In fact, they are running rings around us. But what are we doing to remedy the situation? Do we stand a fighting chance? Or is resistance futile against an army of computer geniuses spread around the world? The massive security breach at US retailer TJX was a case in point. Media focus has been on the fact that insecure wireless networks facilitated the attack by a motley crew of attackers, recently charged by US prosecutors, although many of them remain at large. But was the scenario avoidable? A top TJX executive, vice-chairman Donald G. Campbell, recently told the Boston Globe that the record-breaking breach cost TJX $202 million in security remediation costs, and in settling consumer lawsuits, and presumably to pay fines levied by the credit card companies for failing to comply with industry security standards. $202 million is a tidy sum in tough economic times. Not to mention the fact that banks and credit unions spent millions of dollars to reissue compromised cards, and in turn sued anyone who seemed like a deep pocket. Regulators and law enforcers entered the fray, and legislation mandating more robust security procedures - targeting retailers - was passed in Minnesota. US retailers fumed, and finger pointing was rife. Clearly, the repercussions of rogue keystrokes by individuals often little more than immature adolescents, are too severe to be ignored. We simply must take the fight to them, instead of serving ourselves up on a plate like sacrificial lambs. But we are still in denial. The general consensus is that security at TJX was pretty abysmal. However, according to TJX's Mr. Campbell, TJX "believes its security was comparable to most other major retailers and generally better than retailers who are not as large." He also expressed the view that the US should adopt chip and pin technology for bankcards, in place of current magnetic stripe systems that are less secure and easy to clone. He told reporters that the technology, common in Asia and Europe- and to be gradually phased in here in Canada- would have prevented the security breach at the massive US retailer. I remain doubtful that this is an accurate assessment of the situation, but this upgrade would cost a fortune to introduce in the United States, and no one is enthusiastic. The merchants will balk at the costs of new bankcard readers, and criminals will adapt. If they can't immediately break the underlying technology, they will work around it, and find numerous paths of least resistance. Unlike their targets, the bad guys think out of the box, and they like to keep it simple. We, on the other hand, have a problem with simple. We tend inexplicably to shy away from practical, inexpensive, common sense solutions. Unfortunately, a good part of the reason for the flight to complexity in managing security risks is that many companies simply do not know what they are doing. According to research from global payment security consultancy, Trustwave, point-of-sale (POS) software at retail outlets — and implicated in the TJX attack - is frequently insecure. In a test conducted with Visa last year, Trustwave identified vulnerabilities at 1,600 POS systems; these vulnerabilities were primarily caused by improperly configured firewalls, and other avoidable errors. However, they also found that sixty-three percent of the time, third parties, paid to know better, such as POS developers, integrators or local IT firms, used the same passwords for all clients running a particular piece of software. Hackers are fully aware of these sloppy practices, and exploit them to the hilt. But if the experts make such basic mistakes, it surely bodes poorly for the rest of the market. A recent report by US wireless operator, Verizon's Business Investigative Response team, The 2008 Data Breach Investigations Report, drew on data from over 500 forensic engagements handled over a four-year period (2004- 2007), representing more than 230 million compromised records. The report makes it clear that we are our own worst enemy when it comes to managing security risks. Nine out of 10 data breaches involved organizations lacking basic information about their information assets. Attacks involved systems, data, network connections or accessibility that companies were unaware of, or systems with unknown accounts or privileges. Verizon called these eventualities, the "unknown unknowns", and describe them as 'the Achilles heel in the data protection efforts of every organization—regardless of industry, size, location, or overall security posture'. You can't protect what you don't even know exists. But resistance isn't futile: In 87 percent of cases, Verizon investigators concluded that the breach could have been avoided if reasonable security controls had been in place at the time of the incident. And far from being the work of the truly gifted, eighty-three percent of breaches were caused by attacks not considered to be particularly difficult. Companies also had fair warning of attacks, but missed the signs. Verizon found that 'evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise'. Although large sums of money are spent on monitoring software, only 4 percent of incidents were detected by security technologies- not because they don't work, but because no one was looking. We simply have to do better. Or face the consequences. __________________________________________________ Register now for HITBSecConf2008 - Malaysia! With a new triple-track conference featuring 4 keynote speakers and over 35 international experts, this is the largest network security event in Asia and the Middle East! http://conference.hackinthebox.org/hitbsecconf2008kl/Received on Sun Sep 21 2008 - 23:05:26 PDT
This archive was generated by hypermail 2.2.0 : Sun Sep 21 2008 - 23:20:46 PDT