By Rick Ricker
VP, Enterprise Payment Solutions
3Delta Systems, Inc.
The first in a 2-part series
Online security, fraud detection and prevention are getting more difficult by the day in the business world.
A recent FireEye Advanced Threat Report examined data from 89 million malware incidents and found that organizations experienced a “malware event” an average of once every three minutes. These events ranged from malicious email file attachments to an infected machine making callbacks to a command-and-control server so as to evade traditional corporate defenses, including next-generation firewalls and security gateways.
Cyber criminals are clever, patient, organized and global. They’re masters of social engineering, skilled in targeting the most vulnerable businesses, governments and individuals with the highest potential for gain. They focus on their targets with methodical precision, studying victims’ digital personas on Facebook, Twitter, LinkedIn and other social media channels, piecing together bits of information to help them more easily penetrate systems and lure unsuspecting targets into clicking on links in seemingly genuine emails, unleashing malware that compromises computers or allows keystroke logger robots to collect user login IDs, account data and other personally identifiable information.
Malware that embeds itself in a browser application can then divert, modify or manipulate data that a user submits on an online log-in page. This type of attack – known as a “man-in-the-browser” or “man-in-the-middle” attack – scans a computer for information that can then be used by cyber crooks as secondary authentication for logging into a user’s bank account.
Online criminals are also persistent, probing a system until they penetrate its perimeter, then continue attacking its vulnerabilities in hopes of hitting the right target. Once inside a system, many attackers become entrenched. They lie low, undetected for months or even years, using advanced malware and bots designed to fly under the radar of security software, all the while surreptitiously stealing funds and/or data. Often, they and their accomplices are well-funded by crime groups from rogue nations where security and enforcement are lax and financial fraud is difficult to prosecute.
The Holy Grail for cyber attackers is a “zero-day exploit.” Malicious programmers create a worm or virus that exploits unknown or undocumented vulnerabilities in browsers, software applications or operating systems, then often use email phishing to trick computer users into visiting a web site where the Trojan resides. Once triggered by clicking on a link, the worm can quickly infect the user’s PC and spread to other computers.
Most companies can’t field full-time security defense teams with the same intensity and focus as cyber thieves. So, the odds of a successful intrusion are in the perpetrator's favor.
Why CIOs & CISOs Can’t Sleep at Night
According to a recent poll by ThreatTrack Security, enterprises are facing an unprecedented surge of highly targeted and sophisticated threats that are designed to evade traditional malware detection technologies. As a result, there’s broad concern among C-suite executives about the vulnerability of their networks against cyber attacks and their ability to withstand those attacks.
In the survey, a whopping 97% of enterprise executives with annual security budgets over $1 million admitted they were concerned about their vulnerability to malware attacks and cyber-espionage tactics. More than two-thirds (69%) of those surveyed also said their biggest fear was that their companies would not be able to stop cyber threats. One in five (21%) said their number one concern was not knowing whether an attack was even underway.
Despite these fears, however, the study also found that most executives had not yet adopted cyber defense best practices, technologies or trained staff to protect their systems and confidential data against attacks. Similar findings are borne out by Verizon’s 2013 Data Breach Investigations Report. In that study, 69% of breaches were discovered by external parties and 66% took months or years to discover.
The Verizon report also noted that cyber criminals rely most often on social engineering and phishing attacks to gain a foothold into corporate networks so that they can steal valuable account credentials.
According to the Ponemon Institute’s “The 2013 Cost of Data Breach: Global Analysis,” the United States is the costliest country to suffer a data breach, with the total cost per data breach incident registering at $5.4 million.
What’s a CIO or CISO To Do?
For starters, chief information officers and their security counterparts should recognize that, even though no system on earth is 100% hack-proof, every business can and should manage the risk of a possible breach by putting data protection best practices in place and planning for ‘graceful failure’. This approach, which minimizes economic or corporate harm, assumes that at least one element of your network’s security defenses will fail at some point and let perpetrators in, and relies on multiple independent countermeasures to detect and respond to the attack when that single safeguard fails. A deep, multi-layered security approach like this remains the best breach defense for protecting confidential data, whether you’re a large enterprise or a small business.
An alert mind is also one of the best defenses against fraud, and stopping cyber crime begins and ends with individual computers and their users. Train all employees, not just IT administrators, to keep an eye out for unusual behavior – unexpected account usage, for example – and to sound an alert in case of anomalies. Warn employees against clicking on pop-up windows or suspicious links in emails – even from people or businesses that appear legitimate – which can be tricks to install spyware and steal confidential information.
Ensure all employees, contract personnel and business partners know your company’s fraud policies, practices and fraud-response processes. Given the growing role of organized crime in perpetrating credit card fraud and theft, make sure anyone with access to important intellectual property and trade secrets is trained on the latest cyber criminal breach tactics, such as phishing, man-in-the-browser attacks and other social engineering schemes. Merchants who accept credit or purchase cards should also set up their payment systems so that access is limited to key staff on a need-to-know basis.
For enterprises engaged in e-commerce, the best defense is to eliminate storage of credit card data or personally identifiable information on company networks altogether using tokenization, a technology that 3Delta Systems pioneered a decade ago.
3Delta Systems’ CardVault® tokenization service lets businesses easily accept and process customer card payments while eliminating the risk of storing their card information on internal systems, thereby protecting data from hackers, promoting faster and easier PCI compliance and cutting costs.
CardVault safeguards confidential credit card information by first securely tokenizing that data, then eliminating it completely from a company’s internal systems, much like emptying a warehouse so that a thief has nothing to steal. The process involves replacing credit card purchase data with randomly generated reference keys that safely convert real 16-digit card numbers into a string of characters that become useless to a cyber criminal.
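To make the substitution concrete, here is an added example of a minimal token vault in Python; it is illustrative code written for this article, not 3Delta’s CardVault implementation. It validates the card number with the Luhn check, issues a random token that keeps only the last four digits, and holds the real number exclusively inside the vault so the systems around it store nothing worth stealing.

```python
import secrets
import string

# Constructed sample card numbers for the example (industry test PANs that pass
# the Luhn check; they are not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it ever reaches the vault."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to real card numbers.

    The PAN lives only inside this object; every other system keeps the token,
    which carries no information about the card except the last four digits.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._pan_to_token:      # same card, same token (for reporting)
            return self._pan_to_token[pan]
        alphabet = string.ascii_uppercase + string.digits
        while True:
            # Random body from a CSPRNG; the last four digits are kept for receipts.
            body = "".join(secrets.choice(alphabet) for _ in range(12))
            token = f"tok_{body}{pan[-4:]}"
            if token not in self._token_to_pan:   # guard against collisions
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (behind its own access controls) can reverse a token."""
        return self._token_to_pan[token]    # KeyError for an unknown token
```

Because the token body is random rather than derived from the card number, a stolen token database cannot be reversed without also compromising the vault itself.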
Today, CardVault tokenizes the data on millions of credit cards at more than 4,100 merchant locations throughout the United States and has become a formidable tool in a CISO’s defense arsenal. With CardVault in place, information security officers can sleep better at night, knowing that their customers’ payment and transaction data is safe and secure.
At 3Delta Systems, we’re continually investing in fraud-fighting solutions that deliver the ultimate in payments peace of mind and educating our customers about the latest fraud threats and countermeasures.
We invite you to download a free white paper about CardVault entitled, Stopping Data Cyberthieves In Their Tracks.
You may find this free checklist of the Top 10 Best Practices for Fighting Credit Card Theft and Fraud handy, too.
Read Part II: Cyber Attacks: Shoring Up Your Enterprise Defenses