The View From A High-Value Data Breach Target

Published: 22/11/2024   Category: security




Financial services, retail, media, and healthcare industry representatives share their biggest threats and strategies for combating them.



2014 PRIVACY XCHANGE FORUM — Scottsdale, Ariz. — Representatives of some of the juiciest targets of cybercrime -- financial services, retail, media, and healthcare -- here today shared what they consider the biggest cyberthreats to their industries and how they are fighting back.
Michael Young, vice president and product team manager for financial services firm EverBank, says the biggest threat to his industry is less about direct cyberattacks on banks than about customer account takeover, identity theft, and payment card fraud. "Account takeover is the number one threat the financial services industry faces," Young said. "People get in and steal your user ID and password and transfer money out of your account."
Even with the recent news of the attack against JPMorgan Chase, he says, financial services firms are less likely to get hacked directly because they can at least control how they protect their systems and networks. "That seems to be where we have the most control. It's the other three [account theft, identity theft, and payment card theft] where we don't."
Young said JPMorgan's hack didn't result in the typical privacy breach of data. "There was no release of secure data reported," he said. "Account takeover and ID theft fraud is not by hacking into bank networks."
Financial services firms aren't storing their information in the cloud, of course, but in their own secured environments where they can control it. "They're not putting it in the cloud, which is the next big thing and the next big and scary thing from a financial perspective in security," he said.
Young noted that while banks under the FFIEC guidelines must provide multi-factor authentication for online banking, credit unions have only recently begun to do so. The problem with two-factor authentication is that some forms can be -- and have been -- bypassed by cybercriminals. "Some of the ways it's being implemented to help with that is by having something out-of-pocket, out-of-band authentication. Or tokens," he said.
Consumers have basically rebelled against tokens, though, he noted, while tokens have worked for business online banking.
A better bet for protecting payment data or other customer information is tokenization, where sensitive customer information, such as payment card numbers or Social Security numbers, is replaced by a surrogate token that is useless outside the system that issued it. Apple Pay is "one of the first implementations of tokenization," he said.
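What a tokenization vault of the kind described above looks like in code, as an added example that is not from the article or from EverBank. It is a hypothetical in-process vault: the card number (PAN) is replaced by a random token that keeps only the last four digits for display, the PAN exists only inside the vault, and only the payment-processing role may recover it. The class, role names and the keyed index are all assumptions made for the example; the same design applies to Social Security numbers or any other field downstream systems must reference but never need to read.

```python
"""Payment-card tokenization vault (added example, hypothetical design)."""
import hashlib
import hmac
import secrets

TOKEN_PREFIX = "tok_"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so malformed numbers are rejected before they are stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self, lookup_key: bytes):
        self._token_to_pan: dict = {}   # the only place the PAN exists
        self._pan_index: dict = {}      # HMAC(PAN) -> token, no plaintext index
        self._lookup_key = lookup_key

    def _index_key(self, pan: str) -> str:
        # Keyed hash: lets the vault return the same token for a repeat
        # customer without keeping a plaintext PAN lookup table.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index_key(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        # Random token with no mathematical relation to the PAN; the last
        # four digits stay in the clear so statements and call-center
        # screens can still identify the card.
        while True:
            token = f"{TOKEN_PREFIX}{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the role that actually submits the charge may see the PAN."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


if __name__ == "__main__":
    # Constructed sample: a common test card number, not a real account.
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    tok = vault.tokenize("4111 1111 1111 1111")
    print("merchant stores:", tok)
    print("processor recovers:", vault.detokenize(tok, "payment-processor"))
```

The point of the design is the blast radius: a breach of the merchant's databases yields tokens the attacker cannot charge or resolve, and the vault, which holds the PANs, sits in a separate, much smaller and more tightly controlled environment.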
Financial services call centers employ voice fingerprinting as one level of authentication, akin to caller ID. And online banking is increasingly using device fingerprinting, capturing the type of device and software as another form of authentication for consumers, he said.
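The layering Young describes, a password plus a device fingerprint plus out-of-band step-up when the device is unfamiliar, as an added example that is hypothetical and not any bank's code. The fingerprint fields, the OTP format, the attempt limit and the callback used to stand in for an SMS or voice channel are all assumptions made so the example runs offline.

```python
"""Device fingerprinting with out-of-band step-up (added, hypothetical example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Attributes the server can observe or the client reports on each request.
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "screen", "timezone")
MAX_OTP_ATTEMPTS = 3


def device_fingerprint(attrs: dict) -> str:
    """Stable hash over the collected attributes; absent fields hash as empty."""
    material = "|".join(str(attrs.get(f, "")) for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class Profile:
    password: str                       # constructed sample; store a hash in practice
    known_devices: Set[str] = field(default_factory=set)
    pending_otp: Optional[str] = None
    otp_attempts: int = 0


class LoginService:
    def __init__(self, send_otp: Callable[[str, str], None]):
        self.profiles: Dict[str, Profile] = {}
        self.send_otp = send_otp        # out-of-band channel (SMS, voice call, app push)

    def register(self, user: str, password: str, first_device: dict) -> None:
        self.profiles[user] = Profile(password, {device_fingerprint(first_device)})

    def login(self, user: str, password: str, device: dict) -> str:
        p = self.profiles.get(user)
        if p is None or not hmac.compare_digest(p.password.encode(), password.encode()):
            return "denied"
        if device_fingerprint(device) in p.known_devices:
            return "ok"                 # known device: password alone suffices
        # A correct password from an unfamiliar device is exactly what a
        # stolen credential looks like, so escalate instead of letting it in.
        p.pending_otp = f"{secrets.randbelow(10**6):06d}"
        p.otp_attempts = 0
        self.send_otp(user, p.pending_otp)
        return "step_up_required"

    def confirm_otp(self, user: str, otp: str, device: dict) -> str:
        p = self.profiles.get(user)
        if p is None or p.pending_otp is None:
            return "denied"
        if not hmac.compare_digest(p.pending_otp.encode(), otp.encode()):
            p.otp_attempts += 1
            if p.otp_attempts >= MAX_OTP_ATTEMPTS:
                p.pending_otp = None    # force a fresh login after repeated guesses
            return "denied"
        p.pending_otp = None
        p.known_devices.add(device_fingerprint(device))   # trust this device from now on
        return "ok"
```

The fingerprint is deliberately treated as a risk signal rather than a secret: an attacker who copies a victim's browser attributes can match it, which is why the unfamiliar-device path falls back to a channel the attacker does not control rather than to another knowledge factor.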
But there's no silver bullet in security for financial services. "It's a layered approach," Young said. "We have to make it safe to bank online but not too onerous or difficult for the end user. It's a fine line."
Retailers, meanwhile, suffer both apathy about breaches and a misunderstanding of them, says Arthur Tisi, chief information officer for Natural Markets Food Group. Retailers ask why they were hit. "It doesn't resonate with them that it's an opportunistic approach to breaching systems," he said.
"When you talk to the CEO of a retailer, [he says] 'we're not a bank, why are they coming after us? We're PCI-compliant,'" he said.
The retail industry is nearing the one-year anniversary of the start of what has been dubbed "The Year of the Retail Breach," with big-name big-box retailers such as Target, Home Depot, and Neiman Marcus, as well as food chains Dairy Queen and Jimmy John's and others, all hit with payment card hacks.
Tisi says a big challenge for retailers is internal coordination pre- and post-attack. Take the legal and communications groups: "Legal is concerned with liability. The communications group is concerned with brand equity," he said. "Typically, the general counsel is going to win. So rather than getting into the middle of managing relationships post-breach, we're finding it's important to coordinate the organizations [in advance] so we get a good balance."
Many retailers now have an incident response plan in place to react quickly after an incident, he said. "The lack of coordination and reaction at Target after its [data breach] event could have been resolved in a much more favorable way," he said.
Tisi said some retailers are running vulnerability assessment scans beyond PCI, as well as forensic scans of data and malware.
"How are we going to coordinate communications to our customers? How are we going to communicate with … the FBI or Secret Service? How quickly can we assess what actually is happening to us while it's happening and determine the impact of what's happening?" he said. "We don't want to run out the door with our hair on fire prematurely."
Most companies, and especially those in retail, don't coordinate that communications well, he said. "What are you going to say? When are you going to say it? Who do you retain to communicate?" Tisi said. "You should already be developing a relationship with your insurance carrier."
On the media side, the business model has changed with online interaction and social media, says Ali Waezzadah, vice president of information security for CBS. "We can target a specific ad to what they watch and how they watch it," he said.
Using big data to correlate viewers' viewing habits with how they interact online is the next big thing, and media firms have to protect that information.
"All breaches happen because you miss the fundamentals. It's never the fancy technology that was implemented, such as a SIEM or an IPS," he said.
At CBS, the privacy and security teams work closely together, he said. "Our privacy organization at CBS looks at us as their front line. We figure out a privacy issue before the privacy group finds a problem," he said.
For healthcare, the Health Insurance Portability and Accountability Act (HIPAA) is no privacy or security cure-all, said Dr. Deborah Peel, founder and chair of Patient Privacy Rights.
A patient's health information is accessible to too many users and databases, according to Peel, whose organization has helped map out just where that data travels after, for example, a patient visits a hospital.
"HIPAA doesn't protect data privacy or security," Peel said. Most hospitals have multiple contracts with licenses that allow other organizations to touch that data, including insurers, pharmacies, and others.
A typical hospital can have thousands of employees with access to patient information. While some have role-based policies over who can access what, many policies are still too broad, Peel said.
"The breaches are inevitable," she said.
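What "too broad" means in practice, as an added example that is hypothetical and not any hospital's access-control system: two role-based policies evaluated over the same constructed staff list. The broad one checks only the role, so every clinician can read every chart; the scoped one also requires membership in the patient's care team and records a break-glass override in an audit log instead of silently allowing it. Role names, record fields and the audit format are assumptions made for the example.

```python
"""Broad vs scoped access policy over patient records (added, hypothetical example)."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set, Tuple


@dataclass
class User:
    uid: str
    role: str


@dataclass
class PatientRecord:
    mrn: str                 # medical record number
    care_team: Set[str]      # uids of clinicians currently treating the patient


CLINICAL_ROLES = {"physician", "nurse"}
READ_ROLES = CLINICAL_ROLES | {"billing"}
AuditLog = List[Tuple[str, str, str]]   # (event, uid, mrn)


def broad_policy(user: User, record: PatientRecord, audit: AuditLog) -> bool:
    # Only the role is checked: every employee in these roles can read every chart.
    return user.role in READ_ROLES


def scoped_policy(user: User, record: PatientRecord, audit: AuditLog,
                  break_glass: bool = False) -> bool:
    if user.role not in READ_ROLES:
        return False
    if user.uid in record.care_team:
        return True
    # Emergency access is allowed for clinicians only, and never silently.
    if break_glass and user.role in CLINICAL_ROLES:
        audit.append(("BREAK_GLASS", user.uid, record.mrn))
        return True
    audit.append(("DENIED", user.uid, record.mrn))
    return False


def readers(policy: Callable, staff: Iterable[User], record: PatientRecord,
            audit: AuditLog) -> Set[str]:
    """Who can read this chart under a policy: the population size the article is about."""
    return {u.uid for u in staff if policy(u, record, audit)}


if __name__ == "__main__":
    # Constructed staff list and record, not real data.
    staff = [User(f"rn{i}", "nurse") for i in range(50)]
    staff += [User("dr1", "physician"), User("dr2", "physician"),
              User("b1", "billing"), User("it1", "sysadmin")]
    chart = PatientRecord("MRN-0001", care_team={"dr1", "rn3"})
    log: AuditLog = []
    print("broad policy readers :", len(readers(broad_policy, staff, chart, log)))
    print("scoped policy readers:", sorted(readers(scoped_policy, staff, chart, log)))
```

The scoped policy is still role-based; what shrinks the reader set from "everyone with a clinical role" to two people is the extra condition tied to the patient, and the break-glass path keeps emergency access possible while leaving a record that can be reviewed.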
