After some customers reportedly alerted First National Bank of Durango that their debit cards had fraudulent transactions on them, the $399 million company noted in a corporate statement that because of the breach at Heartland – the fifth largest card processor in the U.S. – debit cards that they issued may have been compromised.
“To protect our customers, we have temporarily blocked all point-of-sale purchases. Debit cards will still work at the ATM,” the company states on its website. It further clarifies the issue by adding, “It is important to note that there was not a security breach at First National Bank of Durango – our systems remain secure. The breach occurred at a third-party processor.”
And that breach, which was announced in January 2009, not only turned out to be one of the most colossal of cybertheft incidents, but evidently is proving to be one of the worst in terms of long-lasting consequences as its effects are still being felt by other financial services companies and their customers. After the announcement that hackers had bypassed network firewalls to penetrate the databases of several large companies, including Heartland, 7-Eleven and Hannaford Bros. Co., the personally identifiable information (PII) of more than 130 million credit and debit card holders was stolen. Albert Gonzales has been indicted and pleaded guilty to the crimes, but officials at First National Bank of Durango have reportedly surmised that his partners avoided use of their customers' card numbers under the intense media coverage glare that followed the Heartland breach. Hence, the reason their patrons are being hit only now.
If First National Bank of Durango's announcement is a harbinger of things to come, other financial institutions and their patrons even now might be victimized by fraudulent activity related to the Heartland breach, which already has cost that company tens of millions of dollars in legal costs, fines from Visa and MasterCard, damage to the brand's reputation and at least some clients' misgivings. But, it's not as if companies in the financial space don't have enough to deal with already when it comes to safeguarding critical corporate and customer data.
During an SC Magazine Financial Services Roundtable, which was sponsored by security and compliance vendor ArcSight and held late last year in New York, a number of leading information security professionals discussed the poor economy's effects on their overall risk management plans, how they are refining IT security tactics and strategies in light of tightening belts, and what might be in store for information security campaigns going forward. For them, data breaches like the one at Heartland account for only a fraction of the cybersecurity areas they fret about day after day.
“I don't feel that my job security is what it was two years ago, and I just had a friend of mine who was a CSO [in a] very similar position, working for a private company that undertook a re-organization, and he lost his job,” said featured speaker of the Financial Services Roundtable Mark Sokol.
Head of operational risk at a large financial services company and a member of the board of directors at the Financial Services Information Sharing and Analysis Center (FS-ISAC), Sokol noted his personal thoughts about job security to point out that the typical corporate worker in today's questionable economy poses a greater risk to organizations and, therefore, is a bigger worry for IT security professionals like him. High stress, frustration and uncertainty, as well as concerns about personal financial situations or other private issues, just might drive corporate end-users to engage in cybercrimes.
“Is somebody who works for a bank more enticed to sell identity data to make ends meet?,” he asked the group during the event, which was organized to enable high-level information security leaders from the financial market to exchange advice and insight about some of the challenges they're facing. Whether driven by malicious intent or because of simple oversight, theft or exposure of PII by insiders is a rising problem for companies and their information security pros, he contended.
Yet another result of the still tenuous economic state are threats to data resulting from increased merger and acquisition activity, added Warren Axelrod (left), formerly business information security and chief privacy officer with Bank of America's U.S. Trust division and currently one of the project managers of the Financial Services Technology Consortium's (FSTC) Software Assurance initiative. He said during the Roundtable that because of the tough economy, mergers/acquisitions and countless layoffs are causing massive changes in employees' responsibilities. As a result, IT security pros are being forced to monitor access rights more regularly, as well as establish and follow a more stringent process of review and approval for access privileges to be granted and revoked – a process that usually should involve technologies to help automate and audit the process.
Alphonse Edouard, vice president of IT for Dune Capital Management, agreed, noting that mergers often also highlight the need to adhere to numerous regulations – maybe even some that one may not have worried about before the unification of various companies.
Compliance, too, is a major concern for CISOs across all verticals, but for the financial services space in particular such mandates as the Red Flag Rules, requiring the development and implementation of identity theft prevention programs, the Payment Card Industry Data Security Standard, the Sarbanes-Oxley and Gramm-Leach-Bliley Acts, or even current and possibly more strict guidance from the Federal Financial Institutions Examination Council (FFIEC) regarding two-factor authentication for customers, are directives with which IT security pros must ensure their companies are in line.
The evolving threat landscape
Beyond regulations and insider threats, there still are other cybersecurity problems, too. Sokol, who shared some statistical data at the Roundtable, noted a huge rise in the occurrence of malware over the last two years, a leap in the monthly creation of malicious websites, a jump in zombies and botnets, an escalation in the use of subversion techniques by cybercriminals to launch more sophisticated attacks to steal PII, increases in breaches that exploited unpatched corporate websites and networks, and over 20 countries around the world arming themselves for cyberwarfare.
But it's not just these kinds of attacks happening more and more that is the sole worry for businesses. There are the wide-ranging consequences that they inflict. According to some studies, data breaches can cost companies $1 million or more. Plus, because of the still persisting financial downturn, cyberattacks like these launched by outsiders are likely to rise and, worse, become even more successful as enterprises consider further cuts to security budgets and IT staff, said Sokol. Then there's the worry of organized, sophisticated state-sponsored attacks against critical infrastructure companies – think Operation Aurora, the recent campaign on Google and 30 other major corporations alleged to have originated in China.Yet, by waiting for alerts from intrusion detection/prevention systems, many companies still only react to attacks after they occur – much too late to stop resulting data theft.
“I don't want to go to my CEO's office and say, ‘I got great news. Our intrusion detection system detected this breach and we lost a million records.' We have a problem,” Sokol said at the event.
Much of that problem has to do with the fact that “the bad guys” are still compromising organizations through known means, such as application vulnerabilities or simple misconfigurations, he added. And this is in spite of the fact that many studies of software development costs have proven the financial benefits of fixing bugs earlier rather than after release, said Reed Henry, senior vice president of of marketing and business development at Arcsight. Those leading the fray “are bringing security into the discussion much earlier than they used to – not only because they are aware of compliance requirements and know it will cost less to implement earlier in their cycle, but also because they realize they gain far more useful results from security that is given priority earlier,” Henry explained.
Another problem that some information security pros still are missing is the opportunity to work with other business units to achieve goals of both understanding and supporting their corporation's overall business aims. Getting the right stakeholders around the table to discuss both business initiatives and the security needed to make them fruitful is a critical step.
“Computing is making its way into every department and onto every desk, so more and more perspectives are already involved in technology decisions,” said Henry. “Security has been far less likely to be successful when dictated from an IT department.”
Engaging with key business units and aligning IT security plans with corporate projects from the start will help give data protection needs and associated expeditures priority, then.
“Are there basic things we could do to improve security in the organization? What do we do about it and is it a technical problem or is it a business problem? How do we manage security through recession?,” asked Sokol during the Roundtable. “Go back to basics. It's not about us spending money on technologies and I've been commonly quoted as saying, ‘Don't jump to solutions. As risk management executives, because that is what our jobs are, we have to ask ourselves what are we doing to help our companies be profitable and generate the revenue and the lines of the business goals that we're trying to achieve? And it's not always about the latest and greatest of security technologies. We need to do our own performance reviews. Should we be asking, ‘Were there any major cyberattacks?' Or, ‘What did I do to help the business be more successful this year?'”
Not just a cost center
Detecting an intrusion too late is unacceptable to most financial organizations – there's too much too lose. For Dune's Edouard, security is about what you do before an incident occurs because, he said at the event, a cyber event will occur. In reaching this understanding then, all that is left for information security leaders to do is decide their companies' security needs and make the right tactical and strategic calls to fulfill them.
“Our priorities flow with the dynamics of the business,” said Edouard. “If I was a utility company, the dynamics don't change. If I sell electricity, the dynamics don't change. But in the financial space or health care, the dynamics are like a sine wave. They're up and down.”
The right IT security managers understand that constant shift, he added, so their priorities will change with the needs of their companies. This is when security done right is comparable to the scaffolding used during construction – it has to be in the right place at the right time and remain there for however long it's needed.
“Let's face it: Anyone who thinks that they'll never get breached is in a dream world. There will always be a breach,” he added. “It's just a question of how do you manage a breach before and after, what are some countermeasures you're going to put in, and what are the dynamics of your business because security has to be matched up with what is generating capital.”
Moreover, any security outlay that is lined up with business goals likely will not be viewed as just a cost center. And that's a good thing considering the still tough economy.
“Security in the past often was characterized as a roadblock, or a hurdle to overcome,” said Henry. “And this was not too far from the truth. This has changed as security technology has really improved. Integration of system logs from multiple sources to ensure that an audit trail exists for all access to protected data used to be a huge challenge, but now it's a no-brainer. The story also has changed because security is seen as an essential way to improve the business – metrics such as system availability speak for themselves.”
Out of the almost 400 information security pros who responded to SC Magazine's Data Breach Survey late last year, the results of which were published in January's edition, some 20 percent were from the financial sector. While about 95 percent of those respondents believed they were taking the right steps to protect against a data breach or exposure – acknowledging that regulatory compliance, impact to the brand, possible profit loss and customer demand were all factors driving these initiatives – approximately 51 percent expected their budgets to increase over this year, another 46 percent predicted that they would remain flat and about four percent anticipated a decrease. Meantime, 18 percent already had experienced a major breach and another eight percent didn't even know if their companies had had one or not.
For Edouard, that's where simplifying the infrastructure and then implementing both the most logical and best security solutions, as well as applying the right security strategies with the help of business colleagues, comes into play.
“Simplicity is the highest form of sophistication. The more simple you make your environment, the more sophisticated your environment gets, and that's where your cost-savings come in,” said Edouard. “You're getting pressure from the business to go out into the cloud and to outsource. In my work, I have to simplify [the business infrastructure], but I have to secure it and I have to manage the risks around it. As long as people have to access data, you'll always have the risk.”