It’s a business owner’s worst nightmare: criminals stealing millions of customers’ cardholder data. Lately, this nightmare has been far too real. Malware attacks are dominating the headlines as hackers continue to go after businesses that accept payment cards for transactions. Why payment cards? They are lucrative. Intelligence gathered from real-world investigations puts the black-market value of a stolen credit card at between $15 and $50. So, how can businesses prevent these kinds of attacks? First, they must think like criminals: understand their methodology and define the “who, what, where, when and why” of the next attack. Then, they must plan and set up a comprehensive security program that consists of multiple layers of defense, detection, response and ongoing prevention.
Inside a hacker’s mind
Malware attacks are carried out predominantly by professional criminals. Most breaches follow a logical pattern of attack consisting of four common elements: infiltration, propagation, aggregation and exfiltration. First, attackers penetrate the target environment (infiltration); then they move from the initial point of entry to their target systems (propagation); next they identify and collect the target data (aggregation); and finally they move that data to a system under their control (exfiltration). They typically choose targets that give them the most bang for the buck, e.g., stealing millions of payment card records at once to sell shortly afterwards. That’s why point-of-sale (POS) devices, mobile and non-mobile, are high on a hacker’s list.
One of our Trustwave ethical hackers was recently hired to perform penetration tests on iOS mobile POS devices that retailers wanted to use for payment card transactions. Simulating a real-life criminal, he first jailbroke the device, gaining control of its operating system, and then identified that the software installed on the device did not encrypt payment card data the moment a card was swiped. He was then able to plant malware on the device and extract payment card numbers as cards were swiped. Within just twenty minutes, he had gained access to the payment card data of hundreds of customers. If he were a real-life criminal, he would sell that information on the black market and move on to his next target. Thankfully, he’s a white hat.
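The failure above comes down to one thing: card data sat in plaintext on the device long enough for malware to read it. The following is an added example, not code from the original post or from Trustwave; it shows the kind of scan that both POS malware (during the aggregation phase) and a defender checking for leaked card data would run over a memory dump or log buffer: find digit runs of card-number length, keep only those that pass the Luhn check, and mask the hits for safe reporting. The two buffers are constructed for the example, using published test card numbers rather than real accounts; the tokenized buffer shows what a correctly designed app would leave behind after encrypting or tokenizing at the swipe.

```python
import re

# Constructed sample of what a mobile POS app that does NOT encrypt at the read head
# might hold in memory right after a swipe: raw track 2 data plus a PAN in a log line.
# All card numbers are well-known published test numbers, not real accounts.
RAW_SWIPE_BUFFER = (
    b"SWIPE OK\n"
    b";4111111111111111=25121010000000000000?\n"   # Visa test PAN in track 2 layout
    b"ORDER 1234567890123456 TOTAL 19.99\n"        # 16 digits, fails Luhn: not a card
    b";5555555555554444=26061010000000000000?\n"   # Mastercard test PAN
    b"PAN 378282246310005 EXP 0427\n"              # Amex test PAN, 15 digits
    b"POS-SERIAL 001122334455667788\n"             # 18 digits, fails Luhn: not a card
)

# Constructed sample of the same transaction as a correctly designed app might keep it:
# only a masked PAN and an opaque token from the processor (token value is made up).
TOKENIZED_BUFFER = (
    b"SWIPE OK\n"
    b"PAN 411111******1111 TOKEN tok_9f3a7c1d2e\n"
)

# A PAN is 13 to 19 digits; the lookarounds stop us matching the middle of a longer run
# (such as the 20-digit discretionary data after '=' in track 2).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """Return Luhn-valid candidate PANs found in a buffer, in order of appearance, deduplicated."""
    found = []
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_valid(pan) and pan not in found:
            found.append(pan)
    return found


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_report(buf: bytes) -> list:
    """Masked PANs found in the buffer; an empty list means nothing harvestable was present."""
    return [mask_pan(p) for p in find_pans(buf)]


if __name__ == "__main__":
    print("raw swipe buffer:", scan_report(RAW_SWIPE_BUFFER))
    print("tokenized buffer:", scan_report(TOKENIZED_BUFFER))
```

Run against the raw buffer, the scan reports three masked PANs and correctly ignores the two non-card digit runs; run against the tokenized buffer it reports nothing, which is the state a POS application should be in at every point after the read head. The same scan is a useful acceptance test for a POS build: dump process memory after a test swipe and assert that `find_pans` returns an empty list.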
Like our ethical hacker, a real-life criminal first looks for security weaknesses he can exploit, and in today’s world, where new technologies and communication platforms such as social media, bring-your-own-device (BYOD), mobile applications and mobile POS devices are increasingly used for business purposes, weaknesses are plentiful.
Plug the holes
Any single weak link in a business’s network, applications, databases or devices can expose that business to an attack. That is why business leaders should build their security plans around these vital questions:
- What vulnerabilities exist that would give a criminal access to my private information? Since vulnerabilities are the point of intrusion for nearly any breach, businesses must identify and eliminate them on a regular basis so that they remain ahead of the criminals.
- Are my databases secured? Databases hold a treasure trove of business data, yet too often database security is overlooked. Businesses assume that if their networks and applications are secure, so are their databases. That assumption is false, and dangerous. Databases need regular scanning and protection of their own, separate from the network and application layers in front of them.
- Am I consistently testing my systems and applications to ensure any updates or changes are not creating vulnerabilities? Systems and applications are regularly updated and changed as part of typical business operations. However, change may bring new vulnerabilities, which is why frequent penetration testing is essential.
- Do I have any web applications that are exposed to the internet? Web applications are a high-value target for attackers because they are reachable from anywhere and sit directly in front of valuable data. While monitoring 200,000 websites, our researchers observed 16,000 attacks on web applications per day. That is why web application protection is essential.
- What do I do to defend against the most common attack vectors, such as the web and email? According to a recent survey of nearly 160 security professionals conducted by Osterman Research, the majority of respondents (58 percent) said their biggest security concern was malware being introduced by employees surfing the web. The second biggest concern was malware being introduced by employees using personal webmail (56 percent). Since business leaders cannot always rely on their employees to adhere to security best practices, they should implement controls aimed at end-user activity, such as web and email traffic, rather than at the employees’ judgment alone.
Even business leaders who have already answered the above questions and deployed various security controls may want to take a closer look at the skills and manpower they currently have in-house. Oftentimes, we speak with businesses that purchase security technologies only to find that they do not have the manpower or skillsets needed to install, integrate and manage them. In that case, they may want to seek help from outside and augment their staff by partnering with a third-party team of security experts whose sole responsibility is to protect the business’s valuable data. Malware isn’t going anywhere, so businesses should do whatever it takes to stay ahead of the attacks.