Most Wanted: ‘Next Generation Thinking’ to Combat Cyber Crime

High-profile data breaches affecting retailers including Target, Neiman Marcus and Michaels have put information security into the mainstream, affecting sales and prompting Congressional hearings. As these breaches show, it is becoming increasingly difficult for businesses and technology companies to stay ahead of cyber-criminals.

The financial fallout and erosion of consumer trust continue to reverberate from Target’s disclosures in December and January that the personal and/or credit information of as many as 110 million customers was compromised after hackers reportedly installed malware onto the retailer’s point-of-sale machines through one of its suppliers.

On a conference call following the company’s fourth quarter earnings report February 26, Target CEO Gregg Steinhafel said the retailer is still analyzing what went wrong and is increasing the company’s investment in security. “This incident and recent security breaches at other companies have shaken [consumers’] confidence in both Target and the U.S. payment system more broadly,” he said. So far, Target has had $61 million in expenses related to its data breach with $44 million covered by insurance.

Meanwhile, the threat from hackers continues to cause ripples in the retail industry. Last week, Sears announced that it was investigating a possible breach, though the department store chain said so far it had found no evidence of an attack. “Certainly, information security has been in the press more in the last year than the entire decade before, and that’s raising awareness,” says Andrea Matwyshyn, a legal studies and business ethics professor at Wharton. “Consumers are still at the point where they don’t know how to protect themselves.”

Indeed, the Target incidents weren’t that surprising given that Verizon, for example, tallied and analyzed 47,000 security incidents and 670 confirmed data breaches impacting a number of businesses and industries in its 2013 data breach investigations report. The ongoing study has logged more than 2,500 data breaches and 1.1 billion compromised records over nine years.

The 2013 report, which looks at incidents from 2012, is put together with the cooperation of partners across various industries and nations to conduct forensic analysis on security issues. The incidents covered in the report spanned 27 countries and multiple industries, with 37% impacting financial institutions, 24% at retail establishments, 20% at manufacturing, transportation and utility companies, and 20% at information and professional services firms. According to the report, 92% of the attacks were perpetrated by outsiders to the entities being targeted.

But the Target breach — which caused the company’s sales to soften “meaningfully” after it was made public, Steinhafel said in a statement — put security concerns front and center for many, and illustrates how organized crime networks have used technology to create armies of attack programs and launched marketplaces where stolen data is bought and sold. “Ultimately, companies will have to get their acts together because there can be real brand damage,” says Wharton marketing professor David Bell.

Unfortunately, firms may not know how to protect themselves, notes Matwyshyn. “There will have to be new security approaches from the technical and legal side. Security is better than we’ve had in the past, but not good enough to address what we’ll face in the future.”

One obvious way to improve security would be for banks and credit card issuers to adopt the so-called chip and PIN technology used in much of the European Union. The technology would replace the credit card’s traditional magnetic stripe, which retailers use along with the customer’s signature for verification, with a chip-embedded smart card that requires consumers to enter a PIN (personal identification number) to complete a transaction.

Among those advocating that a version of these smart card chips known as EMV (after the technology’s original developers, Europay, Mastercard and Visa) become the norm in the U.S. is Visa CEO Charlie Scharf, who said in a statement released in January that the breaches “remind us of the need for all of us to continue to work together to secure payments from criminals.” Mastercard has also urged customers to accelerate adoption of EMV. Credit card issuers and merchants have long resisted the technology due to the cost of manufacturing the cards and purchasing new point-of-sale machines.

But the breaches at Target and elsewhere may be changing that. The National Retail Federation (NRF), which represents the retail industry, said it wants mandatory use of chip and PIN technology and is pushing for federal legislation that will make it easier to share information about data crimes. According to the NRF, “the biggest reason card information can be stolen is that the U.S. credit card industry and issuing banks still use 1960s technology while criminals have moved into the 21st century.”

Wharton legal studies and business ethics professor Kevin Werbach calls the switch to chip and PIN “a no-brainer to cut down on fraud. It’s not a panacea, but it will certainly help with one significant security vulnerability.” Ultimately, however, Wharton experts say it will take more than just that one technology to better secure businesses in the U.S. A change in the nation’s legal framework and a shift in consumer attitudes are also needed.

The Cyber Arms Race

A fundamental issue for companies is that cybercrime has surged with new technologies, such as automation tools that allow hackers to step up attacks.

In a presentation February 26 at the RSA Conference in San Francisco, a team of security experts outlined the most dangerous attacks and threats of the future. Among the key themes: mobile applications are allowing criminals to use wireless devices to poach credit card data, and malware is being added to point-of-sale terminals at stores so data can be collected before it’s encrypted. Looking ahead, the security experts expect that social network information will be mined and combined with other records to procure personally identifiable information that can be sold or used to conduct cybercrime.

“Companies will have to run quickly just to keep up,” says Matwyshyn. “New technologies are sometimes the answer, but companies may have to innovate their way out of this tough situation. How do you mitigate risk?”

Among the firms attempting to do that is Shape Security, which on February 25 announced that it had raised $40 million in a third round of venture capital. The company recently launched products based on polymorphic code, or code that changes each time it runs while still performing the same function. Today, many attacks launched on websites take advantage of the “view source” feature in web browsers that allows anyone to see the underlying code used to display the page. According to Shape, polymorphic code could combat attacks better because it rewrites itself every time a page loads. As a result, the code is harder for attackers to exploit.

The overall aim is to disrupt the economics of cybercrime by making attackers work harder. Today, it’s relatively easy for cyber-criminals to create “bots,” automated programs that are surreptitiously planted, lie in wait and then can be triggered remotely to attack when conditions are optimal.
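To make the idea of markup that changes on every load concrete, here is an added example (not from the original article and not Shape Security's code): a server that gives a login form fresh field names on each response and maps them back on submission. The form, the key handling and every function name are assumptions chosen for illustration; it shows one simple instance of the approach, so a script that hard-codes names seen in an earlier page source is rejected.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: a per-deployment secret held only by the server.
SERVER_KEY = secrets.token_bytes(32)
ISSUED_NONCES = set()  # nonces of pages served but not yet submitted

# Constructed sample markup; these are the names a scripted client would hard-code.
LOGIN_FORM = ('<form method="post" action="/login">'
              '<input name="username"><input name="password" type="password">'
              '</form>')
FIELDS = ("username", "password")


def alias(nonce, field):
    """Derive an unpredictable per-page name for a real field."""
    mac = hmac.new(SERVER_KEY, f"{nonce}:{field}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:16]


def render_polymorphic(html, fields=FIELDS):
    """Serve the same form with fresh field names and a single-use nonce."""
    nonce = secrets.token_hex(8)
    ISSUED_NONCES.add(nonce)
    for field in fields:
        html = html.replace(f'name="{field}"', f'name="{alias(nonce, field)}"')
    hidden = f'<input type="hidden" name="_n" value="{nonce}">'
    return html.replace("</form>", hidden + "</form>")


def decode_submission(posted, fields=FIELDS):
    """Map aliased names back to real ones; None means reject the request."""
    nonce = posted.get("_n", "")
    if nonce not in ISSUED_NONCES:
        return None              # never issued, or already used (replay)
    ISSUED_NONCES.discard(nonce)
    wanted = {alias(nonce, f): f for f in fields}
    decoded = {}
    for name, value in posted.items():
        if name == "_n":
            continue
        if name not in wanted:
            return None          # hard-coded or stale field name
        decoded[wanted[name]] = value
    return decoded if len(decoded) == len(fields) else None


def browser_post(html, typed_values):
    """What a real browser sends: names are read from the markup it was served."""
    names = [n for n in re.findall(r'name="([^"]+)"', html) if n != "_n"]
    nonce = re.search(r'name="_n" value="([0-9a-f]+)"', html).group(1)
    return {**dict(zip(names, typed_values)), "_n": nonce}


if __name__ == "__main__":
    page = render_polymorphic(LOGIN_FORM)
    post = browser_post(page, ["alice", "correct horse"])
    print(decode_submission(post))                                 # genuine submission
    print(decode_submission(post))                                 # replayed submission
    print(decode_submission({"username": "a", "password": "b"}))   # scripted client
```

A client that re-parses every page can still follow the changing names, so this raises the cost of automation rather than removing it, which matches the economic aim described above.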

Meanwhile, other security companies are also offering new approaches. For instance, FireEye has developed what it calls a Continuous Threat Protection model that identifies threats in real time rather than updating its protection software only after a new form of malware is identified. Another company, Seculert, aims to detect and intercept so-called botnets automatically using traffic analysis and analytics.

According to Matwyshyn, there will have to be more experimentation like this from the technology companies charged with defending consumers. “With security, there needs to be next-generation thinking,” she notes. Werbach agrees, pointing out that “cyber-security is an arms race, and the good guys are at a fundamental disadvantage. There is simply no way to plug every vulnerability, because it only takes one person or company being lax about security to enable a successful attack. We need to deploy better technology, but what we really need to do is build more resilience and better incentives into the system.”

Steinhafel’s plan is to make Target a high-profile security reclamation project. “We are accelerating the adoption of advanced chip-enabled technology, investing more than $100 million to equip our stores and to issue Target branded smart chip credit and debit cards,” Steinhafel said during Target’s fourth quarter earnings conference call. “We have long supported this more secure technology, but broad adoption in the U.S. market has been elusive. We believe that recent events will help the industry to reach a tipping point toward accelerated adoption in the U.S., and we are investing to ensure that Target is a clear leader in driving this change.”

Changing Incentives

Werbach says that there needs to be more transparency regarding which companies are using best practices and which fall short. In addition, because consumers aren’t liable for credit card fraud, they are less likely to push for stronger systems at companies that have delayed security investments.

Wharton marketing professor Robert Meyer said Target and other retailers will have to wait and see how consumers change their behavior in the wake of the cyber-attacks. “People faced with risky situations tend to fixate on individual episodes,” Meyer points out. “For instance, [The Target breach] is a small event relative to the overall security landscape, but there is the potential to harm the brand if the company is associated with the attack.”

Target cut its sales projections due to the data breach, but the company’s leadership indicated during its fourth quarter earnings conference call that customer engagement was bouncing back.

“My guess is that the Target incident will fade relatively quickly,” says Meyer. “It’s more important how companies handle the event and restore trust. If the last thing people remember is that Target customers had accounts hacked — even if they don’t fully understand what that means — they won’t shop at Target or [use] their credit cards [there].” As part of its mea culpa after announcing the data breach in December, Target offered a 10% discount for all customers making an in-store purchase the weekend before Christmas. It also offered customers a free year of credit monitoring. “Anything done to make people feel more secure has a positive impact,” Meyer notes.

He adds that it’s unlikely that most consumers will give up their credit cards to protect themselves from hackers. “Perhaps consumers could and should cut back spending and shift to transactions with cash, but they are not in the position to do it,” says Meyer. “The average household is in debt, so that cash ship has sailed.”

For security to improve, Matwyshyn says that the incentive structure that exists among U.S. retailers, banks and credit card companies needs to change. One reason the chip and PIN technology worked in Europe is that the relationship between banks and regulators is fundamentally different than the situation in the U.S. Regulators in Europe have more clout and a less adversarial relationship with bankers, and were able to position security technology as a way to improve customer service and lower costs, says Matwyshyn.

In the United States, however, regulators generally don’t have the ability to easily foist mandates regarding new technologies and architectures onto companies. The argument against chip and PIN technology is focused on the cost of implementation and the massive administrative task of issuing new cards. “[European] banks saw promise, but EU regulators gave a nudge. Regulators don’t nudge here,” Matwyshyn states.

In addition, the determination of liability after a breach needs to be considered, she notes. If a company is proactive with security and can prove that it is using state-of-the-art technology, the firm should have an easier time with regulators and a stronger defense against any lawsuits that emerge. “The compromised entity has to convince the court and regulators that it acted reasonably,” Matwyshyn says, adding that the opposite side of that equation would be stiffer punishment for a company that scrimped on security and chose to allocate resources elsewhere.

“There are a lot of areas of infrastructure where we broadly lag in the U.S. How far behind we are in security varies by company, but most places are more lax than we would hope,” adds Bell. “However far behind we think we are compared to cyber-criminals, we’re probably even farther behind.”


"Most Wanted: ‘Next Generation Thinking’ to Combat Cyber Crime." Knowledge@Wharton. The Wharton School, University of Pennsylvania, [05 March, 2014]. Web. [26 July, 2014] <http://knowledge.wharton.upenn.edu/article/next-generation-thinking-needed-combat-cyber-crime/>


Join The Discussion

One Comment So Far

Arjen de Landgraaf

Part of the current problem is that security and risk management people only have any corporate visibility once the proverbial brown stuff hits the fan. That’s their only chance to become heroes in the eyes of management. Recognizing, Locating and Fixing the damage done after a breach or compromise.

Think of departments such as CERTs, or CSIRTs – Emergency RESPONSE, Incident RESPONSE… With full focus on waiting for something to happen and responding to direct threats, re-active as opposed to pro-active. SIEMs let you know that something happened, all now-warning, not fore-warning.

When Security staff is being recognized and rewarded on NOT having any incidents, a bit like the story on the Chinese health physicians, who get paid as long as their client (patient) remains healthy… then they could finally fully re-focus on becoming more pro-active.

What it requires to be pro-active is knowing what you otherwise would not know.

What I mean with that is the following: Imagine you’re asleep at night and an escaped murderer, a psychotic killer, is at your backdoor. Because you are sound asleep, you have no clue your belongings and even the lives of you and your loved ones may be at stake, once the person at your backdoor decides to try to get in. Because you don’t know the threat, you have not taken extra precautions to lock and bolt the door, because nothing happens anyway, it’s a safe neighborhood. For you, there is no threat at all. You don’t know what you don’t know.

If you would receive a warning up-front that a person could be a possible threat, and he is around your neighborhood, you would know, and take pro-active action. Such as making sure your house is secure and all doors and windows are locked and bolted down.

The same with Business and Technology Risks. If you are warned in time of a possible weak spot you can secure it, or decide to run the risk. But at least you know.

Now, business risks can be compared to a balloon. It’s your job as a Risk Manager to defend your balloon against any threats such as (hacker) pins. They can come from anywhere, and hit the balloon at any point, at any time. So, your defense must be based on protecting that balloon 360×360, 24×7, 365 days each year. You need to protect the full surface, while a hacker only needs one pin, hit one weak point ANYWHERE and the whole balloon collapses, taking the whole business to a grinding halt.

And here comes the second problem. Most Security and Risk people do NOT know the new threats. They know of some, as most technical people they devised their own system of sources, RSS feeds, email lists, chats with colleagues, etc. etc. and feel they are well informed. That they only know some; that they don’t know what they don’t know means any other pending threats and risks simply don’t exist in their own minds. Happily asleep at night, until suddenly they are rudely awoken.

Waking up when it’s already way too late. When they should have known and have taken measures before. Instead, they suddenly become center of the panic attention, working day and night to find out what happened, trying to retrace the paths taken by the cybercriminals, trying to re-assure integrity of the data and systems (perhaps a backdoor is built in), while management scrambles to try to contain reputation damage, angry shareholders and upset customers. And the business is losing money hand over fist.

If you don’t know there may be a new threat, for instance one that requires patching, your balloon is at risk. If another business in the same industry as yours is hacked, you need to know this to be extra aware. If a new hacktivism action has started, aiming at businesses in your country, you need to know. If a new spear phishing method was used to attack a similar organization as yours, you need to know. Threats can come from anywhere, think of the DigiNotar Certificate provider debacle in the Netherlands, or the recent Target and Neiman Marcus breaches, etc.

Coming back to the in-house system the security or Risk officer built to be informed, its RSS feed, or whatever they did to re-invent the wheel (as EVERY risk Office faces the same issue) the third problem comes up. Either way too little Information, or Information overload.

All technical staff love browsing the internet. Business management has not got a single clue what those technical employees are doing, they say they are busy watching for new threats, so C-level thinks they must be doing a good job. Wrong. They are wasting company time and money, while they give the impression that they are effective in what they are doing. Security and Risk staff should know that they know, and be focused on pro-actively protecting their organization. No amateurish fluffing around pretending to be a white hacker. They need to fix ALL weak spots in their balloon, every day, all the time.

Say, the security officer receives a couple of hundred RSS feeds, generating thousands of items, each one a possible risk or threat, but only a fraction relevant for your organization. The only way to know, is to inspect each of them, and as a new threat can emerge anytime anywhere, they need to keep track of them the whole time. Now, the Security Officer also deserves the weekends off for their family. But the threats keep coming. So, on Monday morning they arrive fresh at work, and some 6000 RSS items are waiting. With possibly one or two that need their immediate attention. Hidden somewhere amongst those 6000. But, they do not know which one. So they need to check them one by one. In the meantime something else comes up, continuing checking later in the day. Until they suddenly get hit by an item that indicates that the whole company is at immediate risk. Pity that they only knew at 3.30PM, while they should have known Saturday evening, when it first showed up. Too little actionable intelligence, too late.

What they need is direct access to Relevant Actionable Intelligence. No White Noise, hard direct intel on Anything that may threaten the success of their organization. Something or someone that is watching out for them 24×7 and immediately informing them when there is a possible threat or risk, leaving the Security Officer and Risk Manager to be effective in protecting the organization from future threats.

To know what needs to be done to fix this, visit BRI-Business Risk Intelligence and register for more information at https://brica.de

Because Fore-Warned is Fore-Armed.