Page 11 - GS161102

News

cybercriminals use a combination of techniques to break into ecommerce sites and steal identity and payment card data.

ChargebackGurus has seen an increase in "friendly fraud"; its analysts are working with payment card brands to evaluate this trend. Some consumers have bragged about friendly fraud on social media, claiming to have received free goods by disputing charges, according to recent reports. Overall chargeback volumes in 2015 were 30 percent friendly fraud and 70 percent true fraud; these numbers reversed in 2016 to 70 percent friendly fraud and 30 percent true fraud, the company stated.

Tripwire, Verizon advocate cyber-readiness

The National Retail Federation projected a 3.6 percent increase in 2016 retail holiday sales, and leading security firms are warning companies to protect their data. Recently published reports by Tripwire Inc. and Verizon Inc. suggest retailers can do more to safeguard physical stores and ecommerce sites. The Tripwire study, published Oct. 10, 2016, surveyed 763 information technology (IT) professionals, 100 of whom were in the retail sector. Verizon's 2016 Data Breach Investigations Report analyzed over 100,000 incidents that occurred in 2015, including 3,141 confirmed data breaches.

Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire, cautioned IT professionals against complacency. "The increased scrutiny of retail cyber security in the wake of major breaches has forced organizations to focus on securing their environments, yet these survey results show that there's still a lot of room for improvement," he said.

Verizon's study found that 99 percent of reported cyber attacks in 2015 occurred within a period of hours but went undetected for weeks, sharply down from response times in 2014. "There is a dramatic decline in internal discovery and a corresponding increase in discovery by fraud detection in our dataset this year," the authors wrote.

Seven-point protection plan

Tripwire analysts recommend protecting physical and digital infrastructures with a seven-point plan established by the United States Computer Emergency Readiness Team (US-CERT). "When implemented across an organization, these controls deliver specific, actionable information necessary to defend against the most pervasive and dangerous cyberattacks," the company stated.

US-CERT strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats and exchanging critical cybersecurity information with trusted partners around the world, according to its website.

Following are the seven elements to address as part of US-CERT's protection plan:

1. Accurate hardware inventory
2. Accurate software inventory
3. Continuous configuration management and hardening
4. Comprehensive vulnerability management
5. Patch management
6. Log management
7. Identity and access management

Tripwire cited the following data as evidence of the need for early, automated threat detection:

• 84 percent of respondents were confident they could detect intrusions on their networks, but only 51 percent knew exactly how long the detection process would take.
• 43 percent of respondents knew how long it would take their vulnerability scanning systems to generate an alert after detecting unauthorized entry on the network; 81 percent believed it would happen within hours.
• 51 percent of respondents believed their automated tools do not detect all necessary information, such as locations and departments, needed to identify unauthorized configuration changes to endpoint devices.
• 36 percent of respondents said less than 80 percent of patches succeed in a typical patch cycle.

Advanced tools, surveillance

Verizon and Tripwire advise IT professionals to use advanced security tools to protect against increasingly cunning cybercriminals. Verizon cited phishing as a dominant cyberattack method. As multilayered protections against phishing scams, the company proposed spam protection, list blocking, email header/attachment/URL analysis and reporting of suspicious emails.

The Verizon report encouraged companies to authenticate, segment, and monitor all devices, apps and personnel connected to their networks. Report authors also gently poked fun at the idea of enforcing best practices within a security department. "One can't really say 'don't screw up again', or 'pay attention to what you are doing, for Pete's sake,'" they wrote. "Nevertheless, there are some common sense practices that can be implemented to help keep errors to a minimum."