Page 39 - GS170402
Views
Along these lines, a recent Forrester Research survey found that 80 percent of breaches involve compromised privileged accounts, and an unknown number are attributable to insider abuse. Composed of companies processing payments for third parties, The Green Sheet subscriber base is an ideal target for cyber-criminals, perhaps the ideal target.

Payment companies have employees and merchants accessing networks via smartphones and laptops. BYOD, remote working, and POS devices that reach both the Internet and internal networks are commonplace. All of these need to be managed.

As networks and enterprises grow in size and complexity, it becomes harder to identify threats and catch attackers. The barrier to entry for hackers has been lowered, too: today a criminal can buy and download ready-to-deploy exploit kits and malware on the Internet. And aside from these outside threats, there are threats from within an organization: employees, contractors, supply chain users or customers.

It's a long game

Darktrace, a presenter at the ISMG conference, put it this way: "For businesses, it is no longer realistic to expect that every threat or potential intruder can be kept out. Networks are becoming larger, more complex, spanning different geographies, and accessible to a wider variety of dispersed people. It is almost impossible to keep up.

"The new generation of cyber-threats is not necessarily targeting data alone. Today's most pernicious threats are playing a long game, and look to disrupt or undermine the very integrity of data. For example, a healthcare company relies on the integrity of patient data. A bank must be able to trust the core processor's data regarding its customers' bank balances. But what if the information, or part of it, is not just taken, but changed?

"The new wave of attackers may lie low inside a network for weeks or months before taking definitive actions. … Today, slow-running and sophisticated attackers are targeting all manner of companies and industries."

The good news is that there are about 4.5 million IT professionals who have background and experience as security risk professionals. The bad news is that about 1 million IT risk management jobs are vacant right now because we lack that many trained professionals. One of the most compelling statistics in the ISMG presentations was that in cases of fraudulent insider activity, the perpetrator had typically worked at the organization for at least five years with no apparent issues, and it took 32 months from the start of the fraud for it to be detected.

Any company in the payments business, of whatever size, would be well advised to pay attention here. You can learn more about the ISMG at www.databreachtoday.com/memberships. I also recommend that you check out the daily Krebs on Security blog at www.krebsonsecurity.com and the Software Engineering Institute at Carnegie Mellon University's website, www.CERT.org.

Perhaps the most depressing takeaway for me was the presentation by the FBI and Los Angeles District Attorney, which emphasized that after reporting a breach to the authorities, your journey has just begun.

Be prepared

If you do not have a plan in place, an attorney to manage the post-breach environment, committed management and prompt follow-through, you can be sued by regulators for negligence, even though the breach was not your fault. As one speaker put it, there is "compliance fog" and a "regulation gap," multiple jurisdictions, multiple enforcement authorities (SEC, FCC, CFPB, FTC), and very little case law on this subject.

The ISMG focuses on information risk, data breaches, banks, governments, healthcare, and careers in IT security. I cannot emphasize strongly enough how important it is to be aware of the threats to your organization from cybercrime and to take action, which includes getting senior management involved. To learn more, contact Mark D'Agostino at ISMG (609-356-1499, ext. 26).

Just imagine if your customer database and transaction record files were hacked and the data (dates, dollar amounts, authorization numbers, etc.) was permanently changed. What if you had no way to determine what the real numbers were? How would your company stay in business?

Two kinds of attacks stood out. Trust attacks undermine the integrity of data: they manipulate rather than exfiltrate, and the damage is to your reputation and stability. Then there are attacks that use AI, for example polymorphic malware that keeps changing its form to slip past signature-based defenses. These attacks are an arms race, with algorithms fighting algorithms.

I am glad I was able to attend this conference. It opened my eyes to the world of cybercrime as a service. All professionals in the payment space, whether working in IT directly or not, should be paying attention.

Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A Certified Cash Manager and Accredited ACH Professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at brandese@cross-check.com.
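The trust attacks the article describes, in which transaction records are altered rather than stolen, can only be caught if the records carry integrity protection that the attacker cannot recompute. The following Python is an added example, not code from Elitch's article or from any ISMG presenter: it keeps an HMAC-chained ledger of transaction records, where each record's tag covers both the record and the previous tag, so changing a dollar amount, deleting a record or reordering records breaks verification at the first affected entry. The key, the record fields, the `Txn` type and the sample transactions are all constructed for illustration.

```python
"""Tamper-evident transaction ledger using an HMAC chain (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional, Tuple

# Hypothetical key for illustration only. In a real deployment the key lives in
# an HSM or KMS that application servers can call but not read, so an attacker
# who rewrites the transaction database cannot recompute the tags.
LEDGER_KEY = b"example-key-for-illustration-only"
GENESIS = b"\x00" * 32  # tag assumed for "the record before the first one"


@dataclass(frozen=True)
class Txn:
    """One settlement record; field names are hypothetical."""
    txn_id: str
    date: str
    amount_cents: int
    auth_code: str


Ledger = List[Tuple[Txn, bytes]]  # (record, stored integrity tag)


def _canonical(txn: Txn) -> bytes:
    # Deterministic serialization: identical bytes for an identical record.
    return json.dumps(asdict(txn), sort_keys=True, separators=(",", ":")).encode()


def chain_tag(prev_tag: bytes, txn: Txn, key: bytes = LEDGER_KEY) -> bytes:
    # The tag covers the previous tag as well as this record, so deleting,
    # inserting or reordering records invalidates every tag that follows.
    return hmac.new(key, prev_tag + _canonical(txn), hashlib.sha256).digest()


def build_ledger(txns: List[Txn], key: bytes = LEDGER_KEY) -> Ledger:
    ledger: Ledger = []
    prev = GENESIS
    for txn in txns:
        tag = chain_tag(prev, txn, key)
        ledger.append((txn, tag))
        prev = tag
    return ledger


def verify_ledger(ledger: Ledger, key: bytes = LEDGER_KEY,
                  expected_head: Optional[bytes] = None) -> Optional[int]:
    """Return the index of the first record that fails verification, or None if intact.

    If expected_head (the last tag, checkpointed somewhere the attacker cannot
    reach) is supplied, a ledger that is internally consistent but truncated or
    wholesale replaced is reported at index len(ledger).
    """
    prev = GENESIS
    for i, (txn, tag) in enumerate(ledger):
        if not hmac.compare_digest(chain_tag(prev, txn, key), tag):
            return i
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(ledger)
    return None


# Constructed sample records, not real transactions.
SAMPLE_TXNS = [
    Txn("T1001", "2017-03-01", 12500, "A1B2C3"),
    Txn("T1002", "2017-03-01", 4999, "D4E5F6"),
    Txn("T1003", "2017-03-02", 78000, "G7H8I9"),
]


def tamper_amount(ledger: Ledger, index: int, new_amount_cents: int) -> Ledger:
    """Simulate a trust attack: rewrite a stored amount but leave the stored tag alone."""
    return [(replace(txn, amount_cents=new_amount_cents), tag) if i == index else (txn, tag)
            for i, (txn, tag) in enumerate(ledger)]


def delete_record(ledger: Ledger, index: int) -> Ledger:
    """Simulate an attacker removing a record outright."""
    return [entry for i, entry in enumerate(ledger) if i != index]


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_TXNS)
    head = ledger[-1][1]  # checkpoint the latest tag out of the attacker's reach
    print("intact:", verify_ledger(ledger))  # None
    print("amount changed at 1:", verify_ledger(tamper_amount(ledger, 1, 125000)))  # 1
    print("record 1 deleted:", verify_ledger(delete_record(ledger, 1)))  # 1
    print("tail deleted, no checkpoint:", verify_ledger(delete_record(ledger, 2)))  # None
    print("tail deleted, with checkpoint:",
          verify_ledger(delete_record(ledger, 2), expected_head=head))  # 2
```

Two design points matter here. A keyed tag (HMAC) rather than a plain hash is what stops an attacker with database write access from simply recomputing the integrity values after editing a record; the key must therefore not be readable from the same systems the attacker would compromise. And the chain alone cannot tell you that the newest records were cut off, which is why the verifier also compares the final tag against a checkpoint stored elsewhere. This is detection, not prevention: it tells you which record is the first one you can no longer trust, which is exactly the question the article asks.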