Home » breach

Tag: breach

CYBER SECURITY AND THE ART OF WAR

Successful cyber-attacks can ruin businesses, livelihoods, and even the lives of Small and Medium Business (SMB) owners and their customers. The enemy continues to grow stronger, launching over 4,000 attacks at SMBs daily. And, the stakes could not be higher. This is not a game……this is a war.

• The majority of cyber-attacks are directed at SMBs, due mostly to the attacker’s perception of weaker defenses at SMBs as compared to larger enterprises with greater resources and defenses in place.
• Post-attack remediation costs of an attack can extend into the hundreds of thousands of dollars for an SMB
• 70% of SMBs attacked go out of business in less than 2 years after a significant breach

So, how do we win?

Oddly enough in these tech forward times, the answers may exist in a book written over 2,500 years ago.

Sun Tzu, the Chinese general, military strategist and philosopher who lived in the 5th century B.C. is best known for authoring, “The Art of War”. This seminal work has influenced military strategy from when it was written to present day. The Japanese military adopted many of the book’s principles as it built itself into a modern military power. During the Vietnam War, Ho Chi Minh had it translated and given to his officers for study, contributing to the Vietnamese Army’s success against the French and American forces. More recently, during the Gulf War American Generals Schwarzkopf and Powell employed Sun Tzu’s philosophies during that conflict. And to this day, “The Art of War” continues to be a part of the Marine Corps Professional Reading Program.

The following are a few key “Art of War” principles, rendered to address the cyber-security challenges faced by today’s business owner.


“Every battle is won before it’s ever fought.”

Sun Tzu speaks to the importance of being fully committed and prepared, well in advance of any engagement with the enemy. Did you know that approximately 80% of businesses are not fully PCI compliant? To extend the analogy, this means that 4 out of 5 businesses are already losing the battle.


“The expert in battle moves the enemy, and is not moved by him.”

An effective cyber-security strategy must be proactive, agile and restless. The advantage exists in forcing the cyber-criminal to react to the defenses being put in place. Ask yourself if you are acting, or reacting.


“A clever fighter is one who not only wins, but excels in winning with ease.”

This idea is similar to the modern day reference to people who exhibit mastery within their field. Elite athletes or artists for instance who, “make it look easy”. But as we all know, that mastery is the result of untold hours of consistent and focused practice of their craft. To “win” against cyber-attacks, you must persistently invest the time and energy necessary to excel at defending your enterprise.


“Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.”

This translates to the importance of establishing and maintaining a very powerful security schema, while remaining opaque to outside forces. This of course includes software solutions, but also includes well-defined security policies and even training protocols for employees, minimizing inroads for attackers. And in the event that an attack is detected, we must move swiftly and strongly to obliterate it.


“The greatest victory is that which requires no battle.”

This is the ideal state that we strive for. One in which the enemy chooses to not attack, as a result of the perceived strength of our defenses.

We at Wind River Financial in partnership with Trustwave are excited to offer our client partners the robust offering with in the Advanced Security Package (ASP) as we all continue to fight this battle. We encourage you to contact your Relationship Manager for your Login so that you can activate these enhanced tools immediately. These types of serial upgrades are critical to defend your business. Equally important is the commitment of the SMB owner to making cyber security a top priority. Having the very best tools in your arsenal, in tandem with a committed and vigilant philosophy is the best strategy for winning this war.

To learn more about the tools you can go here. To speak with a Relationship Manager call our Client Care 800-704-7253 ext. 6828

Who are you?

As a fraud expert, I recall a certain fraud conference I attended years ago with a presentation by one of the U.S. Attorney’s Offices in New York. The conference was hosted by the Int. Assoc. of Financial Crimes Investigators (IAFCI), an association for whom I now co-chair the Cyber Fraud Industry Group. The U.S. Attorney’s Office began their presentation with background music of Who Are You by The Who – the theme song of the original CSI TV series. They played this while running through a slide show of articles about identity theft which were endless. The salient point was that identity theft was already out of control at that time.

This memory is pertinent to discussions today about the Equifax breach and questions I’m getting from, seemingly, all directions. Most people are asking “what should I do?” Everyone from family members to clients are asking.

The issue has a long history and probably begins with the practice of entities using SSNs as a unique identifier for individuals. The SSN itself was only meant to be used for social security and I’ve heard that it’s actually illegal to use it for other purposes. However, I think you’ll agree that many entities still use it for identity purposes – both private and public sectors.

On top of this, the credit rating industry in the U.S. has private entities (credit reporting agencies) that make money by purchasing your payment history from creditors, creating profiles, and then selling a credit score to potential new creditors so that they can determine their risk. They also maintain consumer personal identifiers within the profiles that can be used to positively identify credit applicants. This is something U.S. financial institutions are required to do to help combat money laundering and other crimes. What could possibly go wrong with entities storing this sensitive information?

Another issue the financial services industry is struggling with are synthetic identities. These are identities that are completely false, but nevertheless, criminals are able to establish credit profiles at credit reporting agencies with the false identifiers and apply for credit under them.

Where does it end? That’s a good question. If I ask “Who are you?” giving me your first name may be enough if I know you. However, if I’m a financial institution and you’re applying for a loan or a credit card, I have to rely primarily on the credit profile as your “identity.”

This is where we turn back to the Equifax breach in which, at the time of this writing, was the compromise of approximately 143 million consumer profiles (about half the population of the U.S.) and 209,000 credit card numbers.

The compromised information can be used to open financial accounts such as credit cards, loans, lines of credit, etc. It could be used to file a false income tax return on your behalf in order to get an income tax refund. It can also be used for non-financial services related ID theft.

There are plenty of good resources for information on what to do now. One is the Financial Services Information Sharing & Analysis Center (FS-ISAC) and the Federal Trade Commission (FTC). These resources provide information that you can use to determine your personal best course of action that may be based on characteristics such as your age, your personal credit needs such as whether you need instant credit, or other parameters.

They also provide the links to complete any actions you may wish to complete such as checking to see if your information is known to have been included in the Equifax data compromise, signing up for credit monitoring, placing a freeze on your credit reports, placing a fraud alert on your credit reports, or taking other action.

Some actions you can take to be defensive against identity theft over the long term include:

• Filing your income tax return as soon as possible each year so that criminals can’t file a false one using your SSN

• Reviewing your credit reports each year free of cost (annualcreditreport.com). You can also run queries on the SSNs of your underage children to ensure that they come back blank or not on file. If they come back with accounts, you will want to investigate further and file consumer disputes on their behalf if necessary. This can be particularly important in the time period before your child graduates high school as they may be applying for student or other types of loans which is a bad time to find out they were the victims of identity theft with ruined credit.

• Utilizing credit monitoring services. There are some free services to do this such as certain credit card accounts that offer this as an included service, ¹Credit Karma, credit monitoring services offered by entities after they have been breached (Equifax is offering this), etc.

The Equifax data compromise was a large one, but they are certainly not the only one. Also remember that your information is on file with the federal government – several departments of which have experienced their own data compromises. The point being that you should assume your identity information is at risk and you should act accordingly over the long term while helping your children and older generations do the same. At the end of the day, if your credit becomes damaged from a fraudulent entry, you can file a dispute with the credit agency or agencies. Federal law requires the agencies to then take certain actions to verify with the reporting creditor or correct or remove the entry which should improve your credit rating situation.

So…who are you?

 

 

¹Wind River Financial does not endorse or promote any particular service. Those mentioned are for example purposes.

Preparing for Data Breaches: What retailers need to do

Cybersecurity is one of the most urgent topics on the agendas of retail executives. In fact, cyberattacks resulting in the loss of customer cardholder data and personal identifiable information have been fairly common in recent years. The best-prepared retailers are shifting their cybersecurity strategies from focusing on prevention, to implementing techniques to quickly detect breaches and limit the damage once a breach has been confirmed.

Please join Jan Hertzberg, Derek Laczniak and me for a Lunch and Learn about how retailers can limit the scope and impact of cybersecurity breaches as well as leverage cyber-risk insurance to contain losses. Baker Tilly is sponsoring the event.

Event Info

Wed, September 30, 2015, 11:00am – 1:00pm CST

Nakoma Country Club
4145 Country Club Rd
Madison, WI

To learn more and register for this free event go here.

So You’ve Been Breached…Now What?

In today’s heightened regulatory environment, the last thing that any business wants to find out is that they’ve been breached. If you think that you’re too small of a target for any hacker to have interest, you’re wrong. Over 90% of current network intrusions occur at small or medium businesses. They may not all make the newspaper like a multi-national retailer, but this is the state of data security.

The current belief within the information security community is that “it’s not a matter of if…it’s a matter of when” you will experience an intrusion. The fact is that most breached entities find out initially from a third party such as through law enforcement or customers.

An important item to have on file to help manage such situations is a breach response plan, not only because it’s a PCI requirement, but because you don’t want to have to make the difficult decisions you’re going to have to make under pressure with the decisions you make potentially having legal, financial, and even business survival implications.

There are several resources that may assist you in preparing an incident response plan. Below are some examples that you may find useful.

Electronic Transactions Association (ETA) Fraud & Security Committee

Data Breach Response: A Nine-Step Guide for Smaller Merchants

Visa

What To Do If Compromised.

An incident response plan is not something that most of us are chomping at the bit to write, but any time committed to it is worthwhile as it could significantly impact the time and expense of a data security event.

Of course if you are breached or suspect you might have been breached, contact us immediately and we will assist you by putting you in touch with the folks who can help in your situation.

Your Logo May Not be a ‘Target,’ but Your Business May Be One

‘…Because That’s Where the Money Is’

These were the words supposedly uttered by the infamous bank robber Willie Sutton when a reporter asked why he robbed banks (although Sutton later denied ever saying this). Throughout history, it can be implied that this is the reason that any bank robber, or other thief, would target a specific location.

Today, this rings true even in the cyber world where we see the computer networks of merchants breached on an almost daily basis. It is a high tech cat and mouse game which has very real world consequences for the victim business both financially and via reputation. In fact, statistics tell us that one in five businesses fail as the result of a data compromise. The suspect, on the other hand, has a much lesser risk of even being identified or apprehended which is one of the reasons why cybercrime is so prevalent.

You may have read about the Target breach that occurred during the holiday shopping season which, at the time of this writing, amounted to the compromise of approximately 70 million records (credit card numbers, customer information, etc). It was also disclosed that the way in which data was stolen from Target’s computer network was via malware (malicious software) called RAM scrapers or memory parsers. These types of tools allow attackers to “scrape” credit card data while it momentarily rests unencrypted in a computer’s or POS system’s RAM memory without effecting the legitimate sale transaction. This can be done even if the merchant does not store the credit card data long term. We sometimes refer to this as intercepting data in transit or while it is moving.

When we look at the reasons behind many computer network breaches, we often see the same reasons repeatedly. They are: passwords that are too simple and can be easily “brute forced” or guessed with dictionary based password guessing software, or improperly configured remote access (such as for bookkeeping) in which the remote access software may still have the default password enabled.

If you own or run a small or medium business (SMB), you may not think of your business as a target (no pun intended) for hackers, but the opposite is actually true. In fact, most industry statistics tell us that over 90% of current breaches are to SMBs. We often see hackers looking for the path of least resistance and this is often SMBs due to the perceived notion of lesser security. After all, if you were a bank robber, would you rather go after Fort Knox, or a small financial institution that likely doesn’t have as many levels of security in place?

So you may be asking “how can I reduce the chances of my business getting breached?” The answer is through PCI compliance. PCI is a data security compliance framework that was built and is maintained to help merchants secure their computer networks against credit card compromises. It is not a guarantee that your business cannot get breached, but it represents the minimum best practices based on the current threat environment. Depending on how you accept credit cards and how this data may flow through your computer network, achieving PCI compliance may have certain challenges and may require technical assistance, but it is effective at its goal of protecting credit card data. Like many compliance frameworks, PCI is designed to help reduce your risk – by reducing the chance of a computer breach.

Wind River Financial runs a program called PCI Partner in partnership with Trustwave, a data security company, which helps our customers achieve and maintain PCI compliance to reduce data breach risk. This is done by working through a compliance questionnaire on a web portal. This process helps identify any vulnerabilities or weak spots in your computer network or in business practices. In addition, we also provide Breach Protection which offers up to $100,000 in recovery if your business should experience a data breach. All of our customers have Breach Protection unless they have opted out. We encourage you to take the time to get through PCI validation and make security business as usual. Don’t be easy prey for hackers that are just looking for an easy target.

As a last note, Visa had a great video that was produced for their 2013 Global Security Summit related to the challenges of securing technology in a global environment. You can view it on YouTube here.