The third instalment in our 2013 series, in which we discuss cyber intrusion and security with Paladion, a world-leading information risk management firm.
Continuing with our Expert insights series for 2013, we have a special treat: an interview with Co-Founder and Chief Operating Officer of Paladion, Vinod Vasadevan. Although many of you might not have heard of Paladion, the firm is considered a global leader in managed security. It has been included in a number of internationally recognised rankings for network/information security, such as those prepared by Deloitte, Gartner, Info Security Products Guide, and Red Herring.
Recognising the expertise to which we had access (in Vinod), we broadened our discussion of cyber threats and security from purely a Caribbean focus. As a result, the insights shared are even more valuable, since we can now consider those topics in a much wider context.
Similar to previous Expert insight instalments, questions were posed to Vinod, and the responses provided are set out below. However, we were able to supplement that exercise with a Skype video call with Vinod, in which we were able to not only pose the initial set of questions, but also ask about:
- trends in the types of threats that organisations are likely to experience in the future, and
- what should organisations be doing to position themselves to address/manage those anticipated threats.
Be forewarned: the quality of the Skype call, especially the sound, is a bit inconsistent, but Vinod does provide some very insightful responses, which should not be missed…
ICT Pulse: Paladion manages security for enterprises on four continents. What do you see out there? What does the threat landscape look like?
Vinod Vasadevan: Just as we speak, the shock impact of the $45 million ATM fraud that involved prepaid cards of two banks in the Middle East is just settling in. This fraud was executed across 27 countries within 10 hours. It is a recent and most visible example of the organized nature of cyber crime today.
Today’s threat landscape is complex with multiple threat actors. We have the cyber crime syndicates, hacktivists, nation states and the script kiddies. Each of them has their own agenda. Cyber crime syndicates are financially motivated. They focus on identity theft, card data theft, skimming, phishing, financial malware and any other attack that leads to financial benefits. Hacktivists (e.g. Anonymous) organize attacks for a certain cause. They shut down Visa/MasterCard/PayPal sites when Visa/MasterCard stopped fund transfers to Wikileaks. Similarly, many US government websites were brought down when Aaron Swartz committed suicide. They can be good or bad based on which side you are on. Last year also saw active participation from nation states. It is rumoured that the Stuxnet worm was engineered by some nation states to bring down Iranian nuclear facilities. All of this is on the demand side.
On the supply side, it is easy to buy stolen cards, identities etc. Data with more information commands a higher price. Attack toolkits like phishing are available in a SaaS (Software as a Service) model. Similarly malware, for example financial malware that targets customers from specific banks, can be bought online. Botnets that triggered many of the recent US DDoS (Distributed Denial of Service) attacks at the beginning of this year can be bought in a service model.
Hence bigger enterprises could be direct targets of cybercrime syndicates, nation states and hacktivists, while medium and smaller enterprises can get caught in the crossfire.
ICTP: What are the implications for the Caribbean as a region?
VV: The Caribbean is an emerging economy and is therefore a target for cybercrime syndicates. The recent compromises of card data in the region and ATM attacks are a testimony to this. In general, the maturity of security controls in most enterprises needs to scale up. There are some exceptions. The security awareness of consumers is also low. Hence cybercrime syndicates will see the Caribbean as an easy target and we will continue to see an increase in financially motivated attacks. The region will continue to be a target of phishing, skimming and data theft attacks. I should say that ICT Pulse is doing a good job on enhancing security awareness in the region.
ICTP: What is Payment Card Industry Data Security Standard (PCI DSS)? Does PCI DSS adoption help reduce such incidents?
VV: PCI DSS is the leading data security standard for the payment card industry. It was created with the intent of protecting cardholder data. It has 12 requirements that organizations should implement and continuously maintain. The requirements are a combination of technologies and practices. Key controls include network security, cardholder data protection, logical and physical access control, security monitoring, security testing, and vulnerability management programmes. It is a comprehensive standard. The requirements for PCI DSS certification for an organisation are quite strict and are closely monitored by the PCI Council. Hence PCI DSS can lead to a significant improvement in security posture once implemented. The standard applies to any industry or organisation that manages cardholder data. The PCI Council has been driving the implementation of the standard in the retail industry in geographies such as the US and Europe, since the financial services are already heavily regulated. In some other geographies, where the financial services industry is not regulated, members of the PCI Council have ensured that banks also adopt the standard.
There is a strong link between theft of card data and fraud from the same through cloning and other means. Implementation of PCI DSS enables organisations to discover card data across the organisation, and to put in controls for protection across the different business units. This leads to a drastic reduction in card data theft and corresponding fraud losses.
ICTP: There is an impression that PCI DSS compliance is a costly exercise, given the security technology investments required. How are organizations balancing the cost/benefit aspect of PCI DSS?
VV: PCI DSS does provide a disciplined approach for implementation of the standard. It also lays emphasis on robust security controls. At the same time, it is a flexible standard. If an organisation cannot meet a certain requirement, they can look at a compensating control, which provides the same level of security as that of the original requirement. Compensating controls can be innovative as long as they meet the security objective of the requirement. So, it is not always about implementing the most expensive technology, but about implementing the right technology.
As an example, the security-monitoring requirement need not be met with the best-of-breed SIEM (Security Information and Event Management) tool. As long as the tool used, along with the process implemented, meets the events to be monitored and the timelines specified, it will suffice even if the tool is not the best SIEM.
Similarly, if an organisation has challenges masking PAN (the first six and last four digits are the maximum number of digits to be displayed) due to application or database related complexities, the same can be managed with compensatory controls. We have seen cases where the PAN, for example, is used as an index in a database and therefore cannot be truncated. In such cases, the standard is flexible enough to allow for a combination of other controls including rigorous monitoring and access control. So, it is up to the organisation to develop a control framework that provides for security, but at the same time, manages the cost.
Any breach of card data leads to direct losses due to fraud, regulatory fines, loss of customers, and hits the brand image of the organisation. In this context the Return On Investment for PCI DSS implementation is easy to understand.
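Vinod's two points above, that PCI DSS makes an organisation discover card data wherever it sits and that a displayed PAN may show at most the first six and last four digits, as an added Python example that is not part of the interview or of Paladion's tooling: a small scanner that flags Luhn-valid card-number candidates in constructed sample records and emits a masked copy. The sample records, the regular expression and the function names are assumptions for this illustration.

```python
import re

# Constructed sample log records for this demonstration; the card-like values
# are well-known test numbers (they pass Luhn) and are not real cardholder data.
SAMPLE_RECORDS = [
    "2013-05-12 10:01:02 order=88231 pan=4111111111111111 amount=120.00",
    "2013-05-12 10:01:07 customer lookup idx=5500000000000004 status=ok",
    "2013-05-12 10:01:09 invoice=1234567890123 total=42.10",  # 13 digits, fails Luhn
    "2013-05-12 10:01:15 healthcheck ok",
]

# Candidate PANs: unbroken runs of 13 to 19 digits, the lengths card brands use.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(digits):
    """Luhn check-digit test; screens out most numeric IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Display form PCI DSS permits: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(record):
    """Luhn-valid digit runs in one record, in order of appearance."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(record) if luhn_valid(m.group(0))]

def scan_records(records):
    """Discover PANs across records; return (findings, redacted) where findings
    lists (record index, PAN) for review and redacted has each PAN masked."""
    findings, redacted = [], []
    for idx, record in enumerate(records):
        line = record
        for pan in find_pans(record):
            findings.append((idx, pan))
            line = line.replace(pan, mask_pan(pan))
        redacted.append(line)
    return findings, redacted

if __name__ == "__main__":
    for idx, pan in scan_records(SAMPLE_RECORDS)[0]:
        print(f"record {idx}: PAN found, display form {mask_pan(pan)}")
```

The Luhn filter is what keeps invoice and order numbers out of the findings; a real discovery programme would run the same logic over databases, file shares and backups, not only logs.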
ICTP: In several instances, and even in the most recent global ATM incident, the attackers do not directly compromise the banks, but rather their outsourced vendors. What should banks and similar institutions do in such scenarios?
VV: Yes, this is the case since the attackers are looking at easy points of compromise. Going back to the recent USD 45 million fraud using prepaid cards, the payment processors serving the banks were compromised. This is the case since most banks have robust security controls and are much more difficult to compromise. The payment processors, on the other hand, are smaller organizations with limited resources, and hence the chances of weak links in their security are higher. This is a trend.
Last year, certain certification agencies in Europe were compromised to get at the root certificates of large enterprises. There are many examples of outsourced call centres of banks getting compromised for carrying out fraud. This calls for a strong vendor security programme to be implemented by banks.
This programme should encompass periodic assessment of the security posture of the outsourced vendor by the bank. The assessment should review the technology infrastructure and applications, processes, and personnel related to the outsourced project. As part of this programme, the bank should also track the vendor for mitigation of identified risks. There can also be vendor benchmarking and continuous improvement programs with bonuses and penalties built into the contract. Banks can also mandate vendor compliance with leading security standards, such as PCI DSS, ISO 27001, etc., to ensure good security practices by vendors.
Do you have any questions or comments for Vinod? Do share them in the ICT Pulse Comments area below.
Looking forward to your feedback!