Tuesday, September 30, 2014
Week 6 - Security Awareness: To Train or Not
An ongoing battle in the security awareness training arena is over the effectiveness of this training. Is there a benefit for companies to provide this training, or would the money be better spent in other information security areas? Many companies require employees to take security awareness training once a year, often as part of other annual compliance training. Naysayers on the effectiveness of this training believe it is a wasted effort due to the time span between iterations and the "check it off and move on" format that is often used to present this content. While not a recent article, Fahmida Rashid wrote on this subject in April of 2013 for SecurityWeek online magazine. Her discussion focuses on the specific area of phishing and spear-phishing attacks, as these are likely weak points in endpoint security. As purveyors of these attack methods have become more sophisticated, it has become more difficult for the average user to resist clicking a link, especially if it happens to appear to come from a company that they do business with. Many phishing e-mails are indistinguishable from communications that would come from a valid source. This has been especially true in the banking industry, and it also affects electronic payments, as gaining access to an account online through one of these attack methods could potentially lead to a number of illegal transactions taking place. So is the best answer to give up, or is there a different type of training method that would be more effective? The method proposed in Ms. Rashid's article is called simulated attack training. With this method, the company creates phishing or spear-phishing e-mails and sends them to employees. If an employee falls for the fake e-mail, they are then enrolled in "just-in-time" training to recognize this type of attack and to respond appropriately. This identifies the employees who need focused training to address this threat.
An unnamed Fortune 50 company quoted in the article reported that 35% of the staff who received a simulated attack for the first time responded inappropriately. By providing immediate feedback, only 6% responded inappropriately the next time the simulation was run. This method provides metrics on the effectiveness of one aspect of security awareness training and avoids the annual repetitive nature that many training efforts unfortunately fall into. The exciting aspect of this type of training is to consider what other areas it could be successfully applied to.
Tuesday, September 23, 2014
Week 5 - The Board of Directors and Information Security
The discussion this week in class covers Information Security Policy; as has been mentioned both this week and in past lessons, for any policy to be effective it must come from the top down. The Information Systems Audit and Control Association (ISACA) knowledge center has a link to an article (marketing may prevent the deep link) in InformationWeek online magazine from August 19, 2014 that asks "CyberSecurity: How Involved Should Boards of Directors Be?". The author quotes statistics regarding the interest expressed by board members in cybersecurity, stating that 58% of them feel they should be involved in cybersecurity, while 65% say they have become more aware in the last 1 to 2 years of the risk their organizations face due to potential breaches. As correctly pointed out, the role of a Board of Directors for a company is not to be configuring firewalls but to guide the company to ensure that management puts the proper policies in place so that the firewall does get configured. ISACA and the Institute of Internal Auditors (IIA) have collaborated to come up with a list of questions board members should be asking the company's executive leaders:
(1) Is there a security framework in use? - There are a number of security frameworks available and depending on the company's business there may be a required framework or even multiple required frameworks issued by regulatory bodies of the company's industry.
(2) What are the top 5 cybersecurity risks the organization faces? - This may include areas such as new technology or legacy technology that is being used beyond its capabilities, such as the Windows XP POS devices mentioned in a previous post.
(3) Do employees understand their role in cybersecurity and protecting company assets? - Awareness training is the focus here and many companies are making this an annual requirement.
(4) Does cybersecurity planning cover both external and internal threats? - Breaches from external sources get plenty of attention in the news, but internal threats are still a reality.
(5) How does the company manage security governance? - Ensure that the three lines of defense (controls, governance, and audit) are being correctly managed so that everyone involved understands their role.
(6) Has the response to a serious breach been planned? - This plays nicely into last week's subject in class about incident response, disaster recovery, and contingency planning.
As one of the goals of this blog is to relate information security matters to the electronic payments industry, there is a discussion in the referenced article that fits this area. In the case where a Board of Directors does not involve itself in cybersecurity, it is possible they will face calls for their replacement. This has happened regarding the data breach of payments data at Target stores last year. An adviser to institutional investors recommended that 70% of Target's board be replaced due to this incident during the annual shareholders' vote for the board.
Tuesday, September 16, 2014
Week 4 - Security and Mobile Payments
Part of the big announcement on September 9, 2014 of the upcoming Apple iPhone 6 was the availability of the Apple Pay payments system. Apple has waited quite a while to participate in one of the most popular mobile payments strategies available, near-field communication (NFC). Most other smart phone manufacturers have included NFC capabilities in their devices for some time, as evidenced by the Samsung Galaxy ad campaign some years back showing users touching phones to transfer songs. For use in payments, the NFC-equipped device is touched to a point-of-sale terminal and the user provides a secondary identification to complete the transaction. Apple has included an additional hardware component in the iPhone 6 to lend it an extra level of security. Other methods besides NFC can already be used to make payments, perform money transfers, or buy products using any smart phone device available. But how safe is it? Writing for c|net security, Charlie Osborne's article from September 15, 2014 titled "Most mobile apps will fail standard security tests, Gartner says" does not instill confidence in smart devices being able to withstand many of the security threats that are easily handled on other computing devices. While the article is focused on discussing the ramifications for the increasingly popular bring your own device (BYOD) movement in the corporate world, many of the same concerns exist for mobile payments. One of the main points of the article is that existing security testing methods, static application security testing (SAST) and dynamic application security testing (DAST), do not address the needs of the mobile device market. The prediction made by Gartner is that in the next two years there will be an increase in endpoint breaches due to increased mobile device usage. For mobile payments, and other areas as well, this implies a step or two backwards with respect to the level of security available on the device.
While Apple is famous for tightly controlling the applications that are available for its mobile devices, mobile devices using other operating systems have already experienced a number of security issues. It will not be a surprise if there are applications from Symantec, Norton, or other vendors offering anti-virus and other security features for mobile devices. Until that time, it appears that caution should be exercised when deciding to use mobile payments. One final log to throw on the fire: telecommunication providers are also interested in participating in the mobile payments space. However, these companies are not regulated in the same manner as banking institutions. For example, a customer is limited to $50 liability for fraudulent charges to credit cards by banking regulations, as long as the customer notifies their bank in a reasonable amount of time. Currently there are not any regulations governing telecommunications companies on this or on disputed charges. Mobile payments are going to happen, and are already popular in other parts of the world. But will this be similar to the initial days of online payments and purchases, where security came after the fact and a large number of people were victims of fraud and identity theft? So far, events appear to be headed in this direction.
Tuesday, September 9, 2014
Week 3 - Home Depot and BlackPOS
As has been widely reported in the news, Home Depot stores in the United States and Canada have been subject to a data breach that has compromised credit and debit cards. In a story published in Security Week there is information provided, second hand, that this breach was due to point of sale (POS) devices infected with a new variant of the BlackPOS malware. This is the same malware that was blamed for data breaches at Target, Neiman Marcus, and other retailers late in 2013. Target's breach is now thought to have exceeded 110 million customers, according to a c|net story. I know we received replacement credit cards with EMV chips due to this breach, so what has this breach cost in card reissuance alone? And having seen what happened at Target et al., why have retailers like Home Depot not stepped up replacement of POS devices and installed new devices with EMV capabilities? Many retailers have performed this replacement; even Target has EMV-capable devices in the Dallas, TX and Boulder, CO stores that I have been in recently, yet this functionality is not active. In fact, WalMart stores are the only retailer I am currently aware of that is forcing the use of EMV cards if you have one. But even there no PIN is required. You put the card in the slot, confirm the purchase amount, and wait for it to beep telling you to remove your card. The only reason I can think of that EMV rollout has not been more aggressive is that cost/benefit analysis has shown that the risk of a data breach and the associated costs is less than the cost of POS replacement. Even the most basic POS devices cost over $500 each. I can't imagine the number of POS devices that Home Depot has, but I suspect the cost of this data breach will exceed the replacement costs. This has been a long-term problem in this specific area.
The movement by retailers to install EMV-capable POS devices at the moment is being driven more by the October 2015 deadline set by credit card issuers than by the costs associated with potential breaches. After this date retailers will be responsible for any fraudulent credit card transactions. While EMV has been successfully deployed in Europe for some time, resistance in the United States to any changes to POS devices has been strong for many years. The implementation of debit cards for use in pay-at-the-pump transactions in the early 2000s was a previous such event. This required changing out all of these POS devices, as debit transactions must be encrypted from the POS device by banking regulations. Around the same time a small company came up with a different use of existing technology to address the POS fraud issue. This company figured out that the magnetic stripe on any transaction instrument has noise on it that is as unique as a fingerprint. Using a specially designed POS device, this noise could be read and transmitted along with the card information to validate a transaction. The best part is that the noise cannot be replicated, so the card could not be duplicated. A great idea, but again the cost/risk/benefit calculations did not favor this technology, so it never made it into use.
Tuesday, September 2, 2014
Week 2 Post - GameOver Zeus Botnet
In June the FBI reported that the GameOver Zeus botnet had been disrupted and filed charges against a Russian Federation citizen as the administrator of the botnet. A botnet infects multiple computers and uses them to perform actions at the direction of the administrator. In the case of the GameOver Zeus botnet, this particular malware specifically targeted banking information and other credentials that were then used to create electronic financial transactions and transfer funds from the computer owner's accounts to those of the criminals controlling the botnet. Most botnets make use of a centralized command and control system, where the botnet can be disrupted by blocking traffic from that system. In the case of the GameOver Zeus botnet, a decentralized peer-to-peer command and control infrastructure was employed, allowing any infected computer to relay instructions to the entire network of computers that are part of the botnet. This makes taking down the botnet more difficult. From an electronic payments perspective, this type of activity threatens anyone who uses their computer to make online purchases or uses online bill pay with a bank account. Both of these methods of making payments are increasing at a steady rate each year. Wholesale bank transactions, where large amounts are transferred between banking institutions, are another area of concern, as most terminals into mainframe systems are PCs these days. The dollar amounts of individual transactions of this type are surely of interest to the same people who go after individuals' bank accounts. The method employed to disrupt the botnet was to redirect communications from servers controlled by the perpetrators to computers controlled by the US government. This required the issuance of civil and criminal court orders, not something an individual will be able to undertake.
The FBI coordinated the redirection with multiple international Computer Emergency Readiness Teams (CERTs), and these teams were then able to identify the IP addresses of infected computers so cleanup could occur. Recommendations to protect yourself from this type of malware include the same recommendations we've all been given for a number of years:
+ Ensure that your computer's antivirus software is up to date
+ Configure your computer to apply OS and browser updates automatically
+ Turn on the pop-up blocker (it seems like a number of applications still require pop-ups to be allowed)
+ Only download from trusted sites
+ Don't open e-mail attachments you didn't request, and scan them regardless
+ Don't use embedded links in e-mail to go to a site; rather, access an organization's web site directly
If you're like me though, you have probably ignored at least one of these recommendations in the last several months. This points to the need for continuous reminders of best practices in the security area.