By Bob Olson, Tim Saja, and Stephen McCarney
The latest breaches at leading retailers teach at least three timely lessons for financial institutions: They make a priority of reducing POS (ATM) and vendor software exposure. They expose the folly of trying to chase down each new vulnerability. And they lead bank security officials toward longer term and more cost-effective measures for securing money and data.
“How did they do it? How did they get in?” In the wake of the breaches at leading retailers, the headlines made that the pressing issue. And of course that needs to be solved.
But in the final analysis, a sensible answer for bank security officials is, “Who cares?” Because if there’s anything bankers know, it is that they are targets – whether the thieves drill into the vault, hold up the teller, embezzle from a trusted position, or creep in through malware. Banks are where the money (actual currency or its data equivalent) still is. And in today’s cyber age, the money and data are flying about between banks, their customers, and their devices, potentially vulnerable at every point.
Recent headlines simply prove the ubiquity of vulnerabilities. Apparently “they” exploited what was thought to be a benign vulnerability in the retailer’s network but which eventually exposed customer information at the point of sale (POS). And they did so with the embedded credentials of vendor software installed at the retailer’s network.
For banks, POS means the ATM. What bank Chief Security Officer didn’t get an urgent invitation from the CEO to brief the board of directors on “Could a Target-style breach happen at our ATMs?”
It’s a good question. More than likely your ATMs have no direct connection to the Internet, and what good is purloined data if it can’t be leaked out to the Internet and then find its way to foreign countries where it then gets posted for sale?
But hackers don’t need direct connections if your ATMs are on the same network as the computers used by new accounts people and your branch manager who, say, decides to check out CNN’s “Around the Web” on his lunch break and in doing so opens a web page hosted in Russia. Malware from the ATM can make its way to all those computers and any others on the network, breaking down the stolen data in small enough bits that it excites no attention, and then, finally, thanks to that single opening, abscond with it all unnoticed. The Neiman-Marcus breach began in July 2013 and continued through October 2013.
And today there’s an added worry about ATM security: April 8 brings Microsoft’s long-planned withdrawal of support for Windows XP, which happens to be the operating system for most of the 90 to 95 percent of the world’s ATMs that use Windows, according to the ATM Industry Association. Come April 9, without new security measures, ATMs running XP would be non-PCI-compliant, and yet only 38 percent of ATM operators running on Windows XP plan to be upgraded by then. With that in mind, many banks are temporarily “locking down” ATMs while they migrate to other supported systems.
Likewise, on the news about vendor’s credentials being exploited in one recent breach, banks are reexamining their vendor security measures. And when the next breach headlines burst out, they will be racing to harden another target that hackers have penetrated. In the meantime, the FFIEC is warning them about ATM security, and Congress is holding hearings likely to result in new cybersecurity laws.
So we are talking about waves of compliance that eat up time and money. We are talking about hundreds of thousands of ATMs (to say nothing of scores of other legacy systems with obsolescing security protection). Hundreds of thousands of vendor credentials. Millions of cell phones and computers, all hooked into your networks in one way or another. And a criminal community that keeps perfecting its methods and gaining imitators with each breakthrough.
Out on the Internet there’s a video of a toddler picking up tennis balls and tucking them into the can under his arm. He tucks one in, leans over to pick up another, and out rolls the first one. He picks it up. Over and over. Same thing. He never gets frustrated, but if you were a bank CEO paying for security that way, you would.
Increasingly it’s a fool’s errand to keep tackling security vulnerabilities one at a time with short-term deterrents. Instead the new security formula in banks needs to be cloak, contain, and collect.
By cloak, we mean, make your tempting devices, transactions, and data invisible to anybody who doesn’t need to be part of them. By building in this “principle of least privilege,” (the least amount of privilege necessary to complete the job), you strictly limit the damage of any security breach, accidental or malicious. Criminals out there pinging away, looking for an interesting ATM, PC, or smartphone to penetrate, don’t even find a hardened target – they detect nothing at all. They go phishing elsewhere, where they can detect a target.
By contain, we acknowledge what all security experts know – nothing is 100% impervious to determined hackers. Whether it’s a software error, a rogue employee, a naïve customer, a compromised vendor, or lax procedures, someday something is going to let an intruder in. That’s where containment comes in. We keep dangerous medical viruses in check by quarantining the sick, preventing the germs from getting out the door. The same applies to data collected by software viruses and malware.
Instead of connecting your ATMs to the branch network, you need to connect them to a private network where they only have network access to servers that process ATM requests. Even if an intruder manages to infect the ATM, as long as the information never leaves the enterprise, no damage is done. New technologies like virtualization enable this without the cost and complexity of more hardware by allowing you to virtualize your networking into smaller “communities of interest.”
By collect we mean collect relevant information that alerts you in real time of any hints that your systems or data have been compromised. It takes time to execute a successful intrusion. Like burglars who look for signs that homeowners are away on vacation, hackers count on having plenty of time to orchestrate their deeds as widely as possible throughout a compromised enterprise. In the latest breaches, that meant keeping their heads down until 70 million cards had been stolen, slipping bits of information out unobtrusively. If you’re not reviewing succinct reports in real time that flag non-standard activity when it’s still small, and if you’re not regularly updating your diagnostics and analytics to keep up with the latest intruder gambits, massive breaches can go undetected.
Mr. Olson is Vice President, Global Financial Services, Mr. Saja is Director of Security Solution Architecture, and Mr. McCarney is Director, Global Security and Cloud Portfolio for Blue Bell, Penn.-based Unisys Corp.