Welcome to the 28th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.
The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.
Your Payment Security Matters as Much as Your Capital.
If your customers lose faith in you, you’re done.
Sales transactions require trust in the method of payment. Cash can be counterfeited, checks can bounce, credit cards get stolen. But those issues pale in comparison when your own company is the weak link in the chain of good faith. Just ask the retailers wishing they weren’t in the national headlines lately. Data insecurity can set you back to the tune of millions of dollars. And the stain on your reputation will last a long time.
To reduce your risk of exposing your customers’ data and help keep your online payment transactions secure, here are three principles to keep in mind:
1. Protect the user’s account identity.
Magnetic-stripe cards don’t cut it from a security perspective. It’s too easy to hack into point-of-sale systems: they’re physically exposed, inconvenient to upgrade, and usually Internet-connected. To protect your customers (and your reputation), it’s time to move to chip cards. And here’s the good news: mobile phones can act like a chip card—Apple Pay is an example—so convenience isn’t lost.
Other payment methods, like PayPal or Alibaba’s Alipay, don’t use magnetic stripes, but their static passwords can still be problematic for overall security. Kudos to Apple Pay for requiring a fingerprint swipe for payment authorization.
JW Secure has vast experience in the chip-card space (for example, SmartUtil) and can help provide improved security for these methods of payment.
2. Determine the user’s true intent.
The larger the electronic transaction, the more important it is to ensure the computer has not been compromised and is acting on behalf of the real user. Hackers have several types of insidious tools in their arsenal for achieving long-term dominance over high-value targets: rootkits, “pass the hash” attacks, and other advanced persistent threats.
While mass credit card thefts in the domain of business-to-consumer (B2C) commerce have recently been well publicized, cyber attacks on business-to-business (B2B) commerce tend to be underreported. Since government and payment-card industry loss limits don’t apply to B2B accounts, it’s particularly important that the account holder lock down the client-computing environment to help limit theft.
Enforcing client-device integrity, and thereby safeguarding user intent, is critical for reducing fraud loss. By enforcing device security and compliance from the hardware up through the browser, we can prevent the computer from pulling a HAL and initiating transactions not authorized by the user. For more information about the current state of the art, see the JW Secure StrongNet™ solution.
3. Detect fraud.
Detecting fraud is as much about protecting the business from malicious insiders as it is about protection from external fraudsters.
While you can’t stop all rogue employees, you can take steps to increase your chances of catching data breaches quickly. Begin by modeling the electronic audit event activity expected from a given datacenter environment under normal conditions. The model includes what objects—computers, users, and security groups—are expected to show up. In other words, the “normal” activity model consists of the inventory of the secure environment. (How do you know when you’re secure if you don’t know what you’re securing?)
After that, the next step in improving the model is to measure when certain activities are expected, with what frequency, and in which combinations.
Any deviation from the model of normal activity must be flagged for immediate follow-up. For each incident, you have three possible outcomes:
A. It’s real. You found a rogue actor and need to chase it off the network.
B. False positive. You need to update the model.
C. Neither of the above. It’s exceptional, but authorized.
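The modeling steps above can be sketched in a few lines. This is an added example, not JW Secure's or StrongInsight's code; the event fields, host names, users and groups are constructed, and the model covers inventory, combinations and time of day only. The `learn` function is what you would call for outcome B to fold a benign event back into the model.

```python
# Constructed audit events: (hour, user, computer, security_group, action)
BASELINE = [
    (9,  "alice",      "pay-db01",  "DBAdmins",  "logon"),
    (10, "alice",      "pay-db01",  "DBAdmins",  "query"),
    (14, "alice",      "pay-db01",  "DBAdmins",  "query"),
    (2,  "svc-backup", "pay-db01",  "BackupOps", "read"),
    (2,  "svc-backup", "pay-fs01",  "BackupOps", "read"),
    (11, "bob",        "pay-web01", "WebOps",    "logon"),
]

def learn(model, event):
    """Add one event's objects, combination and hour to the model."""
    hour, user, computer, group, action = event
    model["users"].add(user)
    model["computers"].add(computer)
    model["groups"].add(group)
    model["combos"].add((user, computer, action))
    model["hours"].setdefault(user, set()).add(hour)

def build_model(events):
    """Inventory of the environment plus when and how objects combine."""
    model = {"users": set(), "computers": set(), "groups": set(),
             "combos": set(), "hours": {}}
    for event in events:
        learn(model, event)
    return model

def deviations(model, event, hour_slack=1):
    """Return why an event falls outside the model; empty list means normal."""
    hour, user, computer, group, action = event
    reasons = []
    if user not in model["users"]:
        reasons.append("unknown user")
    if computer not in model["computers"]:
        reasons.append("unknown computer")
    if group not in model["groups"]:
        reasons.append("unknown group")
    if reasons:          # object is not in the inventory at all
        return reasons
    if (user, computer, action) not in model["combos"]:
        reasons.append("new combination")
    # Circular distance so 23:00 and 01:00 are two hours apart, not 22.
    gaps = [min(abs(hour - h), 24 - abs(hour - h)) for h in model["hours"][user]]
    if min(gaps) > hour_slack:
        reasons.append("unusual hour")
    return reasons

MODEL = build_model(BASELINE)
```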
JW Secure can help with the auditing, modeling, and breach-detection processes: please see our StrongInsight solution.
Protecting your business is your choice.
Recent high-profile data breaches have demonstrated the vulnerability of large credit-card merchant accounts in the face of sophisticated electronic adversaries. In each case, however, it was also shown that mature commercial security technologies already existed that could have detected and/or mitigated the attack. An enterprise must choose to deploy and maintain such defenses. To stakeholders, the trade-off is obvious: it’s cheaper to pay for network defense than it is to fix a tarnished reputation.
For more information about protecting your critical data from determined adversaries, please reach us at firstname.lastname@example.org.