Common Pitfalls of Data Security: Q&A with Brian Poole
We recently interviewed Brian Poole, Security Architect at Kount, regarding common pitfalls of data security. Before joining Kount, Brian worked in a wide range of IT roles including five years as a Penetration Tester in the security arena. In the role of a penetration tester, or “white hat hacker”, he attacked systems at online businesses, large retailers and Fortune 500 companies, seeking out vulnerabilities in their IT and data systems. In addition to providing valuable insights about data security during our conversation, Brian also offered advice on simple steps that eCommerce merchants can take to help improve security.
Q: What are the top vulnerabilities that everyone knows about?
A: Everyone has heard about large-scale breaches, like those at Target, Home Depot, and Kmart. These are typically network-based attacks in which the hackers get access to the company’s network, connect to point-of-sale devices, and then use some type of memory scraper malware to collect credit card and user account information. Other common attack vectors come through trusted third-party service providers — either IT or non-IT providers — where an attacker is able to compromise the provider and use it to attack another company’s secure IT infrastructure. Some of the more mundane vulnerabilities include poorly configured services or OS/application security patches that have not been updated.
Q: What are the top vulnerabilities that no one knows about?
A: The biggest trend that I’ve been seeing involves businesses moving their business to the cloud and not having the expertise to make the move in a secure manner. Oftentimes, the move happens before the internal IT staff have time to plan or get trained on the new security requirements of a cloud environment. For example, they may mistakenly think that just because cloud data is not public, it’s protected. But that’s not always the case. For example, Amazon Web Services creates snapshots of data that an unsophisticated cloud user may think is secure, but if an attacker knows how to get into those “buckets” of data, it’s a huge vulnerability.
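The kind of exposure check this answer points at, as an added example that is not from the interview or from Kount: it takes the response shapes boto3 returns for EBS snapshot permissions (ec2.describe_snapshot_attribute with Attribute="createVolumePermission") and S3 bucket ACLs (s3.get_bucket_acl) and flags anything shared beyond the owning account. The snapshot IDs, bucket names and responses below are constructed so it runs offline.

```python
"""Added example (not from the interview): flag EBS snapshots and S3 buckets
shared with everyone. The checks take the dict shapes boto3 returns from
ec2.describe_snapshot_attribute(Attribute="createVolumePermission") and
s3.get_bucket_acl(); the responses below are constructed so this runs offline."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def snapshot_is_public(attr_response):
    """True when createVolumePermission includes the 'all' group: any account can copy it."""
    return any(p.get("Group") == "all" for p in attr_response.get("CreateVolumePermissions", []))


def bucket_public_grants(acl_response):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl_response.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


# Constructed sample responses: same shape as boto3 output, not real resources.
SAMPLE_SNAPSHOTS = {
    "snap-0aaa": {"CreateVolumePermissions": [{"Group": "all"}]},            # world-copyable
    "snap-0bbb": {"CreateVolumePermissions": [{"UserId": "111122223333"}]},  # one account
    "snap-0ccc": {"CreateVolumePermissions": []},                            # private
}
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKET_ACLS = {
    "backups-prod": {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                        "Permission": "READ"}]},
    "backups-dev": {"Grants": [OWNER]},
}


def audit(snapshots=SAMPLE_SNAPSHOTS, bucket_acls=SAMPLE_BUCKET_ACLS):
    """Return one finding string per resource exposed beyond the owning account."""
    findings = []
    for snap_id, resp in snapshots.items():
        if snapshot_is_public(resp):
            findings.append(f"EBS snapshot {snap_id} is copyable by every AWS account")
    for bucket, acl in bucket_acls.items():
        for group, perm in bucket_public_grants(acl):
            findings.append(f"S3 bucket {bucket} grants {perm} to {group}")
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
```

In a real account, feed the two functions the live responses for every snapshot you own and every bucket, and treat each finding as a misconfiguration to close, not just to log.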
Q: What are the top targets in data breaches?
A: Retailers and banks tend to be top targets because they have the credit card information, account information, and financial information that hackers are trying to get their hands on. Also, I can say with 100% certainty that if you have a website or an eCommerce site, fraudsters are probing it as you read this. It’s just a fact of life today. Finally, it’s important to remember that about 30% of successful exploits originate from within an organization.
Q: What is the most unusual or aggressive attack you’ve ever seen?
A: There was a case of a group of hackers in China who were targeting lawyers and reading their emails about mergers and acquisitions. They then were using this information to engage in insider trading. That’s pretty unusual.
As for aggressive attacks, Distributed Denial of Service (DDoS) attacks are particularly crippling to online retailers. The Mirai botnet is estimated to have 100k-150k hosts that can generate 1 terabit of traffic per second, which is enough to shut down almost anyone’s network.
Hackers can monetize DDoS attacks in a number of ways. For example, the operators of botnets will “rent” them out to companies who want to stage an attack against a competitor. Think of the damage that can be inflicted on a major retail site that is shut down for a few hours on Black Friday or Cyber Monday. DDoS attacks can also be used to manipulate stock prices. We’ve seen extended or repeated outages have a strong impact on stock prices. Hackers can short a stock and then take down the company’s eCommerce site or website and profit when the stock price falls.
In addition, anger can be a motivator for hackers. Brian Krebs, a well-known expert on cyber security, was the target of DDoS attacks because of who and what he was investigating. Finally, DDoS attacks can be used as a misdirection tactic. While your IT team is absorbed in fighting off a DDoS attack, hackers are sneaking into another part of your network to plant malware or steal data.
Q: Where are the biggest vulnerabilities?
A: As I said earlier, every company and every website is constantly being scanned by hackers for vulnerabilities. But my experience has been that smaller companies are most at risk. Their security is typically not as sophisticated as the systems of larger companies. For a hacker, attacking a target is a serious project and involves risk. By targeting small firms, there is less chance of being caught or prosecuted. Further, techniques like spear phishing — where fraudsters impersonate key personnel and target select individuals — often are more effective within smaller organizations. If a bookkeeper at a 20-person company gets an email that appears to be from the president saying: “wire $10,000 to XZY account,” he or she is likely to comply.
Q: What was the lamest attack you’ve ever seen?
A: I don’t know about lamest attack, but the lamest vulnerability is people not changing their default login credentials. In other words, they’ll have a user login of “admin” and a password of “password.” This seems to happen most with hardware and systems that are not of primary focus. For example, companies may keep default login credentials on laser printers in order to simplify access for everyone in the office. But because these devices are connected to the network, that weak security provides an easy point of entry for hackers.
Q: What is the most important thing merchants can do to protect their data?
A: Understand what’s most important to your company and make security for that a priority. Don’t be myopic. A customer’s credit card account may not be the most important thing hackers are after. For example, with the Ashley Madison breach, the biggest problem was customers’ identities being publicized. For a pharmaceutical site, it might be users’ prescription histories being revealed. So I would recommend thinking strategically about risk management and come up with a plan that prioritizes protecting against “the worst thing that could possibly happen.”
Q: What is the most common mistake that merchants make to expose their data?
A: Forgetting the basics. I can’t stress enough: don’t use default credentials. Don’t share credentials between systems. Update security patches. Configure services correctly. The other thing that I would emphasize is to look at those systems that are secondary but tied to your primary eCommerce systems. For instance, data backup or accounting or CRM. While security for your primary system may be in good shape, hackers know to “look around the edges” to find the easiest vulnerabilities.
Q: What is the worst business impact you’ve seen from compromised data security?
A: There are a number of really bad things that can happen. For example, it’s not unheard of for small companies to go out of business because of data breaches and security compromises. Also, for companies that are operating Software as a Service (SaaS) solutions, a data breach puts them at a high risk of losing their biggest clients. And then there is the example of Yahoo. When they revealed that 1 billion user records had been compromised, it led to a $350 million drop in the acquisition offer they received from Verizon. That’s a lot of money.
Q: What is the biggest regulatory impact you see in the data security arena?
A: In the US, regulators have been consistently using HIPAA, which provides protection to healthcare information, to go after violations with significant monetary fines. And companies doing cross-border business should be aware of the European Union’s GDPR privacy data standard, which has been enacted and is scheduled to be enforced starting in 2018. Organizations in breach of GDPR can be fined up to 4% of annual global sales or €20 Million.
Q: What’s the most time-consuming part of securing data?
A: Starting from scratch. Trying to figure out levels of access and who and what should have the least privileges/least access — without breaking things. That takes time. Also, companies tend to add applications and systems as they grow. Discovering and identifying all those unknown resources on your network that could be potential vulnerabilities takes a lot of effort.
Q: How many attacks do you see a day?
A: There are literally thousands and thousands of “generic” scans of websites and eCommerce sites every day. The good news is that these are typically not successful. What you have to guard against is the hacker with a plan. If you have something of substantial value, and a committed hacker decides they want to steal or compromise it, that’s when you’re in the greatest danger.
Q: What is the most likely source of a data breach?
A: Most attacks are still perpetrated by outside attackers. A large percentage of these attacks are directly exploiting vulnerable external networks or applications. However, it is also very common for attackers to target employees using malware or by guessing poor passwords to gain a foothold into the internal network. External attackers have a good chance of successful breaches with sufficient time and dedication, but those with inside access are almost guaranteed to find exploitable vulnerabilities. There is a saying that you are never finished with security. It’s an ongoing effort to keep systems secure while also effectively auditing and monitoring so that you know when incidents do occur.
More than 5 billion records were compromised in data breaches during the first 7 months of 2017. These breaches provide the weaponized data that fuels card-not-present fraud, identity theft, account takeover and a myriad of other problems for eCommerce merchants and their customers. By taking positive steps to secure and protect their data, businesses can help stem this tide of breaches and make online and eCommerce activity safer for all of us.
Discover more about the state of fraud and mobile payments in the "Mobile Payments & Fraud Report: 2017".