Top Layer Networks' Ken Pappas: When PCI Compliance Isn't Enough
As recent high-profile events have shown, just because a company is PCI compliant doesn't mean it can't get hacked, allowing its customers' personal data to spill all over the Internet. Top Layer Networks Security Strategist Ken Pappas sees many companies with insufficient security practices, and he sees ways to make them better.
High-profile data breaches continue to spotlight the growing risks consumers face of identity theft and credit card fraud. Four highly visible data breaches disclosed in the last 18 months are particularly worrisome because they show a systemic failure in the procedures that both the public and regulatory agencies expect companies to get right.
One notorious incident involved retail giant TJX. In that case, hackers stole some 46 million credit and debit card numbers when they accessed the computer systems at two TJX corporate hubs over a period of several years. By some estimates, the intrusion was the biggest breach of personal data ever reported.
TJX officials reported that unauthorized software placed on its computer systems stole at least 100 files containing data on millions of accounts from systems that process and store transaction information in those two locations. TJX officials believe the hackers were able to steal payment card data from one system as transactions were being approved. The hackers may have had access to the company's data encryption tool.
Another incident involved the East Coast supermarket chain Hannaford Bros. Store officials revealed in March that they learned the previous month of an ongoing security breach. That break in security compromised 4.2 million credit and debit card numbers and led to about 1,800 cases of fraud. Hackers stole credit and debit card numbers but no other personal information during the card authorization process, according to Hannaford officials. The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.
The third major incident was disclosed at the French bank Société Générale in January of this year. Bank officials discovered on Jan. 18 that a former futures trader and an assistant covered up massive trading positions that led to a multi-billion dollar loss. An internal audit published in late May showed that the trader's activities had raised red flags at the derivatives exchange Eurex and also led to 75 internal alerts in the bank.
The fourth high-profile data breach occurred from April to September 2007 in the corporate network of restaurant/video arcade chain Dave & Buster's. Three suspected hackers were arrested for breaking into the network and remotely installing "packet sniffer" software on point-of-sale servers at 11 Dave & Buster's locations throughout the U.S. The group allegedly used this software to log credit and payment card data as it was sent from the branch locations to corporate headquarters. The hackers then reportedly sold the stolen data to other criminals, who used it to make online purchases.
With these incidents in mind, TechNewsWorld recently met with Ken Pappas, vice president of marketing and security strategist at computer security firm Top Layer Networks.
TNW: Why are so many data breaches occurring? The rising number suggests that existing security procedures are not working.
Ken Pappas: The increasing number of network break-in reports is the result of changing laws that now force companies to go public when breaches occur. The real question is how many of these media reports are the result of the increased disclosure rules versus actual increased breaches. We may be finding out that more breaches have been happening right along than we knew about.
TNW: What rule changes are causing the increased breach reporting?
Pappas: Mostly corporations follow the honor system. Regulatory agencies that create these breach reporting rules do not have large staffs of investigators to check on companies. The rules require corporations to report a breach that involves a loss beyond a particular threshold. If a company gets caught not complying, God help them with the penalties.
TNW: How prevalent are the data breaches?
Pappas: All big corporations have huge databases and customer lists. The potential is that a breach is coming to a store near you. Breaches are imminent. There are lots of big guys out there with lots of customers.
TNW: Do regulatory agencies mandate specific methods to help corporations better protect their networks from breaches?
Pappas: Companies must use some kind of security procedures. The problem is that some companies handle network activity without security experts. Instead, they use best effort strategies to help lower the risk of a breach. Clearly, these approaches are not providing adequate protection. Shame on any company that does not take security more seriously.
TNW: What are some of the fallacies such companies follow that lower their network security?
Pappas: Obsolescence is a big factor. The days of only [needing] a firewall to protect a network are gone forever. Hackers use disguised Trojans and payloads that slip right through a firewall. Corporations need to deploy newer security strategies such as intrusion prevention systems to look deep into the incoming Internet traffic.
TNW: Is one method better than another when deploying network security?
Pappas: Companies have to evolve their security strategies. They can't rely on just one security company's product. It is essential that corporations not be reliant on just one company. For instance, they need network host protection and network address translation, or NAT, protection. Usually corporations do not have protection for thumb drives.
TNW: Should corporations be concerned about conflicting technologies when they layer different security strategies?
Pappas: Having more than one type of protection is not a bad thing. Corporations don't have to worry about conflicting technologies. They need to apply good business sense and look at what various security companies offer. One approach will complement another one.
TNW: Is there any concern about a false sense of network security?
Pappas: Yes. Corporations need to be regularly audited by security experts. For instance, the Hannaford Bros. breach wasn't prevented just because the company was PCI compliant [Payment Card Industry Data Security Standard]. As was demonstrated, networks can still get hacked.
TNW: What have you seen on the corporate level that leads to a false sense of security regarding network protection?
Pappas: There are several reasons why some corporations are more susceptible to hackers than others. One is corporate officers already believe they have protection. A second reason is that the corporation may be under budget constraints. The management team then decides to take network security money out of the budget for six months. A third reason is that knowledge within a company is lacking.
TNW: Do you see government stepping in with stronger mandates as corporations continue to suffer from network breaches?
Pappas: The government is already tightening the rules more. Government agencies are holding companies more accountable. One problem is that often credit card numbers are not encrypted at the point of swipe. I do see more government efforts to force security technology. One way government is doing this is with significant penalties when breaches occur.
TNW: Besides government, what other factors are driving corporations to greater security awareness?
Pappas: A loss of credibility and confidence by consumers will have a tremendous impact on corporations. Also, the law of easy money is a key driver. We are seeing very high bidding among criminals for stolen credit card numbers. Another driving factor is the hackers' activity. The more disruptive hackers become, the more reactive corporations will have to become to better protect themselves.
TNW: What role does the software market and Web 2.0 play in these breach threats?
Pappas: A lot of Internet products are not developed around security. The threat of a major financial loss for companies will compel them to do something proactive.
TNW: What about non-corporate computer users? Do you see any connection with a lack of consumer security and the continuing incidents of network breaches?
Pappas: We have 5 million PCs worldwide that are infected. About 11 percent of all PCs on the Internet have no security products at all. These are the first ones attacked. Children and moms and dads are at opposite ends of the security spectrum. They often have no knowledge about security. Nobody tells new computer users about security. A lot of elderly people with access to computers fall prey to trickery.
TNW: Is there anything significant about the Dave & Buster's breach that underlies what other companies face?
Pappas: It reflects the contributing factors. For instance, companies sometimes take existing IT staff and make them responsible for security -- more of a feel-good initiative. The problem is you really need an expert to make your network secure. Then there are company policies and training. Security policies are not refreshed as new technology is brought to market. Employers are doing a poor job educating their employees. This leads to employees falling to trickery and foolery. "We are certified!" I hear this frequently. Just being security certified does not mean you can't be hacked.