As cyberthreats grow in number and sophistication, so does the need for cybersecurity professionals to become more nimble and proactive in their defense against attacks.
By Andrew Munger
The Escalating Concern of Commercial Breaches
With alarming frequency, major retailers have experienced breaches of customers’ credit and debit card payment information in recent years. Here are some of the largest retail breaches to date:
Home Depot customers’ credit cards, debit cards and email addresses were taken in the spring and summer of 2014. Hackers stole 53 million email addresses and 56 million credit and debit cards. Home Depot was alerted to the breach on September 2, 2014, and subsequently offered free identity protection services — including credit monitoring — to any customer who used a payment card at a Home Depot store in 2014, and for any who do so through September 19, 2015.
Arts and crafts retailer Michaels experienced a data breach that affected customers who used credit or debit cards between May 8, 2013, and January 27, 2014. More than 2.6 million payment cards at stores nationwide were affected. An additional 400,000 cards used between June 26, 2013, and February 27, 2014, at subsidiary Aaron Brothers were affected.
Neiman Marcus customers experienced a data breach of 1.1 million credit and debit cards. Payment data was stolen off of cards used from July 16, 2013, to Oct. 30, 2013.
Staples reported that malware deployed to 115 of its more than 1,400 U.S. retail stores may have allowed access to transaction data on approximately 1.16 million customer payment cards. The malware may have allowed access to data for purchases made from August 10, 2014, through September 16, 2014. At two stores, a breach occurred from July 20, 2014, through September 16, 2014.
Approximately 40 million credit and debit card accounts used at Target between November 27 and December 15, 2013, may have been impacted in a data breach. Target also reported that the names, phone numbers, mailing addresses or e-mail addresses of an additional 70 million customers may have been stolen during the data breach. Some customers may have belonged to both groups.
Cyber intrusions and data breaches have become common national news headlines. Massive data breaches have plagued corporate giants such as Target, Home Depot, Sony Pictures and Anthem Insurance. Governments are under continual attack from activists and hostile nation-states. Even consumers are continuously targeted by malicious software (malware) such as CryptoLocker (which holds a user’s files for ransom) and Zeus (a banking trojan that aims to steal money from personal bank accounts). We are continually reminded by these headlines that no one is immune from the myriad of hackers who are eager to take advantage of our interconnected, technology-reliant world.
Despite the onslaught of frightening headlines, there is a clear path to winning in the cyber arena. Focusing on commonly ignored security basics, such as regular patching, user awareness training, password management and secure network configurations, will reduce the majority of cyberrisk by removing the “low-hanging fruit.” Remember that you are not the only target for a cyberthreat actor: if you increase the effort it takes to hack you, other targets become more attractive and the potential attacker will choose the easier one. Think of it in terms of a physical threat: If a burglar is casing a neighborhood, the house with the open windows and unlocked door is much more appealing to the burglar than the house with the locked windows, dead-bolted doors and motion-sensor lighting.
Hiring and empowering intelligent technical analysts and guiding your efforts with threat intelligence are also key to reducing cyberrisk. Cyberthreat intelligence is an information security discipline that is helping many organizations combat increasing cyberthreats through analysis of the cyberthreat landscape, system vulnerabilities and attack likelihood. Cyberthreat intelligence professionals use the traditional intelligence cycle of planning, collection, processing, analysis, production and dissemination to produce an intelligence product that supports specific requirements. An effective cyberthreat intelligence capability will both support intelligence-based decision-making at the strategic level and enable proactive cyberdefense at the operational level.
Current Cyberthreat Landscape
Most cyberthreat models classify threats into three major tiers, ranging from novice hackers who hack for notoriety, thrill or activism, to sophisticated cybercriminals motivated by money, to nation-state actors who intrude into their adversaries’ networks to gain political or economic advantage.