Such Star Trekian references should be taken at least semiseriously, in light of a number of studies, analyses, and vendor offerings released recently regarding business, and banking, preparedness-or lack thereof-to fraud, intrusion, and disruption.
Just a couple of headlines to drive home the point that it's a war out there:
• "RSA launches RSA NextGen Security Operations Services to help customers build battle-ready cyber defenses."
• "Experian Data Breach Resolution and the Ponemon Institute release new study-"Printers, routers, and other internet devices being hijacked to participate in DrDoS cyber attacks." [DrDoS is not a misprint, as explained below.]
What is really scary is that the bad guys use not only the highest of high technology, but also the lowest of low technology, and are pretty successful at both.
Think shoulder surfing is a thing of the past? Forget it. ThreatMetrix says the proliferation of public wi-fi spots, and their use for business, opens up a ripe field for data thieves.
"Cybercriminals can subtly use a high-resolution video camera on a mobile device to capture a nearby user's activity. For example, a consumer may enter his or her credit card information or gmail login into a device while waiting in line, without knowing the cybercriminal is capturing a video of the credentials," the company says.
Other dangers lurking around unprotected wi-fi spots include:
• Network scanners can detect open ports on a device that's connected to a network, providing the fraudster the potential to take complete control of the device.
• Off-the-shelf products can intercept a user's internet connection, granting the hacker full access to the network connection.
• Through social hacking-such as leaving a seemingly innocuous thumb drive on a table-the hacker can take advantage of a consumer's curiosity so that when the drive is inserted, malware can then capture sensitive information.
That's just the simple stuff.
By now, everyone must have heard about distributed denial of service, or DDoS, attacks. The bad guys have taken the next step into what is called distributed reflection and amplification denial of service attacks, known as DrDoS. Prolexic describes these as targeting internet protocol-based devices such as printers, cameras, routers, hubs, sensors, and other network devices, rather than the computers themselves. The object is to take advantage of inherent vulnerabilities in standard network protocols, co-opt the devices, and transform them into malicious bots.
"Unfortunately, the protocols were written with functionality, not security, in mind. The internet used to be a safer place than it is now," says Stuart Scholly, president, Prolexic.
One would think that, faced with such adversaries, corporations would be on high alert-and that makes a study by Experian that much more troubling. Its survey included several hundred companies in the retail, health and pharmaceuticals, and financial services industries, so its relevancy to banking might not be in a straight line.
• 76% of all the privacy professionals say their organization already had or expects to have a material data breach that results in the loss of customers and business partners.
• 65% lack mechanisms to verify that contact with each victim was completed, and only 38% have mechanisms for working with victims with special circumstances.
"The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response," says Larry Ponemon, chairman and founder of the Ponemon Institute.
To be fair, one must note that banks are required to comply with numerous data security regulations, and are exhaustively examined for such compliance. Multilayered defenses are the name of the game now. It is also fair to say that banks must continually play a catch-up role in the cybercrime onslaught, while their adversaries are free to come up with new lines of attack.
So there has arisen a cottage industry-or to continue the battlefield metaphor-a defense-industrial complex, aimed at giving those on the front lines new and ever-better weapons. Just in the last few weeks have come these announcements:
• RSA NextGen Security Operations Center-A suite of services that provide: aggregation and analysis of threat intelligence data; correlation of content intelligence data throughout the organization; deployment of solutions that provide advanced analytic intelligence capabilities; and development of security operations processes and procedures and the automation of related workflows.
• GateKeeper 2.0 from MasterCard-Aimed at online merchants and acquiring banks, it offers end-to-end fraud monitoring, detection, and prevention.
• FraudMAP Wire from Guardian Analytics-It addresses the escalating problem of fraudulent wires initiated across all banking channels, using behavioral analytics to identify suspicious wires and automatically stop the high-risk ones from leaving the bank.
• Ingenico iWB Bio Series-Mobile key devices capable of performing transaction authentication by combining chip, PIN, GPS, and fingerprint factors.
• Situator Express from NICE-An add-on to the NiceVision IP video surveillance system, it monitors, manages, and correlates data from deployed video, access control, intrusion, and fire detection systems.
When will the war end? Who knows? The more pertinent question for battlefield generals, or those in the C-suites, is how does the bank pay for the escalation of defensive tools?
Gartner asked that earlier this year and it seems that the answer will come from air support-the cloud. [Sorry. Enough with the metaphor.]
By 2015, 10% of overall IT security enterprise product capabilities will be delivered in the cloud, according to Gartner. The services are also driving changes in the market landscape, particularly around a number of key security technology areas, such as secure email and secure web gateways, remote vulnerability assessment, and identity and access management. The cloud-based security services market likely will reach $4.2 billion by 2016.
"Demand remains high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs, or comply with security regulations quickly," says Eric Ahlm, research director at Gartner. "This shift in buying behavior from the more traditional on-premises equipment toward cloud-based delivery models offers good opportunities for technology and service providers with cloud delivery capabilities, but those without such capabilities need to act quickly to adapt to this competitive threat."
Of course, the enemy can also read this report. It's not too great a leap to say that the cloud might become the next battleground.
Sources used for this article include: