Thursday, June 18, 2009

FBI Cyber Director warns industry of fraud risk

Shawn Henry, Assistant Director, Cyber Division, FBI, spoke recently at the MasterCard Global Risk Management Conference. Among the things I found either interesting or scary were:

  • Businesses don’t understand the cyber threat today. They can't feel it, touch it or imagine it, so it is hard to worry about it and prepare for it.
  • Criminals are breaching systems every day and waiting for the opportune time to steal the information. Their breaches leave little trace until a compromise occurs. They cover their tracks and wait to harvest cardholder information. Their presence is not removed after scanning, reloading computers, password changes, network reconfiguration, etc.
  • Some malware waits for specific vulnerabilities to appear before acting, for instance, when a patch is found that has not been applied. They go back to a breached system to see if the patch has been applied, and if not, they exploit the vulnerability.
  • There are three types of groups that are attacking systems today:
      1. Individuals and Hacker Groups
      2. Terrorist Organizations and Sympathizers
      3. Advanced and Developing Cyber States

  • Overall, criminal attacks are escalating:
      1st – Steal data for themselves and convert to cash
      2nd – Steal data and sell it to others for exploitation
      3rd – Hijack your systems for extortion (T-Mobile?)

  • You need to rethink everything, all your assumptions about data security.
    How do you know your downloads are safe? How do you know they have not already been infected? How do you know the Hallmark card an employee downloaded simply contained malicious software and not malware designed to steal cardholder data? Look for criminal entry and data exodus everywhere, not just where you might expect them.
  • Adversaries with the interest, ability and intent to get your information can and will breach your system.
