Crime Wave: IT Security Attacks on the Rise
That figure is startling, Stiennon admitted, but it only reflects what has been happening over the last two years.

“A great case in point is the attack at TJX, which occurred more than a year ago and resulted in losses to the tune of $8 million,” he said. “Crunch the numbers and you see that the attackers had to execute against some 23,000 credit cards to do that.”

The TJX Company, which operates over 2,000 retail stores in the U.S. and other countries, reported in January that it had suffered a massive security breach in the part of its network that handles credit and debit card transactions.

When the Secret Service eventually collared the crooks responsible for the scam, they found they’d billed TJX mostly by using counterfeit credit cards based on stolen data to purchase $400 gift cards that they would then use to buy merchandise.

Mafia 2.0

Industry, and particularly the retail industry, has to change its attitude about security, Stiennon said, because the new reality of hacking based on a traditional organized crime model is upon them.

“Recreational hacking is now just one percent of the problem,” he said. “The other 99 percent is due to this criminal element, and they are in it for the money and they don’t give up. Whereas someone who hacks for fun and the challenge might (give up) when things get tough, these criminals just keep going.”

If they can’t get in through the network from the outside, they’ll get in through physical access points such as doors and then get into the network closet, Stiennon said. If they have to, they’ll even dumpster-dive for the information they need.

“It’s going to take a completely different kind of mindset” to counter this threat, he said.

If there is any good news, Stiennon feels it’s in the fact that companies have had this experience before when dealing with pilfering by sales assistants and tellers. To stop that, they kept detailed paper trails of where the money went and installed cameras to keep an eye on tellers.

Prescriptive Paranoia

To meet this new threat from cyber criminals, “we need to see that same level of paranoia for such things as credit card and identification data,” he said.

The “entrepreneurial criminal” could also have a field day in the burgeoning area of Web 2.0 applications such as YouTube and MySpace, Stiennon said. The simplicity of access that’s needed to deploy applications such as those is also an easy way for cyber criminals to get into systems.

He thinks YouTube and others will be forced into tightening their controls this year because of those threats, though it could be a delicate balancing act because the social networking premise that’s led to the stupendous success of such sites could be threatened.

At least at first, the threat might be handled by putting general security controls in place, because the saving grace is that these areas of the Web are not involved in handling much money.

“They’re not dealing yet with large dollar transactions,” Stiennon said. “If they were, they would already be at war with the hackers.”

Denial of Service on Steroids

The threat from cyber criminals is also forcing a change on the vendor side of the security industry, he said, though it’s happening only slowly. Most companies grew up producing solutions to counter specific threats and have mostly lost sight of the need to mesh security with a company’s operational needs.

But change they must. Stiennon sees the current period as being as fundamental for the industry as the one that the Nimda worm, which hobbled the Internet around the globe with dramatic denial-of-service attacks, forced on it in 2001.

“That was when companies such as Symantec switched from being just anti-virus companies to having everything on the shelf that customers could possibly use,” he said. “There were a lot of changes in the security industry from that one worm.”

You now see big computer companies starting to buy up security companies so they have security embedded in their products from the start, he said, and there will be other reshuffling of business models.

“I think we are entering a period (for security) that’s the equivalent to the large crime waves of the 1970s and 1980s,” Stiennon said. “We needed major cultural and attitude changes then, and I think the same is needed for cybersecurity now.”