The recent indictment of Albert Gonzalez, as reported in this morning’s Wall Street Journal cover story, illustrates the sophistication and organization of the “underground economy” of cybercrime. Major breaches like those allegedly masterminded by Gonzalez – including Heartland Payment Systems, Hannaford Bros. supermarkets, 7-Eleven and TJX – call into question the safety and soundness of the payment systems these organizations use to conduct daily business.
Connected through IRC chat rooms and Skype channels, cybercrime syndicates like Gonzalez’s crew can now operate in a cell-like fashion, distributed around the globe. As such, over the past 15 years or so, the commoditization of stolen financial data has built to a tipping point where corporations and government entities are being outgunned by attackers like Gonzalez and his co-conspirators. The resulting sharp increase in wire transfer fraud and other attacks on payment systems further underscores the need for a proactive and layered approach to cybersecurity.
For instance, SQL injection was allegedly Gonzalez’s modus operandi for penetrating the perimeter defenses of Heartland: untrusted input reaching a database query unescaped and unparameterized. This vulnerability should have been internally identified, understood and mitigated by Heartland before exploitation could ever have occurred. Frequent risk assessments including penetration testing, or “ethical hacking,” could have helped the company discern its vulnerabilities by proactively viewing its systems as an attacker would.
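To make the point concrete, here is an added example (my own illustration, not code from Heartland or from the indictment) of the vulnerable query pattern that SQL injection exploits, the parameterized form that closes it, and the kind of boolean-based probe a penetration tester would use to tell the two apart. The table name `merchants`, the column names and the rows are constructed for the demonstration; the database is an in-memory SQLite instance so the script runs offline.

```python
import sqlite3

# Constructed sample data (hypothetical; not from the page).
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (username TEXT, pan TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's input is spliced into the SQL text, so a
    quote character lets the attacker rewrite the WHERE clause."""
    sql = "SELECT username, pan FROM merchants WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the input is bound as a parameter. The driver sends it as
    data, so quotes and keywords in it are never parsed as SQL."""
    sql = "SELECT username, pan FROM merchants WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: turns the predicate into  '' OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def is_injectable(conn, lookup):
    """Boolean-based probe of the kind a pentester runs against an input:
    inject a tautology and a contradiction for a non-existent user. If the
    input is bound safely both return the same (empty) result; if it is
    concatenated into the query the row counts differ."""
    tautology = "nobody' OR '1'='1"
    contradiction = "nobody' AND '1'='2"
    return len(lookup(conn, tautology)) != len(lookup(conn, contradiction))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", lookup_vulnerable(db, PAYLOAD))   # every row leaks
    print("safe, payload:     ", lookup_safe(db, PAYLOAD))          # no rows
    print("vulnerable injectable?", is_injectable(db, lookup_vulnerable))
    print("safe injectable?      ", is_injectable(db, lookup_safe))
```

The probe deliberately uses a username that does not exist, so any rows returned for the tautology can only come from the injected predicate; comparing against a contradiction rather than an empty baseline also catches inputs where the application silently falls back to "all rows" on an empty result.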
As long as companies take a reactive approach to cybersecurity, they will continue to fall prey to attacks from Gonzalez’s peers in the underground economy. So, if you’re responsible for securing financial transactions, please repeat after me: “offense must inform defense” – and let that be your mantra for the day.
- Tom Kellermann, Vice President of Security Awareness