Could the NIST Cybersecurity Framework be a better answer to rising payment card fraud than chip-and-PIN?

2014 may well be remembered as the year of high profile data breaches. There have been a lot of large-scale attacks. Target, eBay, PF Changs, The Home Depot, and JP Morgan have been hit. How much is bank fraud costing consumers? And for that matter, how many big names ‘pwned’ (hacker slang) would it take to affect confidence?

I am reliably informed that the magnetic strips from the payment cards stolen in the Home Depot breach laid end to end would stretch 3,000 miles. You can test this finding for yourself. There were 56 million cards stolen.

Should the markets be worried about failing consumer confidence in the payment card system hurting prices? To read coverage concerning the Home Depot breach, you could be forgiven for relaxing to the tunes in malls and warehouse stores. There is an air of ‘just another major card breach involving millions of payment cards… no need for alarm!’ As reported by CNN Money, Home Depot is not getting nailed by Wall Street in the way that Target was. It seems that the system has adjusted to threat not by combating it, but by writing off the losses and playing down the scandal.

When Home Depot gave an update last week about the security breach, it said that sales for the third quarter are “on plan” and that costs related to the breach have been minimal so far. The company’s next earnings report is not expected until mid-November, so the markets are unlikely to receive any further word on sales trends or earnings until sometime towards the end of October at the earliest. Plenty of time for new encryption technology to secure all the data, and for rivals to Target and The Home Depot to put their own damage limitation strategies in place for when it happens to them.

Will Home Depot go bust? No. Unlike Target – which was number two after Wal-Mart – they dominate the home improvement market with around 27.2% share. A combination of strong brand recognition and customer loyalty should see Home Base weather the data breach storm – but at what additional cost?

Read: Home Depot: Could The Impact Of The Data Breach Be Significant?

How is the siphoned-off bank card data turned into real money?

Let me teach you a little about the world of card crime. ‘Dumps’ is the term used on the streets for stolen credit card data that buyers can use to clone (counterfeit) new cards. The carder can then safely go shopping in megastores for high-dollar merchandise that can be resold quickly for cash.

‘Carder’, by the way, is the term used for an individual who uses stolen online credit cards for fraudulent transactions – either online or in-store.

Urban Dictionary has an example of the use of the street use of the term:

“hey man! you got alot of gadgets. are you a carder?”

Only in the world of instant web search could we enter terms like ‘carder’ and ‘dumps’ and see page upon page of ‘dumps shops’ selling batches of cards that have been stolen from a particular compromised merchant or a mix of merchants. A recent innovation by some of the dumps shops has been the search facility that enables carders to select cards by the city, state and ZIP. To quote journalist and investigative reporter, Brian Krebs:

“Experienced carders (as buyers are called) know that banks will often flag transactions as suspicious if they take place outside of the legitimate cardholder’s regular geographic purchasing patterns, and so carders tend to favor cards stolen from consumers who live nearby.”

[Source: Peek Inside a Professional Carding Shop, KrebsOnSecurity, June 14.]

Learn more about carding by viewing one of several YouTube clips

There are even YouTube clips marketing the services of dumps shops for those who need a little more explanation about how to commit card fraud.

…Sell Dumps 201/101, CVV, CCs – EU & USA Dumps/ + Pin verified carder.su

•by [Name Withheld]

•4 years ago

•21,829 views

…I and my team are back to work..with weekly fresh EU & USA dumps and CCs, 201 + 101 Mastercard and Visa allways in stock..

This phenomenon should raise serious political questions in every state:

Has US Law Enforcement lost control to organized cyber crime?

Are the authorities powerless because of the scale of the carders’ activities?

Is there nothing that all the federal and state resources of the greatest nation on Earth can do to block the services of the hackers’ dumps shops?

As class actions queue up in the halls of state courts, there is a fear at the back of law-abiding citizens’ minds: how has it been possible for criminal gangs to have defeated the governance systems of corporate America?

If big-box stores are easy prey, are any retailers safe from cyber attack?

And how long will it be before significant numbers fear to use their cards?

If cybersecurity spend was the issue, there would be no problem

About 60 percent of large companies across the US, Canada, Great Britain, and Australia have increased their spending on cybersecurity since last year’s Target breach, Reuters reports. Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier, according to Allied Business Intelligence Inc. [Source: The Wall Street Journal: Companies Wrestle With the Cost of Cybersecurity.] Okay, selling hammers at Home Depot doesn’t represent critical infrastructure, but cybersecurity spend is still running high across all industry sectors. BAE Systems Applied Intelligence found that US firms in industries such as banking, technology, law, and mining are now spending up to 15 percent of their entire IT budgets on security. [Source: Reuters, Recent hacks spur new company cyber spending: survey.]

If the cyber crime-wave was really about hardware or software investment, including chip-and-PIN terminals and smart(er) payment cards, you would think with all the money being spent at the moment that major incidents like Home Depot’s breach would be rare. But the fact is, the media is filled with similar horror stories pretty much daily – we can say this with confidence as we keep a fascinating List of Cyber Attacks and Data Breaches, updated every month. Data breach stories affect businesses in parts of the world that adopted chip-and-PIN a long time ago. The thefts due to POS terminals are down where chip-and-PIN has been adopted, but the card crime is still happening elsewhere in the system. The attack vectors are different, but the underlying threat to legitimate business is the same.

Half of US companies said a cyber attack would cost $15 million

Nearly half of the US companies in the survey said a cyber attack would cost them around $15 million, while 29 percent estimated the cost at more than $75 million. But who really pays the bill for breaches of this magnitude when it comes time to pay the shareholders and award executive bonuses?

In an environment where cyber threat information is not readily available, organizations struggle with understanding how much security is enough security, leading to organizations implementing unnecessary cybersecurity protections. Through the use of the NIST framework, standards for care can be established for each critical infrastructure sector. Organizations can leverage these standards to determine the appropriate level of security protections required, ensuring efficient utilization of security budgets.

In February 2014, through a series of workshops held throughout the country and with industry input, NIST released the “Framework for Improving Critical Infrastructure Cybersecurity” (“the Framework”), following an executive order issued by President Obama – see below:

Executive Order — Improving Critical Infrastructure Cybersecurity

For the first time in US industry with a risk-based approach for developing and improving cybersecurity programs. It also provides a common language regarding cybersecurity issues to allow for important discussions to take place between an organization’s ‘IT’ people, and an organization’s ‘business’ people, some of whom may cringe when hearing complicated terms like ‘APT’ (Advanced Persistent Threat). Its common sense, ‘English language’ approach allows an organization and its directors to both identify and improve upon its current cybersecurity procedures. Though the Framework was developed for the 16 critical infrastructure sectors, it is applicable to all companies—at least today—on a voluntary basis.

What is the NIST Cybersecurity Framework and who’s behind it?

Firstly, I recommend that you read the article “Understanding and Implementing the NIST Cybersecurity Framework” by Yaron Nili, co-editor, HLS Forum on Corporate Governance and Financial Regulation (Posted: Monday August 25, 2014). The Framework contains three primary components: the Core, Implementation Tiers, and Framework Profiles.

This is not the place to describe the whole Framework, but a quick view of its Core element will guide us as to its methodology and purpose.

The NIST Cybersecurity Framework – what is at its Core?

The Framework Core (‘Core’) is a set of cybersecurity activities and applicable references established through five concurrent and continuous functions—Identify, Protect, Detect, Respond, and Recover—that provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk. Each of the Core functions is further divided into categories tied to programmatic needs and particular activities. The outcomes of activities point to informative references, which are specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.

The Core principles can be thought of as the Framework’s fundamental ‘cornerstone’ for how an organization should be viewing its cybersecurity practices: (1) identifying its most critical intellectual property and assets; (2) developing and implementing procedures to protect them; (3) having resources in place to timely identify a cybersecurity breach; and (4) having procedures in place to both respond to and (5) recover from a breach, if and when one occurs.

A properly thought through structure for the Framework in a simplified manner could take advantage of already existing standards like NIST SP800-53, ISO 27001, PCI DSS CCS CSC, NERC CIP, ISA 99, and COBIT, among others. In fact, it could set a global standard in fraud prevention.

When it comes to protecting our critical infrastructure, the White House backs the concept of the Cybersecurity Framework. This standards-based approach would give us a timely way to identify data breaches, and ensure that all legitimate organizations worldwide – including major retailers – have procedures in place to both respond to and recover from cyber attacks.

Surely, this is what has been missing from our counter-measures: a robust management system that’s based on tried and trusted methodologies.

We all need standards – especially when it comes to combating the carders!

# # #

What can an ISO27001 ISMS do for your security and credibility?

An ISO27001-compliant information security management system (ISMS) will confirm to both management and clients that your organization is proactively managing its security responsibilities. 22,293 certificates have already been awarded globally to an exclusive group of growing companies and early adopters, including leading US corporations and high-growth smaller enterprises in a variety of sectors. In fact, the number of ISO27001 certificates issued in the US jumped by 36% in 2013 compared to 2012.

They are able to leverage their ISO 27001 certification internationally as a market differentiator satisfying the information security requirements of corporations and government, as well as providing assurance to the public. An ISO 27001 certification is widely accepted globally as proof of a reliable, defensible, standards-based information security management posture.

ISO 27001 certification is a dynamic process, requiring at least annual audits and periodic renewal of the certificate. To your clients and prospects, ISO27001 certification is independent proof of ISMS adequacy and the ongoing benefit of continuous process improvement. Your ISMS enables you to clearly see which security processes are working and which need improvement. You are in no doubt about where to invest time and money.

The risk-based decision-making inherent in an ISO 27001 ISMS means the system shares a common basis with many of the new legal requirements in the US and around the globe. Changes to the ISMS can be made in an orderly, incremental fashion, resulting in substantial time and cost savings.

With ISO27001, the information security function becomes more integrated with the organization as a whole, so there is less chance of ignoring cybersecurity risks that could cost your enterprise its reputation for excellence.

We can help you to implement effective cybersecurity procedures and controls using ISO27001. Spend a minute on our ISO27001 solutions page:

www.itgovernanceusa.com/iso27001-solutions

Put your detailed questions to our consultants and learn from the experts:

Call us on 1-877-317-3454 today.

* * * *

Did you enjoy reading this article? Why not share it with your colleagues?