By Kevin Hamel
More shocking than Heartbleed and so many other headline-making exploits is the following nugget from Verizon's 2013 Data Breach Investigations Report: "Most point-of-sale breaches could have been prevented if basic steps had been taken to enhance security."
What are the basic steps that virtually every consumer and corporate computer user could take?
- Changing passwords from the factory defaults.
- Not logging into social media accounts from payment systems.
- Keeping the payment system on its own network, separate from corporate email and other functions.
None of these steps is difficult, and considering the enormous consequences of not taking them – billions stolen, trust eroded, product and service opportunities squandered – it is more important than ever to convince the general public to embrace the key tenets of cyber security.
Now is the time to reintroduce "defense in depth" – a concept that has minimized the potential damage of cybercrime for years. Bank regulators look for defense in depth – also known as "layered defense" – during examinations. Perhaps non-regulated industries, as well as the general public, should adopt defense in depth, too.
Here’s how defense in depth can protect consumers and organizations:
Most cybercrime incidents require a series of missed security opportunities in order to succeed: the attack has to get past every layer, so each step in the commission of a cybercrime is an opportunity to stop the criminals from succeeding.
Let’s look more closely at the major steps and the missed opportunities to thwart the attack:
- A phishing email arrives in a user's inbox. Opportunity missed: Filters to detect and quarantine questionable emails (forged senders, mismatched links) were not in place.
- The user clicks on a link in the phishing email. Opportunity missed: User education on recognizing and reporting suspicious emails, rather than opening them, didn't take hold.
- The exploit "phones home" to its controlling computer for further instructions. Opportunity missed: Egress filters (DNS or web proxy) that block communication with known criminal computers were not in place, even though they can stop most of it.
- The exploit installs malware. Opportunity missed: The user is logged in as "administrator," which opens the door for a criminal to install software. As a regular user, this is much more difficult to accomplish.
- The exploit takes control of the user's system. Opportunity missed: The system wasn't current with the latest software updates, which close the software "errors," also known as vulnerabilities, that criminals take advantage of.
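The chain above can be modeled directly. The following is an added example, not code from the original article or from COCC: it walks the five stages against one control per layer and returns the first stage at which a control stops the attack, so you can see that the compromise succeeds only when every layer has been "missed." The event fields, the blocklist entry and the patched version number are constructed for illustration, and the per-layer checks are deliberately simple stand-ins for a mail filter, an aware user, an egress filter, least privilege and patching.

```python
"""Added example (not from the original article): a small model of the
phishing kill chain, walked against layered controls.  All indicators,
addresses and version numbers below are constructed sample data."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample data (not real indicators): the blocklist an egress
# filter would consult, and the version in which a hypothetical client
# application fixed the vulnerability the exploit relies on.
KNOWN_C2_DOMAINS = {"update-check.example.net"}
PATCHED_VERSION = (11, 0, 3)

# The five stages, in the order the article lists them.
STAGES = ["email", "click", "callback", "install", "takeover"]


@dataclass
class Event:
    stage: str
    data: dict = field(default_factory=dict)


def _domain(addr_or_url: str) -> str:
    """Lower-cased host part of an email address or URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def mail_filter(ev: Event) -> bool:
    """Layer 1: quarantine mail whose Reply-To domain differs from From, or
    whose visible link text names a different host than the link target."""
    d = ev.data
    if d.get("reply_to") and _domain(d["reply_to"]) != _domain(d["from"]):
        return True
    return any(text.startswith("http") and _domain(text) != _domain(href)
               for text, href in d.get("links", []))


def trained_user(ev: Event) -> bool:
    """Layer 2: an aware user refuses a link whose host is not the sender's
    organisation and reports it instead of clicking."""
    return _domain(ev.data["href"]) != _domain(ev.data["sender"])


def egress_filter(ev: Event) -> bool:
    """Layer 3: DNS/proxy filter drops connections to known criminal hosts."""
    return _domain(ev.data["dest"]) in KNOWN_C2_DOMAINS


def least_privilege(ev: Event) -> bool:
    """Layer 4: installing software needs admin rights; a standard user
    session cannot complete the install."""
    return not ev.data["runs_as_admin"]


def patched(ev: Event) -> bool:
    """Layer 5: a client at or above the fixed version is not exploitable."""
    return tuple(ev.data["app_version"]) >= PATCHED_VERSION


CONTROLS = {"email": mail_filter, "click": trained_user,
            "callback": egress_filter, "install": least_privilege,
            "takeover": patched}


def layer_results(events) -> dict:
    """Scorecard: for each stage, would its control have stopped the attack?"""
    return {ev.stage: CONTROLS[ev.stage](ev) for ev in events}


def walk_chain(events, disabled=frozenset()):
    """Walk the chain in stage order.  Returns the stage whose control stopped
    the attack, or None if every layer failed (a successful compromise).
    `disabled` names the layers that were 'missed opportunities'."""
    for ev in sorted(events, key=lambda e: STAGES.index(e.stage)):
        if ev.stage not in disabled and CONTROLS[ev.stage](ev):
            return ev.stage
    return None


# Constructed sample chain: a forged bank alert leading to a beacon, an
# install under an admin session, and an unpatched client.
SAMPLE_CHAIN = [
    Event("email", {"from": "alerts@bank.example.com",
                    "reply_to": "support@bank-example-secure.test",
                    "links": [("https://bank.example.com/login",
                               "https://bank-example-secure.test/login")]}),
    Event("click", {"sender": "alerts@bank.example.com",
                    "href": "https://bank-example-secure.test/login"}),
    Event("callback", {"dest": "https://update-check.example.net/beacon"}),
    Event("install", {"runs_as_admin": True}),
    Event("takeover", {"app_version": (11, 0, 1)}),
]

if __name__ == "__main__":
    print("per-layer scorecard:", layer_results(SAMPLE_CHAIN))
    print("all layers on, stopped at:", walk_chain(SAMPLE_CHAIN))
    print("first three layers missed, stopped at:",
          walk_chain(SAMPLE_CHAIN, disabled={"email", "click", "callback"}))
```

In the sample chain the first three layers each catch the attack, but the last two do not: the user runs as administrator and the client is behind on updates, so if the mail filter, the user and the egress filter all miss, the compromise goes through. Restoring any single one of the five controls stops it, which is the whole point of layering.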
There's a bit more involved in today's breaches, but you get the idea. If a computer user corrects any one of these errors, he or she stands a good chance of preventing the cybercrime, because the attack has to succeed at every step. The system is more difficult to compromise, and the user's money, identity, and intellectual property remain secure.
The ultimate irony is that correcting the errors listed above will not cost the typical organization much money, and consumers can find free solutions for each of them.
By employing a defense in depth strategy, we might not have to lose $110 billion annually to cybercrime. We might actually take the next important steps toward cyber innovation rather than wring our hands about the next cybercrime exploit.
Are these reasons enough to change our passwords to something other than “password”? To establish user accounts in place of administrative accounts for day-to-day computer use? To keep our software current with the latest security updates? If not, then we will continue to experience breach after breach, and computer users will become even more numb to the ravages of cybercrime.
Perhaps the Heartbleed scare will begin our collective journey to greater computer security – one of the few positive outcomes of the Heartbleed vulnerability.
Kevin Hamel is vice president and security officer at COCC, a provider of technology services to banks and credit unions since 1967.