Steve subsequently logged over 30 years of computer industry experience in data security, software engineering, product development and professional services. He has managed product development with UNIX, Windows and Java platforms, founded four software and services startups and raised $42m in venture capital. Steve has held a variety of executive management positions in engineering, product development, sales, and marketing for ConnectandSell, Whittman-Hart, marchFIRST, the Cambridge Systems Group, Memorex, Health Application Systems, Endymion Systems, Blackhawk Systems Group and IBM. Steve is also known as the Godfather of Information Security.
As we talked about in last week’s post, the PCI Data Security Standard has established a near-universal set of technical and operational requirements to which all businesses that process credit card transactions must adhere. Accepting card-based payments is the norm in the hospitality sector—it’s a must for any hotel or restaurant hoping to offer the ease and convenience that today’s business and leisure travelers have come to expect.
Hence demonstrating and maintaining compliance is—and rightfully should be—of concern to all industry leaders today. Recent reports do indicate that they’re moving in the right direction: according to Verizon’s most recent Payment Security Report, 55.4% of organizations surveyed were found to be 100% compliant at an interim assessment. This is an impressive accomplishment, especially considering the cost and complexity of full compliance, and considering that this is the fifth consecutive year in which rates have increased.
The hospitality industry’s performance remained below average, though at 42.9% fully compliant, the industry still saw a significant improvement upon last year’s numbers (30.0% full compliance).
Overall, PCI DSS compliance rates are clearly on the rise. But it’s worrying to note that overall rates of data compromise aren’t decreasing in line with these improvements in compliance. Over the same five-year period, according to the 2017 Breach Level Index Report, the total number of breach incidents perpetrated by malicious outsiders rose from 662 to 1,269, with a peak of 1,336 in 2016. In other words, during a time when PCI compliance saw a 44.3% increase, the number of malicious data breaches grew by 91.6%.
Given these troubling numbers—and anecdotal accounts, such as the story of the Target breach, which occurred just weeks after the retailer was certified as compliant—it’s tempting to conclude that PCI compliance, though it’s both mandatory and expensive, lacks any real security benefit.
But in the data provided in the aforementioned 2017 Verizon Payment Security Report, which analyzed more than 300 network intrusions involving payment card data, none of the breached companies was found to be fully PCI compliant at the time of the attack. Further, Verizon investigators claim that “of all the payment card data breaches... [their] team investigated over the past 12 years, not a single organization was fully PCI DSS compliant at the time of the breach.”
How, then, can we explain the apparent disconnect between Verizon’s findings and the Breach Level Index data? A few facts about PCI compliance—its value and its limitations—can cast more light on the real relationship between compliance and information security.
#1: Being Certified Compliant Doesn’t Mean You Really Are
It’s a commonplace—and entirely reasonable—assumption: if your organization passes the annual compliance assessment conducted by a Qualified Security Assessor (QSA), who has been certified by the PCI Security Standards Council, you must be fully compliant. This only makes sense, right?
But QSAs have only a limited amount of time to spend on each assessment. Their methodology necessarily relies upon user-reported information (interviews) and sampling. They simply do not have enough time to review a comprehensive collection of system event logs, check all network and component configuration settings, and comb through all on- and offsite data repositories. Just as the interview—as a method of data collection—is inherently subject to human error, sampling is by nature incomplete. It’s not uncommon for organizations to discover compliance gaps soon after certification—gaps that were missed by QSAs.
#2: True Compliance is a Dynamic Process, Not an Annual Event
Another commonplace assumption among hospitality industry leaders is that PCI compliance is fundamentally a one-time event. If you’re found to be in compliance at the time of your annual assessment, this logic goes, your security is guaranteed for the following year. But nothing could be further from the truth.
In fact, PCI compliance requires ongoing effort, including employee training, monitoring system events and configuration settings, and installing software updates. Failure to perform any one of these tasks can cause your organization to fall out of compliance, even if your certification remains current.
Verizon’s own breach investigations emphasize this point: all the breached organizations Verizon surveyed had failed to maintain full compliance, most often by neglecting to maintain accurate system and user activity logs, disregarding software patches, or mistakenly altering secure configuration settings.
#3: The PCI Standard is Subject to Interpretation by Individual QSAs
The PCI DSS is written in the form of a checklist, with each requirement comprising a series of sub-requirements, and each sub-requirement defined such that compliance (or non-compliance) can be stated in binary terms (yes/no). This makes it seem that compliance is simple to verify.
But consider, for instance, sub-requirement 11.2, which states that organizations must “run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).” At first glance, it seems that determining whether or not an organization performs quarterly network vulnerability scans would be easy to do. But the individual QSA is in fact tasked with deciding which network changes rank as “significant.”
And, on the one hand, because QSAs are paid by the organizations they’re hired to assess, they may be subtly pressured to let small problems slide, or risk not being re-hired for next year’s assessment in favor of an “easier” consultant. On the other hand, a forensic investigator, seeking to determine a breach’s cause after the fact, may be motivated to apply a stricter definition of the term “significant.”
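One way to make the 11.2 judgement explicit is to encode the scan cadence and the “significance” policy as data and let a script report the gaps. This is an added example, not code from the original post or from Netswitch; the scan and change records are constructed, and the 90-day quarter, the 30-day post-change window and the keyword-based significance rule are assumptions standing in for what an assessor would decide.

```python
"""Checker for PCI DSS requirement 11.2 as quoted above: internal and external
vulnerability scans at least quarterly and after every significant change.
Added example, not from the original post or from Netswitch. The scan and change
records are constructed; the windows and the keyword 'significance' rule are
assumptions that stand in for an individual QSA's judgement."""
from dataclasses import dataclass
from datetime import date, timedelta

QUARTER = timedelta(days=90)              # assumption: "quarterly" = at most 90 days apart
POST_CHANGE_WINDOW = timedelta(days=30)   # assumption: scans due within 30 days of a change
SCAN_KINDS = ("internal", "external")

@dataclass(frozen=True)
class Scan:
    when: date
    kind: str          # "internal" or "external"

@dataclass(frozen=True)
class Change:
    when: date
    description: str

# Phrases taken from the requirement text's own examples of significant changes.
SIGNIFICANT_KEYWORDS = ("new system component", "topology", "firewall rule", "upgrade")

def is_significant(change, keywords=SIGNIFICANT_KEYWORDS):
    """Default policy: a change is significant if it matches one of the listed phrases.
    This is the judgement call the post says individual QSAs end up making."""
    text = change.description.lower()
    return any(k in text for k in keywords)

def quarterly_gaps(scans, kind, period_start, period_end):
    """Intervals longer than QUARTER during which no scan of `kind` was run."""
    dates = sorted(s.when for s in scans if s.kind == kind)
    gaps, prev = [], period_start
    for d in dates + [period_end]:
        if d - prev > QUARTER:
            gaps.append((prev, d))
        prev = d
    return gaps

def unscanned_changes(scans, changes, significance=is_significant):
    """Significant changes not followed by both scan kinds within POST_CHANGE_WINDOW."""
    missing = []
    for c in changes:
        if not significance(c):
            continue
        deadline = c.when + POST_CHANGE_WINDOW
        covered = {s.kind for s in scans if c.when <= s.when <= deadline}
        if not set(SCAN_KINDS) <= covered:
            missing.append(c)
    return missing

def assess(scans, changes, period_start, period_end, significance=is_significant):
    """Human-readable findings; an empty list means 11.2 looks satisfied."""
    findings = []
    for kind in SCAN_KINDS:
        for a, b in quarterly_gaps(scans, kind, period_start, period_end):
            findings.append(f"no {kind} scan between {a} and {b} ({(b - a).days} days)")
    for c in unscanned_changes(scans, changes, significance):
        findings.append(f"change on {c.when} ({c.description}) not followed by scans")
    return findings

# Constructed assessment year for a hypothetical hotel.
PERIOD_START, PERIOD_END = date(2018, 1, 1), date(2018, 12, 31)
SCANS = [Scan(date(2018, m, d), k)
         for (m, d) in ((1, 10), (4, 5), (7, 2), (11, 20)) for k in SCAN_KINDS]
CHANGES = [
    Change(date(2018, 3, 15), "firewall rule modification for new PMS vendor link"),
    Change(date(2018, 8, 10), "new system component: guest WiFi gateway"),
    Change(date(2018, 10, 1), "replaced receipt printer at front desk"),
]

if __name__ == "__main__":
    print("keyword policy (QSA-style):")
    for f in assess(SCANS, CHANGES, PERIOD_START, PERIOD_END):
        print(" -", f)
    print("strict policy (every change is significant, investigator-style):")
    for f in assess(SCANS, CHANGES, PERIOD_START, PERIOD_END, significance=lambda c: True):
        print(" -", f)
```

Running it shows the same scan history passing or failing depending only on which significance policy is applied, which is the ambiguity the post describes.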
#4: Like the Security Industry Overall, PCI DSS Favors Prevention Over Rapid Detection
The current PCI standard mandates that compliant systems include only two specific software applications or devices (anti-virus software and a firewall), and both are intended solely to prevent incursions rather than increase the speed with which organizations can identify and contain breaches.
Anti-virus software programs are reactive by design, requiring near-constant updating yet still leaving subscribers vulnerable to as-yet undiscovered malware variants. Firewalls, though commonplace and necessary, are intended as a “first-line” defense, blocking intruders at the network’s perimeter, and making their strongest contributions to overall security when serving as part of a multi-layered, defense-in-depth strategy.
PCI DSS does not mandate the use of a SIEM tool or other system event visualization platform, despite the fact that the use of such advanced analytics can significantly reduce the amount of time it takes to detect a breach. And this despite the fact that integrating SIEM and advanced threat protection platforms with firewalls and anti-virus programs demonstrably improves their performance.
In summary, PCI DSS—as you’ll recall from last week’s article—was developed to protect the interests of the banks issuing payment cards, not the merchants who rely upon them to do business. It’s far more difficult for organizations to maintain compliance than it is to obtain it, and quite easy for forensic investigators—and card issuers—to discover noncompliance after the fact—and use it as grounds for finding liability.
Nonetheless, attaining true compliance—an ongoing process that requires effort, care, and thoughtful attention from employees in many roles within your organization—has real value, in terms of both security and protection from liability. Maintaining real compliance for its own sake can seem difficult, complex and costly. But compliance can also come as a simple by-product of choosing a multi-layered, defense-in-depth security platform that includes advanced network monitoring tools and behavioral analytics. And partnering with a managed detection and response provider like Netswitch can make this option surprisingly affordable.
PCI DSS Basics: What Leaders Need to Know When You Are Required to Comply with PCI DSS
The global hospitality industry has long been an attractive target for cybercriminals trying to pilfer credit card data. Hotels and restaurants were among the first businesses to adopt card-based payments: the world’s first charge card—Diners Club—was conceived of when businessman Frank McNamara suffered the embarrassment of forgetting his wallet while dining out at a New York restaurant. And within a decade, American Express had introduced their now-familiar plastic charge card into the range of financial services it was offering to business and leisure travelers. From the outset, hospitality businesses have been pioneers in terms of credit card acceptance, catering to their guests’ wishes for simplicity and convenience.
As ever-increasing numbers of hotels and restaurants accept credit cards, however, the number of data breaches and the amount of data theft and card-based fraud have continued to climb as well.
Hotels are uniquely vulnerable to these types of crime for several reasons. Their payment systems are inherently complex, with POS terminals often situated in multiple, varied locations across their properties. And these point-of-sale systems must be integrated with an abundance of other IT systems that contain and administer customer data—running the gamut from online booking engines to electronic room key management to guest WiFi access to golf tee time or spa reservation systems. Each of these systems, and the interfaces that link them, represents a point of potential vulnerability.
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed in response to a dramatic increase in credit card fraud that took place at the start of the digital age. It established a common security framework for all organizations that accept major credit cards for payment or process their transactions. The standard sets out clear technical and operational requirements for these organizations, as well as for the software developers and device manufacturers who create the systems they use.
Over the ten-year period between 1988 and 1998, Visa and MasterCard lost $75 million to credit card fraud. By the year 2000, as increasing numbers of merchants began to adopt e-commerce and to roll out websites with payment processing capabilities, annual losses to credit card fraud had risen to $1.5 billion. By 2016, losses topped $24 billion.
At the start of this period, each of the major credit card companies had its own unique set of security standards and policies. Visa’s, called the Cardholder Information Security Program, was the first to be implemented, in 2001. But MasterCard, American Express and Discover soon followed suit. Any merchant wishing to accept multiple credit cards had to adhere to multiple different sets of standards.
In an effort to reduce the fraud which had by then become rampant, and to encourage merchants to accept their cards, all five of the major credit card companies banded together to create a universal and comprehensive set of security standards. This new standard, PCI DSS 1.0, was introduced on December 15, 2004. Compliance was made mandatory for all merchants accepting any card offered by Discover, Visa, MasterCard, American Express or JCB.
Since then, the PCI data security standard has been updated eight times, roughly once every two years. New versions are introduced to keep pace with changes in available technologies and best practices, as well as transformations in the threat landscape. The current version, PCI DSS 3.2.1, went into effect in May of 2018.
What’s Included in the Standard?
PCI DSS outlines twelve major facets of payment card information security. Within each area, the minimum security measures necessary for compliance are defined.
To maintain compliance, your business must:
Build and Maintain a Secure Network and Systems
#1: Install and maintain a firewall configuration to protect cardholder data.
Firewalls monitor traffic at the network’s perimeter, inspecting all incoming and outgoing packets to ensure they meet a set of predetermined security standards. A firewall establishes a barrier between secure internal networks and the untrusted “outside world” of the Internet. This PCI standard details how firewalls and routers must be configured, as well as how organizations should document the ways data flows within their systems and networks.
#2: Do not use vendor-supplied defaults for system passwords and other security parameters.
It’s easy for cybercriminals to find or discover the default passwords in place when software developers and hardware manufacturers initially ship their products. PCI DSS requires that all vendor-supplied passwords be changed to strong, unique passwords, and that all system components be individually configured in accordance with industry best practices.
Protect Cardholder Data
#3: Protect stored cardholder data.
To secure data at rest, a PCI-compliant merchant must employ an encryption method that ensures that an intruder to the network would be unable to read stored data without access to a strong cryptographic key. This standard also stipulates that no data should be retained unless absolutely necessary, and outlines secure destruction procedures for data that is no longer needed.
#4: Encrypt transmission of cardholder data across open, public networks.
Credit card data should also be secured while in transit. Whenever payment-card information is transmitted over public or wireless networks or the Internet, it must be encrypted, and a secure transmission protocol must be employed.
Maintain a Vulnerability Management Program
#5: Protect all systems against malware and regularly update anti-virus software or programs.
This standard mandates the use of anti-virus software on all systems commonly affected by malware. The AV software must be regularly updated and maintained, and be configured so that it runs actively and cannot be disabled by users.
#6: Develop and maintain secure systems and applications.
The security community frequently discovers new vulnerabilities in software and systems already in widespread use, and vendors subsequently issue patches. PCI DSS calls for all appropriate software patches to be installed in a timely manner, and requires that industry best practices for secure coding be followed if custom applications are developed to handle payment card data.
Implement Strong Access Control Measures
#7: Restrict access to cardholder data by business need to know.
Simply put, the more people have access to cardholder data, the greater the risk of data compromise. “Need to know” means that access rights are granted only to personnel who absolutely require them in order to perform their jobs.
#8: Identify and authenticate access to system components.
Each individual who accesses a system containing sensitive payment card data must have a unique user ID. This ensures that user actions can be traced. In case of a breach, authentication and access control logs also enable forensic investigations to be conducted more readily. This standard also mandates the use of strong passwords and multi-factor authentication for system administrators.
#9: Restrict physical access to cardholder data.
Any comprehensive data security policy must also take into account physical access to the devices and systems that hold the data. Systems that store, process or transmit payment card data should be monitored by video cameras or access control mechanisms. Processes and procedures should be developed to ensure that visitors, including third-party service providers, are identified and granted only necessary levels of access. And all physical media containing sensitive data must be appropriately secured and completely destroyed once no longer needed.
Regularly Monitor and Test Networks
#10: Track and monitor all access to network resources and cardholder data.
This standard stipulates that all processes and user activities be logged on any system or network that stores or processes payment card data. These system activity logs must be retained and made available for audit.
#11: Regularly test security systems and processes.
The threat landscape is constantly evolving. All system components, including hardware, software and procedures, should be subject to regular testing—including vulnerability scans and penetration tests—to ensure that security remains robust in the face of current threats.
Maintain an Information Security Policy
#12: Maintain a policy that addresses information security for all personnel.
A comprehensive information security policy enables all employees, contractors and consultants to understand their individual roles in keeping sensitive data safe. The policy should include usage guidelines for individual and company devices, an annual risk-assessment process, and procedures for ongoing training and documentation.
How Can I Ensure That My Hospitality Business is Compliant?
Which specific steps your organization must take depends in part on the number of Visa transactions you process annually. Merchants are classified into four levels, with transaction volumes ranging from under 20,000 to over six million per year. All merchants follow the same three-step process, but what’s required to complete the steps varies with compliance level.
The three steps are:
1. Assess: identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and analyze them for vulnerabilities. Smaller businesses can complete a self-assessment questionnaire, while those with greater transaction volumes must employ a PCI-approved scanning vendor or security assessor. Compliance assessments are repeated annually.
2. Remediate: fix vulnerabilities and eliminate the storage of cardholder data unless absolutely necessary.
3. Report: reporting (or validation) involves compiling and submitting the required reports to the appropriate bank and card brands. Specific reporting and validation requirements vary between card brands and differ for each of the transaction volume-based compliance levels.
Many hospitality businesses outsource the provision and maintenance of their IT systems to third-party service providers. But even if your organization does so, the penalties for non-compliance—including fines, potential legal liability, and increased risk of a breach—remain yours. So, too, does ultimate responsibility for compliance.
Adhering to the PCI standards is mandatory for all hospitality businesses accepting card-based payments, but does compliance mean that your hotel or restaurant is truly secure? Come back for next week’s blog post to learn more about how to answer this question. Meanwhile, we encourage you to review the Prioritized-Approach-for-PCI_DSS-v3_2 with your team.
Or contact Netswitch today to find out about how you can rely on our advanced managed detection and response services to ensure your business remains PCI compliant—and secure. Netswitch deploys a PCI Approved Scanning Vendor solution and integrates its results into a Governance Report and Trending Analysis for management, reducing threats and shortening the time it takes to find the root cause of an incident.
Keeping Your Hospitality Business Safe from PoSeidon Malware
POS compromise remains alarmingly prevalent among hotel businesses, restaurants and retailers today. Although security breaches involving point-of-sale terminals received a great deal of mainstream media attention back in 2013 and 2014, attackers continue to target hotels and restaurants with malware-based attacks on POS systems in 2018, still seeking to extract valuable credit card data.
Recent industry reports show that these attacks are successful far too often. According to the 2018 Verizon Data Breach Investigations Report, for instance, 90% of the breaches that have affected hospitality businesses in the past year have involved POS intrusions, and hotels are 100% more likely than the average business to be targeted at payment terminals or POS controllers. And although researchers at Trustwave saw a significant decrease in the total number of incidents affecting POS systems globally, the number of hospitality businesses affected remained high. This trend was primarily due to a shift from large numbers of smaller breaches to fewer high-volume breaches, each affecting more businesses. Attackers are increasingly targeting IT service providers, home and head offices, and hardware platforms—giving them access to data from multiple franchises or organizations with a single successful breach.
PoSeidon Malware: An Ongoing Threat to Point-of-Sale Systems
In March of 2015, experts in Cisco’s Talos Security Intelligence and Research Group gave the name “PoSeidon” to the latest strain of malicious software programs they’d discovered. This family of malware was designed to steal credit card data directly from POS terminals and exfiltrate it to servers located primarily in Russia for harvesting and resale.
PoSeidon is what’s known as a memory scraper: because all PCI-compliant POS systems must ensure that Secure Sockets Layer (SSL) encryption is used to encode payment card data while it is in transit, PoSeidon tries to gather credit card information while it’s still resident within the POS system’s memory. When a customer swipes her credit card at a POS terminal in order to pay for a restaurant meal or make a retail purchase, the data contained in the card’s magnetic stripe is read and then prepared for transmission to the merchant’s payment processor. PoSeidon extracts this data from the POS terminal’s memory in the instant after it has been read—before it is encrypted for transit through the network.
PoSeidon includes other features that allow it to maintain persistence—to survive on systems even if they are rebooted—and to self-update, ensuring that it’s always running its most recent version. And most strains of the malware include a keylogger, which tracks keystrokes and mouse clicks, enabling attackers to collect account information and user credentials for remote administration services such as pcAnywhere or LogMeIn. Such services allow organizations to update, configure, and maintain their POS systems remotely. But with stolen remote-access credentials, attackers can compromise additional POS systems, and ensure the further spread of the malware.
Unlike earlier types of malware targeting POS devices, PoSeidon communicates directly and immediately with exfiltration servers—allowing it to extract card data immediately and in real time, rather than in a single, large-scale batched file, as was common previously.
Familiar But Still Dangerous in 2018
This family of malware has been known to security researchers and industry insiders for over four years. Its components have been catalogued, the order in which it executes processes—and the logic it deploys while doing so—has been documented, and a list of the TLDs and associated IP addresses with which it attempts to communicate has been compiled. And, as security experts at Palo Alto Networks noted soon after its discovery, early versions of the malware weren’t “terribly sophisticated.” Lacking features such as a complex command-and-control system or strong encryption, PoSeidon initially relied on tried-and-true techniques rather than highly innovative attack methods.
Nonetheless, PoSeidon continues to be found in the wild in 2018, and researchers are still observing new versions and updated variants. But the fundamental tactics and techniques relied upon by this malware remain unchanged.
The persistence of this threat—initially said not to be “terribly sophisticated”—raises a number of urgent questions, which need to be taken seriously by all business leaders charged with managing brands whose reputations depend upon the safety of consumer credit card data.
Attackers Continue to Seek Soft Targets
The market for stolen credit card information remains strong. Black market operatives generate billions of dollars in annual revenue by buying and selling stolen card numbers in bulk. Payment card data can be obtained online for as little as $5 to $8 per number, including CVV2 code.
For this criminal activity to remain profitable, however, attackers must focus their efforts on easily accessible sites likely to provide large amounts of data. POS terminals naturally fit the bill. Usually located in public areas and operated by employees who may lack training or a clear understanding of the importance of information security, point-of-sale systems are inherently vulnerable.
Further, many POS systems in operation today are often running older or more vulnerable operating systems, such as Windows XP or Linux. Such systems may no longer be eligible to receive manufacturer-issued updates and patches. Even when patches are available, not all POS systems are updated regularly.
Far too many businesses try to cut costs by failing to upgrade older POS systems or neglecting to install more expensive Secure Card Reader (SCR) systems that encrypt data at the time of swipe.
How to Ensure Safety for Your Business and Customers
Hardware systems lacking end-to-end data protection measures remain prevalent among POS devices. As long as this is the case, it’s vital to adopt an “assume breach” attitude towards the security of your network as a whole. This means taking steps to ensure that typical patterns of user and network behavior are monitored on an ongoing basis, so that any anomalies (like a POS terminal making frequent connections to a DNS server in Russia) are detected rapidly and automatically. It means blocking known malicious IP addresses and domains proactively. And it means relying on threat intelligence that’s regularly updated with the latest insights from open, commercial and governmental sources.
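The monitoring described above, as an added example that is not part of the original article or of Netswitch’s platform: a clean learning period establishes what each terminal normally talks to, and live connection logs are then checked for DNS to an unapproved resolver, destinations on a threat-intelligence blocklist, and frequent new destinations. The log format, host names, IP addresses (RFC 5737 test ranges) and the blocklist are all constructed for this example.

```python
"""Behavioral monitoring for POS terminals as described above: learn each
terminal's normal destinations, then flag DNS to unapproved resolvers,
threat-intel hits and frequent new destinations. Added example, not from the
original post or from Netswitch. The log format, hosts, IPs and blocklist are
constructed for the example."""
import re
from collections import Counter, defaultdict

# Constructed firewall-style connection log: "<timestamp> <host> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$")

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "host": m["host"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events

def build_baseline(events):
    """(dst, dport) pairs each terminal was seen using during a clean learning period."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["dst"], e["dport"]))
    return baseline

def detect(events, baseline, approved_resolvers, blocklist, min_count=3):
    """Return (host, dst, dport, reason) tuples, sorted for stable output.
    min_count keeps a single stray connection from paging anyone; repeated
    contact with an unknown destination is what should be escalated."""
    counts = Counter((e["host"], e["dst"], e["dport"]) for e in events)
    alerts = []
    for (host, dst, dport), n in sorted(counts.items()):
        if dst in blocklist:
            alerts.append((host, dst, dport, "destination on threat-intel blocklist"))
        elif dport == 53 and dst not in approved_resolvers:
            alerts.append((host, dst, dport, f"DNS to unapproved resolver, {n} queries"))
        elif (dst, dport) not in baseline.get(host, set()) and n >= min_count:
            alerts.append((host, dst, dport, f"new destination not in baseline, {n} connections"))
    return alerts

INTERNAL_RESOLVER = "10.10.0.53"     # constructed: the only DNS server a terminal should use
PAYMENT_GATEWAY = "198.51.100.20"    # constructed
POS_CONTROLLER = "10.10.0.5"         # constructed
BLOCKLIST = {"192.0.2.66"}           # constructed placeholder for a threat-intel feed

def _normal(host, ts):
    """Three connections a healthy terminal makes: DNS, payment gateway, POS controller."""
    return [f"{ts} {host} dst={INTERNAL_RESOLVER} dport=53",
            f"{ts} {host} dst={PAYMENT_GATEWAY} dport=443",
            f"{ts} {host} dst={POS_CONTROLLER} dport=8080"]

# Learning period: both terminals behaving normally.
BASELINE_LOG = _normal("pos-bar-01", "2018-06-01T09:00:00") + _normal("pos-lobby-01", "2018-06-01T09:00:00")

# Live traffic: pos-bar-01 stays normal (one stray connection is under the threshold);
# pos-lobby-01 shows the pattern the post describes.
LIVE_LOG = (
    _normal("pos-bar-01", "2018-06-02T12:00:00")
    + ["2018-06-02T12:01:00 pos-bar-01 dst=198.51.100.21 dport=443"]
    + _normal("pos-lobby-01", "2018-06-02T12:00:00")
    + [f"2018-06-02T12:0{i}:30 pos-lobby-01 dst=203.0.113.9 dport=53" for i in range(4)]
    + [f"2018-06-02T12:1{i}:00 pos-lobby-01 dst=203.0.113.77 dport=443" for i in range(3)]
    + ["2018-06-02T12:20:00 pos-lobby-01 dst=192.0.2.66 dport=80",
       "garbage line that does not parse"]
)

def run_detection():
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(LIVE_LOG), baseline, {INTERNAL_RESOLVER}, BLOCKLIST)

if __name__ == "__main__":
    for host, dst, dport, reason in run_detection():
        print(f"ALERT {host} -> {dst}:{dport}  {reason}")
```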
To learn more about how Netswitch’s Secureli advanced threat protection platform can give your hospitality business deep visibility into your network, and protection from POS-based malware attacks, contact us today.
2017 was a peak year for data breaches. In terms of both size (number of records compromised) and frequency of attacks, 2017 stands among the worst years in history, with 2,600,968,280 records breached in more than 1,765 individual incidents, according to the annual Breach Level Index (BLI) report.
Though large-scale incidents like the Equifax breach—in which more than 147 million individual credit card data records were compromised—received the most media attention, the hospitality sector also saw multiple high-profile attacks, including incidents at InterContinental, Hyatt Hotels, and Hilton.
The most significant breach affecting the industry, however, came from an outside partner. In May, the international travel technology company Sabre announced that it had hired cybersecurity firm Mandiant to investigate a suspected data breach incident. By July, more information had come to light: Sabre disclosed that an unauthorized third party had obtained access to its SynXis Central Reservations system, and had viewed customer data including payment card information and personal details such as names, home and email addresses, phone numbers and travel dates.
As one of the world’s largest hotel and airline reservation aggregators, Sabre serves more than 100,000 hotels and 70 airlines, processing transactions worth over $120 billion each year. Given the company’s size and its enormous reach within the hospitality sector, the news of a possible breach was troubling at best.
Sabre Corporation was quick to reassure its customers, partners and investors that the incident was not nearly as damaging as it could have been. It was ultimately revealed that the total number of compromised records was relatively small: fewer than 15% of the average daily bookings on Sabre’s Hospitality Solutions reservations system were viewed, and that system served only a fraction (bookings for about 39,000 hotels) of Sabre’s total client base. Nonetheless, Sabre was required to notify payment card providers, its partners and its customers—as well as the media—about the incident. It was also subject to a class-action lawsuit filed in California.
Because the attackers had access to the system for a period of seven months (from August 2016 until March 2017), and SynXis retains data only for 60 days, the exact number of records compromised remains unknown. And the precise identities of the victims cannot be recovered.
Although the consequences of this particular data breach were not nearly as severe as industry experts had initially feared, the incident should serve as a wake-up call to leaders and decision-makers throughout the hospitality sector. Without question, the total number of data breaches in the industry is on the rise. And as attackers continue to innovate in order to uncover new vulnerabilities and deploy more effective strategies, reactive approaches are doomed to fail.
Lesson #1: POS Compromise is the Industry’s Most Prevalent Threat, But Credit Card Data is Vulnerable Elsewhere, Too
According to the 2018 Verizon Data Breach Investigations report, 90% of the breaches that have taken place in the hotel industry so far this year have involved POS intrusions, and the average hotel is 100% more likely than the median business to be targeted at a payment terminal or POS controller.
But the Sabre hack demonstrates that large-scale industry vulnerabilities extend well beyond POS: sensitive and valuable data can be accessed and extracted at many points within the complex IT systems that today’s hospitality industry depends on, and all data needs to be secured everywhere.
Although it’s possible to segment a POS terminal from the rest of your network and limit the number of external systems with which it’s allowed to communicate, it is by definition impossible to prevent a third-party software provider who handles your customer reservation data from accessing sensitive financial information or the Internet.
In fact, the integrated nature of the reservations system could well have been its greatest vulnerability. As risk management experts have observed, the compromised Sabre system was interconnected with multiple other software solutions, including more than 150 different property management, revenue management, CRM and content management applications. The widespread integration of Sabre’s APIs within the travel industry means that a single breach could potentially be exploited in many ways, affecting large numbers of partner companies.
Lesson #2: You Are Only as Secure as Your Weakest Password
The Sabre data breach took place by way of compromised credentials: that is, the attacker leveraged a weak, stolen or unchanged default password to gain access to the system. This remains the most common means by which attackers gain access to vital systems across all industries in 2018.
But complex, integrated platforms like Sabre’s reservation system are particularly vulnerable because they are accessed by many employees within a wide variety of industries, some of which are too liberal in granting user permissions.
The Sabre system also allowed its users to gain access from multiple devices by supplying only a single username and static password. This access management method, known as single-factor authentication (SFA), has repeatedly been proven far less secure than methods relying upon multiple types of credentials to verify user identities. But SFA remains in widespread use due to its low cost and ease of implementation.
Lesson #3: Prevention is No Longer Possible
Despite their inherent vulnerabilities, large-scale booking engines like Sabre’s SynXis system will remain part of the hospitality landscape for the foreseeable future. The advantages they offer to industry partners and customers are obvious: they make it easier than ever before for consumers to find available hotel rooms, compare prices, and obtain reservations. And they allow independent and boutique hotels to compete successfully with major brands in marketing themselves to worldwide audiences.
With advance knowledge of the vulnerabilities inherent to such systems, hospitality industry leaders can begin to adopt new ways of thinking about data breaches. The simple truth is that intrusion prevention has become impossible, and approaches to data security that are solely preventative in nature will inevitably result in failure.
The necessary mindset shift is clear: leaders must begin thinking of breaches as unavoidable, and begin planning to reduce their costs and mitigate the consequences when they occur.
A managed detection and response provider like Netswitch can help you protect your data by implementing a multi-layered security platform including advanced behavioral analytics able to identify anomalies quickly and reliably—to recognize unusual patterns of file access, network traffic or user behavior—so that intrusions can be stopped before they become breaches, and breaches halted before they have significant consequences.
As we discussed in last week’s blog post, businesses are paying more than ever before for cybersecurity solutions, and market forecasters predict that this spending will only increase in years to come. Every time a large-scale attack gets media attention, publicly-held companies rush to reassure investors that their IT security spending is enough to reduce their vulnerability. But is the protection that they’re buying truly worth its cost? And how can smaller organizations ensure that they’re receiving the best value for their cybersecurity investments?
Today’s cybersecurity marketplace is crowded. Buyers are confronted with an ever-expanding array of options when selecting vendors, products and services. Faced with limited budgets and nearly unlimited alternatives, decision-makers can easily find themselves overwhelmed. And armed with the knowledge that organizational investments into cybersecurity have failed to curb the growth of cybercrime, how can you ensure that the protection you’re paying for is real?
Too Much Focus on Endpoints
Traditionally organizations have based their defenses on malware detection and intrusion prevention, primarily attending to the interfaces between their private networks and the public Internet. Legacy solutions like firewalls and anti-virus software programs are primarily preventative in nature, aiming to keep malware from reaching enterprise networks and devices. These preventative approaches become less and less effective with each passing year.
Nonetheless, organizations continue to spend more on endpoint protection than on any other category of security tool. And this spending continues even though these protection platforms are often ineffective: in one survey, 53% of companies who fell victim to a ransomware attack were running multiple antivirus software products simultaneously. And only 52% of these solutions were able to detect a simulated ransomware attack in test conditions. In the 2018 Thales Data Threat report, endpoint security solutions were ranked dead last in terms of their effectiveness.
Too Many Vendors
The cybersecurity market also faces the challenge of oversaturation. With more than 1,200 vendor-specific solutions available, it’s becoming increasingly difficult to choose between them. Decision-makers are tasked with evaluating multiple vendors’ competing claims, but often lack a thorough understanding of what’s actually needed to keep their businesses safe.
The results can be chaotic: in one recent survey, major enterprise CISOs said that—on average—they were relying on more than 80 security vendors each. Although it might seem that such an abundance of solutions would result in ample protection, the opposite is often the case. These solutions are often poorly integrated, failing to communicate with each other or requiring users to log into multiple separate management consoles in order to monitor their performance.
As attack surfaces rapidly expand and attacks grow in sophistication, it can be tempting to simply add another vendor’s product for each newly-discovered vulnerability or threat. But doing so guarantees ever-rising costs, without ensuring that the solutions will work well together. Organizations already struggle with the complexity of cybersecurity solutions, and when multiple products from competing vendors are being used, it can be even more difficult to extract meaningful threat intelligence from the alerts generated—and to do so quickly.
Cutting Through the Hype
Given these challenges, how can you choose the best security solution for your organization? One answer is to find experts without a financial stake in the cybersecurity industry: look for independent authorities to validate any claims made by individual vendors.
One such organization is MITRE. Chartered to work in the public interest, MITRE is an independent nonprofit that operates federally-funded research and development centers. Their objective is to conduct scientific research and analyze technological challenges and cybersecurity threats. For the past five years, MITRE has worked to develop the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, a detailed, globally-accessible knowledge base of the tactics and techniques used by attackers, according to real-world observations.
The ATT&CK model’s key characteristic is a shift in primary focus: from prevention to detection. Developed with the goal of detecting advanced persistent threats (APTs) more quickly, ATT&CK is founded on an “assume breach” premise. Researchers at MITRE operate with the expectation that it’s simply impossible to keep attackers off your network, and instead seek to categorize and catalog attackers’ most common post-breach behaviors, with the goal of reducing the amount of time it takes to detect an intrusion.
By making this information available to the public, ATT&CK’s creators hoped to improve the sharing and coordination of intelligence across the cybersecurity industry, and thus to enhance all vendors’ ability to predict attacker behavior and to create stronger dynamic defenses. Instead of concentrating on identifying particular malicious domains, IP addresses or file hashes, which attackers are always changing, the researchers sought to document the general tactics and techniques used by adversaries interacting with real systems.
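The contrast drawn above, as an added example that is not code from the original post, from MITRE or from Netswitch: an indicator rule and a behaviour rule are run over constructed access logs from a hypothetical reservation system, where the same account is misused on two days but the source address changes between them (the usernames, addresses, device names and thresholds are all assumptions). It also shows the multi-device signal that Lesson #2 above identifies as a weakness of single-factor logins.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One access-log record from a hypothetical reservation system."""
    user: str
    src_ip: str
    device: str
    action: str        # "login" or "view_booking"
    records: int = 0   # booking records returned by a view_booking action


# Constructed indicator from a hypothetical earlier incident (documentation range).
BLOCKED_IPS = {"203.0.113.10"}

# Constructed logs. Day 1: the shared password is used from the known bad address.
DAY1 = [
    Event("front_desk", "198.51.100.5", "pc-lobby-01", "login"),
    Event("front_desk", "198.51.100.5", "pc-lobby-01", "view_booking", 40),
    Event("res_agent", "198.51.100.7", "pc-res-02", "login"),
    Event("res_agent", "198.51.100.7", "pc-res-02", "view_booking", 60),
    Event("res_agent", "203.0.113.10", "unknown-a", "login"),
    Event("res_agent", "203.0.113.10", "unknown-a", "view_booking", 900),
]

# Day 2: same account and same behaviour, but the source address has changed.
DAY2 = [
    Event("front_desk", "198.51.100.5", "pc-lobby-01", "login"),
    Event("front_desk", "198.51.100.5", "pc-lobby-01", "view_booking", 35),
    Event("res_agent", "198.51.100.7", "pc-res-02", "login"),
    Event("res_agent", "198.51.100.7", "pc-res-02", "view_booking", 55),
    Event("res_agent", "203.0.113.11", "unknown-b", "login"),
    Event("res_agent", "203.0.113.11", "unknown-b", "view_booking", 850),
]


def ioc_alerts(events):
    """Indicator matching: flag any user seen from a blocked source address.
    Catches only what is on the list; a rotated address is invisible to it."""
    return {e.user for e in events if e.src_ip in BLOCKED_IPS}


def behaviour_alerts(events, max_devices=1, max_records=200):
    """Behaviour baseline: flag a user who logs in from more distinct devices
    than expected, or who pulls far more booking records than a normal shift.
    The thresholds are assumed values a site would tune to its own baseline."""
    devices = defaultdict(set)
    records = defaultdict(int)
    for e in events:
        if e.action == "login":
            devices[e.user].add(e.device)
        elif e.action == "view_booking":
            records[e.user] += e.records
    flagged = set()
    for user in set(devices) | set(records):
        if len(devices[user]) > max_devices or records[user] > max_records:
            flagged.add(user)
    return flagged
```

On day 2 the indicator rule returns nothing while the behaviour rule still flags the misused account; the normal front-desk account is never flagged by either.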
Lessons from ATT&CK: What to Look for in a Solution
Today’s most effective security platforms are built upon the same foundational premises as the ATT&CK framework: they construct dynamic defenses by focusing on post-breach detection. The threat landscape is constantly evolving: it doesn’t make financial sense to purchase a new solution each time a new attack vector is discovered. Instead you need a multi-layered platform-based approach that can evolve right along with the challenges. A crucial component of such approaches is their reliance on behavioral analytics powered by comprehensive dynamic threat models, which incorporate intelligence from both commercial and open sources (including ATT&CK). An ideal system’s behavioral analytics can be adapted and tuned for your particular environment.
It’s also important to find a system that’s seamlessly integrated, ensuring that components from various vendors will work together to improve overall detection rates, rather than merely generating alerts that you don’t have the resources to investigate or interpret.
As the number and complexity of threats continue to increase, monitoring them is beginning to exceed human capability. Thus moment-to-moment traffic and threat analysis must be increasingly automated, with machine learning and artificial intelligence relied upon to perform this task. How well this “learning” works to set effective network policies is critical to the strength of your defenses.
To learn more about how the Secureli platform incorporates advanced behavioral analytics powered by artificial intelligence into a comprehensive threat detection and remediation system, contact Netswitch today. Our integrated services are available for a flat monthly per-device fee—pricing that will remain stable no matter what happens in the threat landscape.
Cybersecurity spending today is at an all-time high, and is poised for further growth. But cybercriminal activity—attacks, breaches and resulting damages—has also peaked. CEOs, CIOs, and budget-conscious investors are all asking: are the available IT security solutions worth their cost? Would it make more sense just to pay off the hackers? Do proactive approaches even work?
There’s little doubt that companies are investing more than ever before into IT security. Analysts at Gartner, Inc. estimate that enterprises worldwide will allocate more than $96 billion to their cybersecurity budgets in 2018, an increase of 8 percent from 2017 spending levels. Not only is spending forecast to increase, but the rate of increase is also expected to climb dramatically. In their 2018 Cybersecurity Market Report, for instance, researchers at Cybersecurity Ventures predict that total global expenditures on cybersecurity products and services will exceed $1 trillion between 2017 and 2021, with year-over-year growth rates between 12 and 15 percent.
And actual spending may well be even higher than these predictions suggest, since cybersecurity-related expenses are often incorporated within other areas’ budgets. Security services may be bundled with other IT solution costs, such as software development or infrastructure maintenance. Or they may be classified as “general operational expenses,” or compliance costs. This makes it increasingly difficult to accurately account for them.
What’s most troubling about these numbers, however, is that despite the high levels of spending that they clearly reveal, costs and losses attributable to cybercrime are also on the rise.
In IDG Research’s 2017 State of U.S. Cybercrime Survey, 68 percent of respondents indicated that despite spending more, their monetary losses due to cybersecurity events were the same or greater than the previous year. 6 percent fewer businesses did not report losses, and the number of events resulting in damages increased. Researchers at Cybersecurity Ventures predict that cybercrime will continue to increase in the coming years, and that by 2021 it will cost global businesses more than $6 trillion annually.
Given statistics like these, and faced with tight budget constraints, it is tempting for business leaders to conclude that investing in cybersecurity is simply not worthwhile.
Would You Be Better Off Paying the Ransom?
Many decision-makers do in fact take this “save now, pay later” approach. More than a third of the 1,800 companies surveyed in NTT Security’s 2018 Global Threat Intelligence Report said that they’d consider paying a hacker’s ransom rather than investing in information security.
Worryingly, this data reveals that many executives remain unaware of the scope of the risks their organizations face. In the wake of highly publicized ransomware attacks like WannaCry and Petya/NotPetya, the report suggests that these decision-makers tend to overestimate the cost of preparedness while grossly underestimating the financial implications of failing to prepare.
Adding Up the True Costs
It is difficult to perform an accurate cost-benefit analysis when the costs involved are concrete and fixed, and the benefits are less tangible. When considering new cybersecurity investments, executives are presented with finite and predetermined costs: for hardware and salaries if developing in-house capabilities, or on a per-employee or per-device basis if outsourcing. The actual costs of an attack or breach are far more difficult to quantify, however.
Damage to brand image and reputation is of major concern to cyberattack victims. In the NTT Security Report, a majority of respondents feared that “loss of consumer confidence” or “damage to brand/reputation” would result from an information security breach. Although the consequences of tarnishing a brand are undeniably real, it is notoriously challenging to express these losses in financial terms. But in any industry with significant competition, customers lost because they no longer trust you in the wake of data compromise most likely will never return.
Other potential costs, too, are frequently ignored in cybersecurity risk calculations. Would your cybersecurity insurance premiums increase? Or might your insurer even refuse to pay out if you were shown to have neglected your responsibility to follow best practices? What would it cost to replace top talent if high-level employees resigned in the wake of the incident? And what damage would be done to your relationships with other vendors or business partners?
Tomorrow’s Risks Will Be Even Greater than Today’s
The threat landscape is ever-changing, and cybercriminals will continue to employ the tactics that give them results. The use of ransomware, in particular, is on the rise. SonicWall recently reported a 229% increase in ransomware attacks from 2017 to 2018. This includes high-profile cases like the SamSam attack that crippled the city of Atlanta as well as numerous smaller-scale incidents. Taken together, ransomware costs have spiraled into the billions, and are likely to grow further as threats become increasingly strategic, targeted and sophisticated.
If even a small percentage of victims pay the ransom, threat agents are strongly incentivized to continue to develop and deploy ransomware, and to target increasing numbers of organizations. And if it becomes widely known that one-third of companies would be willing to pay up, we can expect to see exponential growth in the number of attacks.
You Don’t Know If You’ll Get What You Pay For, Or What the True Cost Will Be
A few years ago, some experts advocated paying the ransoms demanded by cybercriminals, arguing that an “honor among thieves” mentality prevailed, and that most would decrypt or return control of your files once paid. Real-world data belies the wisdom of this approach, however. In a recent research report by the Cyber Edge group, only 19% of the victims who paid actually got their data back.
Some criminals never intended to return the data, while others—through ineptitude or poor coding skills—find themselves unable to fulfill their promises to decrypt the files.
There’s simply no way to be certain that paying a ransom will restore your data.
With so many attackers today demanding payment in Bitcoin or other new cryptocurrencies, and with the value of these digital assets fluctuating daily, it’s also incredibly difficult to estimate—in dollars—how much the ransom will actually cost.
While it is possible to estimate the cost of a data breach—the Ponemon Institute puts it at $148 per stolen record, for an average total of $3.86 million—predicting the impact of a future ransomware attack is more challenging. Real-world examples show that the costs can be extremely high, and that a single incident can cripple your business. Or even destroy it. This isn’t a risk worth taking.
A proactive approach is without question the best one.
Stay tuned for our next blog post, where we’ll discuss the most cost-effective ways to fight ransomware and data compromise, and how to stay proactive on a budget. Or contact Netswitch to learn more today.