Electronic Payment System: Issues05/04/2020
- Sophisticated (and Zero-Day) Malware
Malware has gotten very sophisticated, tracking everything from keystrokes to learning passwords, to infiltrating laptop cameras and microphones. URL scraping can see where you’ve been online, and bots can be installed in your system without you ever knowing it. This all adds up to bad actors knowing who you are, what you do, your passwords, etc. This is all bad news.
With malware and ransomware (encrypting your files until you pay a ransom to a hacker) on the rise, you must have the latest and greatest security software installed and running. You also must be vigilant in the links you click, the pages you visit and the people you interact with online.
- Poor Patching
Patching is a critical activity for any progressive, security-conscious organization. Unfortunately, patching demands must be addressed on operating systems, applications and network infrastructure, making it a bit of a hindrance in some minds.
It’s important to patch often and completely. Back in 2014, about half of all exploits went from the publishing of the vulnerability to being hacked in less than a month. Last year, 99.99 percent of vulnerabilities compromised were done so more than one year after they were identified.. You must patch frequently and patch often.
- Application/Middleware Vulnerabilities
Breaching the perimeter is no longer the preferred attack vector. Attackers are now taking advantage of the proliferation of applications across the typical enterprise. Most vendors will do the right thing with vulnerabilities and patches, but you must remain vigilant.
Establish an application security program to address this need. Scan internal apps and do frequent code reviews. Keep your security program up to date by always installing the latest versions of all security solutions.
- Service Providers
Third parties have become a large part of many infrastructures owing to their cost-savings, expertise and capabilities. Many are trusted with sensitive info, making them a very tight extension of your organization. Sadly, the Ponemon Institute states that third-party organizations accounted for (or were involved in) 42 percent of all data breaches.
Be strict in your third-party service provider evaluations. Ensure they have a solid track record of security.
- Failed Understanding of InfoSec and Cyber Risk
We’re sometimes our own worst enemies and what we don’t know can hurt our organizations. Risk is always seen through the eyes of the risk-taker, and if you’re unable to articulate the risks, people won’t see them.
Make education a priority. Don’t assume that everyone will value security as highly as you do. Put yourself in the shoes of the risk-taker and formulate a plan to address their risks.
- Mobile and BYOD
Mobile devices are prevalent in our enterprises, and not all of them are company issued (bring your own device). Unmanaged mobile devices present many threats. Non-compliant and jail-broken devices are often easy to exploit, and employees frustrated by multiple-authorization requests may simply get around your controls.
Anticipate this by developing a comprehensive mobile device management (MDM) strategy and stick to it. Work to understand how your employees are using these devices and implement policies to address said usage. Also, make it a priority to know all the devices using your network.
- Smarter Phishing and Spear Phishing
Phishing used to be easy to identify. Poor spelling and grammar were dead giveaways, as was the non-personal nature of the email. Well the “Dear sir/madam” intro has been replaced by very targeted messaging. “CEO Wire Fraud” attacks accounted for $2.3 billion in losses, according to the FBI. This “spear phishing” features language that is very specific to the recipient, and often high-level folks with top access and the ability to authorize payments.
Never authorize access or payments to people you don’t recognize. Follow up with people in your organization responsible for such things.
- Cloud Unpreparedness
Everybody is rushing to put their data into the cloud, and it makes sense. The cloud offers many benefits and is undeniably the way forward, but migrating to the cloud should be done with care.
It all starts with asking the right questions. Who will own the data? What data should be in the cloud? What data should be omitted from the cloud? How is data handled once it is no longer needed? Finally, take the time to understand what data protection controls YOU are responsible to provide.
- Over-trusting Encryption
Encryption is a great thing, but it’s not everything. Encryption of data is only as safe as the encryption type you use and how the keys are managed. Payment Card Industry (PCI) compliance does not allow encryption to take data out of PCI scope.
Simply put, encryption should be employed as part of a total solution, not as the only solution.
- Internet of Things (IoT) Attacks
As a society, we certainly don’t seem to have trust issues when it comes to IoT devices. But the fact is, if something is internet-enabled, it can be hacked. Cars, refrigerators and even children’s toys can be accessed by bad actors.
With Gartner estimating that 50 trillion gigs of data will be sent by IoT devices by 2020, hackers are sensing a massive opportunity. Always change passwords and factory security settings when employing these devices.