On Friday, April 13, Global Payments’ previously rising stock plunged from $52 to $46. The drop came swiftly after the announcement that the major credit card payment processing company’s database had been hacked, and 1.5 million credit card account numbers had landed in the talons of cyberthieves. No one stands immune.
The FBI reports that over the last seven years, more than two-thirds of American businesses have detected at least one cyber crime — and that’s only the ones they have caught. With the boggling amounts of data and dollars companies are entrusting to computer processes in mind, the Association for Corporate Growth’s New Jersey Chapter is presenting “Cyber Risk — What You and Your Business Need to Know About Information and Data Security Breaches” on Tuesday, September 11, at 7 a.m. at the Hilton Woodbridge in Iselin.
The panel moderator is Darryl Neier, certified fraud examiner with Sobel & Co.; with panelists Ken Citarella, managing director, Guidepost Solutions; attorney Sandra Jeskie, partner with Duane Morris LLP; and Sean Murray, assistant vice-president at Chubb Specialty Insurance. Cost: $75. Visit www.acg.org/newjersey.
Cyber investigator Citarella says he always tells his New York University law students when he enters the classroom, “You cannot buy your way into security, but you can train your way into security.” As one of cyber crime’s very first investigative prosecutors, he should know.
Still living in his home county, Citarella was raised in Westchester, New York, by a shop owner father and homemaker mother. Graduating from Manhattan College with a bachelor’s degree in business in 1973, Citarella brought with him the unusual (for then) knowledge garnered from several computer courses.
Upon entering the U.S. General Accounting Office, Citarella quickly employed these skills on the government’s early computer systems.
After earning an MBA from Pace University, Citarella went to work for the Westchester prosecutor’s office, where he became one of the nation’s first white collar/computer crimes specialists.
To enhance his effectiveness, he earned a law degree from New York University Law School, where he still serves as an adjunct professor. After a brief stint with Prudential Insurance, Citarella joined the international security giant Guidepost Solutions, where he continues to hunt down the bad guys and save the data.
“Look at your hand held device,” says Citarella. “As all your information becomes more centralized into that thing in your pocket, the greater the risk of it being stolen.”
What you are capable of doing may not always be the wise thing to do. You can carry all your worldly money in your purse. You can carry every information file and access code on your BlackBerry. Doing either, however, is downright stupid.
A wiser course, Citarella suggests, is to carry a USB flash drive for your laptop holding only the information you plan to use on your immediate trip (an encrypted one, since a small drive is at least as easy to lose as a phone). That is more forward thinking than having your whole office wide open on your lap, “just in case.”
Security is only human. “The best firewall in the world cannot save you from the CEO’s clicking on an invasive attachment from some unknown sender,” says Citarella. It is people who must be trained in certain levels of security consciousness, and people who must think through the safeguarding policies they make.
Citarella cites an embezzlement case in a major firm that had recently decided to go entirely paperless. The result of the paper-free policy was an E-mail swamp that was drowning nearly every employee. One executive got so sick of the time wasted on E-mails that he broke company policy and gave his username and password to his assistant so she could screen his E-mail.
His assistant took to the task with a will, and in short order realized that she could submit a travel voucher in her own name to her boss, approve it from his account, and have the money sent to her personal account. Because she was logged in as him, every approval was recorded under his name. Meanwhile, the boss never saw what “he” had approved, and was delighted with the diminished E-mail onslaught.
“She made the one embezzler’s cardinal mistake,” says Citarella. “She took a vacation. Otherwise we never would have caught her.” In her absence, her substitute noted this odd cash flow, the assistant was caught, and the executive had to admit that he had broken policy by giving her his username and password.
But here’s the surprise ending: instead of coming down on the executive, Citarella turned on management, saying that this understandable action was brought about by careless policy. Why was there no way to delegate access to an E-mail account, under the assistant’s own identity and with fewer powers than the owner’s, so that the only option was handing over a password? Why did it not take two people to sign off on such voucher payments?
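The two controls Citarella says were missing, as an added example in code (not from the article or from Guidepost Solutions): delegated mailbox access that records the delegate’s own identity and cannot carry approval rights, and a voucher system that needs two distinct approvers, neither of whom may be the submitter or the payee. The names, rights and amounts are constructed for the example.

```python
"""Added example, not from the article: a toy approval workflow showing the
two controls management had failed to set up in the embezzlement case.
Names, delegated rights and voucher amounts are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class PolicyViolation(Exception):
    """Raised when an action would break a separation-of-duties rule."""


@dataclass
class Mailbox:
    """An E-mail account whose owner can delegate limited rights.

    A delegate acts under her own identity, so the audit trail records
    'assistant (on behalf of boss)' rather than 'boss'. Approval rights
    are deliberately not delegable."""
    owner: str
    delegates: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, delegate: str, rights: Set[str]) -> None:
        if "approve" in rights:
            raise PolicyViolation("approval rights cannot be delegated")
        self.delegates[delegate] = set(rights)

    def can(self, actor: str, right: str) -> bool:
        if actor == self.owner:
            return True
        return right in self.delegates.get(actor, set())


@dataclass
class Voucher:
    voucher_id: int
    submitter: str
    payee: str
    amount: float
    approvals: List[str] = field(default_factory=list)
    paid: bool = False


class VoucherSystem:
    """Travel-voucher payments that need two distinct approvers, neither of
    whom may be the submitter or the payee."""
    REQUIRED_APPROVALS = 2

    def __init__(self, approvers: Set[str]):
        self.approvers = set(approvers)
        self.vouchers: Dict[int, Voucher] = {}
        self.audit: List[tuple] = []          # (event, real actor, voucher id)

    def submit(self, actor: str, payee: str, amount: float) -> int:
        voucher = Voucher(len(self.vouchers) + 1, actor, payee, amount)
        self.vouchers[voucher.voucher_id] = voucher
        self.audit.append(("submit", actor, voucher.voucher_id))
        return voucher.voucher_id

    def approve(self, actor: str, voucher_id: int,
                via_mailbox: Optional[Mailbox] = None) -> bool:
        """Record an approval by `actor`; returns True once the voucher is paid.

        `actor` is always the real person at the keyboard. Working through a
        delegated mailbox never lets the delegate borrow the owner's rights."""
        voucher = self.vouchers[voucher_id]
        if via_mailbox is not None and not via_mailbox.can(actor, "approve"):
            raise PolicyViolation(
                f"{actor} may handle {via_mailbox.owner}'s mail but not approve")
        if actor not in self.approvers:
            raise PolicyViolation(f"{actor} is not an approver")
        if actor in (voucher.submitter, voucher.payee):
            raise PolicyViolation("separation of duties: cannot approve own voucher")
        if actor in voucher.approvals:
            raise PolicyViolation("each approver counts only once")
        voucher.approvals.append(actor)
        self.audit.append(("approve", actor, voucher_id))
        if len(voucher.approvals) >= self.REQUIRED_APPROVALS:
            voucher.paid = True
            self.audit.append(("pay", "system", voucher_id))
        return voucher.paid


def replay_case() -> List[str]:
    """Replay the article's scenario under these controls; return what happened."""
    boss_mail = Mailbox("boss")
    boss_mail.grant("assistant", {"read", "file", "reply"})   # screen mail, nothing more
    payments = VoucherSystem(approvers={"boss", "cfo"})
    vid = payments.submit("assistant", payee="assistant", amount=1250.00)
    events = []
    try:   # the assistant tries to approve her own voucher through the boss's mailbox
        payments.approve("assistant", vid, via_mailbox=boss_mail)
    except PolicyViolation as err:
        events.append(f"blocked: {err}")
    events.append(f"after boss: paid={payments.approve('boss', vid)}")
    events.append(f"after cfo: paid={payments.approve('cfo', vid)}")
    return events


if __name__ == "__main__":
    for line in replay_case():
        print(line)
```

The point of `via_mailbox` is that the system always knows who is really acting; the assistant's attempt is refused and logged under her own name, and the legitimate voucher still waits for a second approver before any money moves.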
Spear phishing expeditions. Of course, fixing blame is seldom the key to fixing security. Hackers are increasingly crafty, and even the most savvy may be fooled, admits Citarella. Imagine a cybercon today targeting a particular company with a series of what are termed spear phishing E-mails. He picks his target and researches the CEO.
Reading the CEO’s speeches and profile on the company website, he gets the basic facts. The website’s events calendar shows that the company leadership is going to a particular conference in late September. From the CEO’s LinkedIn and Facebook pages, our hacker discovers that the CEO likes to play golf. Now the trap gets set.
Copying the conference’s letterhead, the hacker sends the CEO an invitation to a golf tournament. When the CEO hits “Click to Register,” a Trojan horse program is downloaded and spreads through the company’s systems. Files are copied out, financial records are exposed, and perhaps vital documents are destroyed. Then, of course, news of the break-in leaks to the media. Like Global Payments, the targeted company’s stock takes a nosedive.
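An added example, not from the article, of the kind of check a mail gateway can run on an invitation like the one above: every link in the message is compared with the domain the message claims to come from, and a link is flagged when its host is not under that domain, when the visible text names one host but the href points at another, when the host is a raw IP address, or when the host is a lookalike (a one- or two-character edit of the real name, or the real name buried inside another domain). The organiser’s domain `example-conf.org`, the attacker’s domains and the message body are all constructed for the example.

```python
"""Added example, not from the article: a mail-gateway style check on the
links in a spear-phishing invitation. The organiser's domain, the
attacker's domains and the message body are constructed for the example."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name: a crude stand-in for the public
    suffix list, which a real gateway would use instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_reasons(href: str, text: str, claimed_domain: str) -> List[str]:
    """Reasons a link is suspicious given the domain the message claims to
    come from; an empty list means nothing was found."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["link has no host name"]
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a host name")
    domain = registrable_domain(host)
    if domain != claimed_domain:
        reasons.append(f"host {host} is not under {claimed_domain}")
        brand = claimed_domain.split(".")[0]
        if brand in host:
            reasons.append("claimed brand name embedded in a different domain")
        if 0 < edit_distance(domain, claimed_domain) <= 2:
            reasons.append(f"lookalike of {claimed_domain}")
    # Visible text that names a host is a promise the href has to keep.
    shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append("link text names a different host than the href")
    return reasons


def scan_message(html: str, claimed_domain: str) -> Dict[str, List[str]]:
    """Map each suspicious href in the message to its reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged: Dict[str, List[str]] = {}
    for href, text in parser.links:
        reasons = link_reasons(href, text, claimed_domain)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed lure, modelled on the scenario in the article.
SAMPLE_LURE = """
<p>Dear Mr. Doe, the Example Conf committee invites you to the
late-September golf tournament.</p>
<p><a href="https://register.example-conf-golf.net/signup">Click to Register</a></p>
<p><a href="https://examp1e-conf.org/golf">Register here</a></p>
<p><a href="http://198.51.100.7/x">https://www.example-conf.org/register</a></p>
<p><a href="https://www.example-conf.org/agenda">Conference agenda</a></p>
"""

if __name__ == "__main__":
    for href, why in scan_message(SAMPLE_LURE, "example-conf.org").items():
        print(href, "->", "; ".join(why))
```

Only the genuine agenda link passes; the registration link, the `examp1e` lookalike and the bare-IP link each come back with the reason they were flagged. This catches the lure, not the Trojan behind it, which is why the article's point about training still stands: a CEO who expects the invitation will click the link that a gateway missed.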
Two-pronged counterattack. “Each new piece of technology is invented by a company to make money by using it in one or two ways,” says Citarella. “The second users are the bad guys, who seek and find a mutated use. Then, only third-hand does it get to security and law enforcement people, after the crime is committed.”
The goal now is to reverse this sequence and build security into a technology from its original design. To achieve this, security experts are channeling efforts into both building stronger walls and making a quicker, more effective response to a breach.
Security teams know the game is uneven: they have to be right 100 percent of the time, while the attacker needs to be right only once. Penetration of a system does not necessarily indicate sloppy security. How quickly you can isolate the attack, assess the damage, find the access points, and act to expel the problem is the true measure of a security team.
Much of this responsibility rests within the company. “Most firms don’t know what data they have and where it is located,” says Citarella. A secure system keeps a running tab on the number and location of each file group. Automatic logs should be established recording when a file is altered or copied, and by whom.
Such a recording method can issue exception reports. If file #123 is shown to be copied by Ms. Smith, who is not an accepted administrator for that file, the alarm goes off. Either Ms. Smith or someone using her ID is copying that file; the log cannot tell which, which is one more reason the shared password in the embezzlement case was so costly. If you keep constant count of the mares in your corral, it will become much more obvious when a Trojan horse sneaks in among them.
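The exception report described above, as an added example that is not from the article: constructed audit-log lines are checked against a list of accepted administrators per file group and against the running inventory of files each group is known to hold, and a copy outside business hours is reported as a third kind of exception. The log format, file groups, user names and administrator list are all invented for the example.

```python
"""Added example, not from the article: an exception report run over
constructed audit-log lines. The log format, file groups, user names and
administrator list are invented for the example."""
from typing import Dict, Iterator, List, Set, Tuple

# Constructed log: timestamp  user  action  file-group  file-id
SAMPLE_LOG = """\
2012-09-04T08:02:11 jones    read   payroll 123
2012-09-04T08:05:40 smith    copy   payroll 123
2012-09-04T08:07:02 jones    alter  payroll 124
2012-09-04T09:15:33 patel    copy   legal   201
2012-09-04T09:16:00 svc_bak  copy   payroll 125
2012-09-04T23:41:09 jones    copy   payroll 123
"""

# Accepted administrators per file group, and the running inventory of
# file ids each group is known to hold (the count of mares in the corral).
ACL: Dict[str, Set[str]] = {"payroll": {"jones", "svc_bak"}, "legal": {"patel", "lee"}}
INVENTORY: Dict[str, Set[str]] = {"payroll": {"123", "124"}, "legal": {"201"}}
SENSITIVE_ACTIONS = {"copy", "alter", "delete"}


def parse_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, group, file_id = line.split()
        yield {"ts": ts, "user": user, "action": action, "group": group, "file": file_id}


def exception_report(log: str, acl: Dict[str, Set[str]], inventory: Dict[str, Set[str]],
                     business_hours: Tuple[int, int] = (7, 19)) -> List[Tuple[str, str]]:
    """Return (timestamp, message) for every log record that breaks a rule.

    The log identifies an account, not a person: an alert on 'smith' means
    Ms. Smith or someone using her ID, which the report cannot distinguish."""
    alerts: List[Tuple[str, str]] = []
    for rec in parse_log(log):
        who, what, group, file_id = rec["user"], rec["action"], rec["group"], rec["file"]
        if what in SENSITIVE_ACTIONS and who not in acl.get(group, set()):
            alerts.append((rec["ts"], f"{who} did {what} on {group}/{file_id} "
                                      f"but is not an accepted administrator"))
        if file_id not in inventory.get(group, set()):
            alerts.append((rec["ts"], f"{group}/{file_id} is not in the inventory: "
                                      f"the running count is wrong or a file was planted"))
        hour = int(rec["ts"][11:13])
        if what == "copy" and not business_hours[0] <= hour < business_hours[1]:
            alerts.append((rec["ts"], f"{who} copied {group}/{file_id} outside business hours"))
    return alerts


if __name__ == "__main__":
    for ts, message in exception_report(SAMPLE_LOG, ACL, INVENTORY):
        print(ts, message)
```

On the sample log the report raises three exceptions: the copy by `smith`, who is not an administrator for payroll; a copy of payroll file 125, which the inventory does not know about; and a copy by an authorized administrator at 23:41. The last one is not a policy violation on its own, but it is exactly the kind of event the article says should be looked at rather than buried.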
Security’s road will not get easier in the near future. Web addresses are soon to be written in 14 basic languages. The Internet is moving to IPv6, whose much larger address space is written in hexadecimal, to make room for our explosive online growth. Hackers and fraudsters can hide behind national borders.
“We have really got to speed up the rate of international cooperation — fast,” warns Citarella. And then, of course, there is the exponential advance of new types of cyber crimes. Every crook has a new angle. How does Mr. Citarella hope to keep up? He replies, “Nothing keeps me as current as looking at the files on my desk.”