Strategic incident response to increase information security after breaches

Another day, another breach, and more credit cards are on the open market. I’m not sure what the thieves are going to be doing with the credit cards at this point but let’s take a look at where we are going and take a moment to reflect on what we’re doing here in infosec land.

There will be the normal requirements that credit card companies reissue the credit cards to impacted users.

The consumers will be asked to watch their bills for unexpected charges: the normal post-breach process. Then again, some consumers are now being issued new cards faster than the breaches arrive. Say you were impacted by the Jimmy John's breach and now the Kmart breach, but your card was the same one in both breaches. You are already golden for some amount of time.

Why so many breaches? In the incorrectly attributed, immortal words never actually uttered by Mr. Sutton: “It’s where the money is…” More to the point, the edge of the enterprise is made of utilitarian devices, and yet they are the point of trust in the transaction. Until we settle on a strategy beyond architecturally failed concepts like defense in depth, breaches of this type will continue. The defensive strategy for a point of sale system should look more like a crunchy candy with a soft center. Even more important, the enterprise has to make some very large leaps in how it reasons about infosec.

Think of it this way. When the board sits down to meet, they are talking shareholder value and are likely using one of many risk management tools to decide how to budget for information security. That is good, and the principal thinking of strategic information security leaders has matured greatly in the last few decades. What has to happen now is an added cognitive component to the discussion. The enterprise has to realize that it is protecting its consumers from themselves. The enterprise has to realize that the trust equation at the consumer transaction is as important as the mail server, the financial register, and the bank balance. The entire point of sale system is the heart of the business trust equation, not an added value to the efficiency of commerce.

Where are we going? Credit cards are dead. Put a fork in them, take them off the barbecue; they were a 1960s technology that had a great run. They are getting crispy. Don’t spoil the enterprise for want of a little more profit eked out of ancient credit card tech. What’s next? Between Speed Pass, Apple Pay, and various other technologies, a rolling, non-resident, key-based transaction system seems the best option. Something that is dual banded, so the merchant controls one element, the consumer controls another part of it, and the payment clearing house controls the third part, seems to be the future.

Business should get in front of this and start demanding that credit card issuers be open to innovation. Since much of the payment liability is shifted onto the corporation with the breach and the subsequent fraudulent spending, there is a market opportunity available. Government will see this as an opening for a SOPA/CIPA/DMCA/CFAA type policy fulcrum, and that isn’t good for consumers or corporations. Though some liability relief may occur, the consumer choice/freedom/controls will backfire on industry. Anybody seen the RIAA/MPAA lately?

The strategic value is in getting in front of the issue. It is hard when we are tactically engaged in breach response to realize that some of what we are seeing is great evidence toward a strategic plan for mitigation. Draw from the patterns of these breaches as much thinking as you can toward what would stop them.

Malware is a fact of life, but what if you have a technical solution beyond patch and pray to mitigate the malware’s capability? Moving to out-of-band communication controlled by the consumer is a simplistic but available answer. Moving credit card processing to a full PKI and hashed-response algorithm, so the store maintains nothing, is fraught with issues (charge-backs, refunds, etc.). It still may be a better answer. Draw some ideas from the breach and use them to shape a better response plan. Finally, gather evidence and metrics. From other breaches, metrics beyond the silly number of credit cards can be derived. That allows for root cause analysis that can inform strategic direction.
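An added illustration, not from the post, of the property the author is after in the dual-banded, rolling-key design sketched above and in the “store maintains nothing” idea here: the merchant retains only a one-time, account-bound code, so a copy of its records is useless for a second charge or an altered one. The three-party split, account ids and keys are constructed assumptions for the demonstration, not a description of any real payment scheme.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


def _bind(account_id: str, merchant_id: str, amount_cents: int, counter: int) -> bytes:
    # Everything the code commits to: account, merchant, amount and a rolling counter.
    return f"{account_id}|{merchant_id}|{amount_cents}|{counter}".encode()


@dataclass
class ConsumerDevice:
    """Consumer-controlled element: holds the long-term secret; the merchant never sees it."""
    account_id: str
    secret: bytes
    counter: int = 0

    def authorize(self, merchant_id: str, amount_cents: int) -> dict:
        self.counter += 1
        code = hmac.new(self.secret, _bind(self.account_id, merchant_id, amount_cents, self.counter),
                        hashlib.sha256).hexdigest()
        # This bundle is all the merchant stores; it contains no reusable card number.
        return {"account_id": self.account_id, "merchant_id": merchant_id,
                "amount_cents": amount_cents, "counter": self.counter, "code": code}


@dataclass
class ClearingHouse:
    """Clearing-house element: holds per-account secrets and the last accepted counter."""
    secrets_by_account: dict
    last_counter: dict = field(default_factory=dict)

    def settle(self, tx: dict) -> bool:
        secret = self.secrets_by_account.get(tx["account_id"])
        if secret is None:
            return False
        expected = hmac.new(secret, _bind(tx["account_id"], tx["merchant_id"], tx["amount_cents"],
                                          tx["counter"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["code"]):
            return False  # amount or merchant altered, or wrong key
        if tx["counter"] <= self.last_counter.get(tx["account_id"], 0):
            return False  # a code already settled once: the merchant's copy is spent
        self.last_counter[tx["account_id"]] = tx["counter"]
        return True


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key and account, not real values
    card, house = ConsumerDevice("acct-demo-001", key), ClearingHouse({"acct-demo-001": key})
    merchant_db = []  # the only thing a breached merchant could ever leak
    tx = card.authorize("store-42", 1999)
    merchant_db.append(dict(tx))
    first = house.settle(tx)
    replay = house.settle(dict(merchant_db[0]))              # leaked record resubmitted as-is
    altered = dict(merchant_db[0], amount_cents=99999)       # leaked record with amount changed
    return {"first": first, "replay": replay, "tampered": house.settle(altered)}
```

The point of the demo is the last two results: what the merchant stored settles once and never again, and cannot be bent to a different amount, which is the liability shift the post argues for.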
