Amid escalating tensions in Eastern Europe, the Department of Homeland Security (DHS) recently issued a bulletin warning of potential Russian cyberattacks against targets in the United States. Reportedly, these attacks could range from a “low level denial-of-service attack, to ‘destructive’ attacks targeting critical infrastructure.” The abundance of news headlines about the heightened threats has prompted many questions ranging from “what is a cyberattack” to “who are prime targets” to “what can I do to protect my business?”
For answers to these questions and more, we turned to Wind River’s own security expert, Douglas Buan. As chief information security officer, Doug brings extensive experience in law enforcement, payment fraud investigation, and cybercrime investigation to Wind River and our customers. We sat down with Doug to get a better understanding of the cyberattack threats and just how concerned US businesses should be.
Buan: A cyberattack is really any unauthorized attempt to steal data, disable computers, or interrupt business operations. Attackers try to access networks and sensitive data often for monetary gain or simply to sow discord, misinformation and chaos. Cyberattacks pose a serious threat to all businesses – particularly the small and mid-size companies that don’t think they’re a target. In fact, the vast majority of cyberattacks actually happen to SMBs. We don’t hear much about them because most SMB breaches do not make the headlines. Sadly, 60 percent of small businesses that have a data breach or fall victim to a cyberattack go under within six months.
Buan: The general answer is yes, the payments industry is susceptible, just like any other industry. That said, I believe the payments industry defenses are ahead of many others since we have been targeted for many years by threats trying to steal financial and identity data.
We can’t rest on our security laurels though. We need to always take a cyberattack threat seriously.
Buan: According to alerts from various federal agencies, businesses that are part of U.S. critical infrastructure, such as financial services, utilities, and petroleum, should monitor for elevated attack activity. Examples of cyberattack activity include things like phishing attempts to employees, elevated activity or exploit attempts against firewalls, website defacement or injected code. Basically everything “bad.”
Depending on their size or complexity, businesses not in critical infrastructure should also be looking for these signs using automated scans and reports. It’s a good business practice even if there isn’t a heightened alert.
Buan: If you do discover elevated attack activity, you can report it to federal entities such as The Cybersecurity and Infrastructure Security Agency (CISA): https://www.cisa.gov/uscert/report.
Buan: Yes, there is definitely involvement between the card brands, various entities within the payments industry, and federal agencies and task forces. There are communications to which the public is not necessarily privy. Security is a top priority for the federal government and for the card brands. In fact, many of the senior security leaders at some of the major card brands are former federal law enforcement personnel so there are tight networking connections from this aspect as well.
Buan: A key phrase in the DHS bulletin is “critical infrastructure” targets. CISA has identified several sectors that are essential to public health and safety and national security. These include Financial Services, Communications, Manufacturing, Energy, Healthcare, Transportation and Nuclear – among several others.
Buan: It affects Wind River Financial as we’re part of financial services. Generally, we try to assess: 1) what is the threat, 2) what is the potential level of impact of the threat, and 3) are there things we need to specifically alert our customers about? We try to keep customers in the know when there is an event of which they should be aware and offer ways in which they can protect themselves or better respond.
Buan: The base level really is the Payment Card Industry Data Security Standard (PCI DSS). It contains roughly 350 requirements that businesses need to adhere to in order to protect their data. Employees should be trained regularly to identify phishing and other malicious items that can arrive in various communication channels. Over 90 percent of compromises originate with an employee clicking on something in an email that they should not. It’s easier to socially engineer an employee than it is to exploit a network with code – despite what you might see in the movies.
In conjunction with training personnel, we also recommend placing layered defenses within your technology stack. For instance, if you use an email and business app solution like Microsoft 365, there are certain security solutions that Microsoft bakes in, but there are additional protections that can be turned on or configured as well.
Lastly, I’d say be extra vigilant with monitoring – particularly while this heightened cyberattack threat is in place. If you have an ecommerce website, monitor for activity that looks out of the norm. Ask your web developer to regularly review the code to look for abnormalities. There are certain solutions that can review your code in an automated fashion.
Over the past couple of years, there has been a very significant increase in automated testing of stolen credit card numbers on legitimate e-commerce websites. A large number of small transactions such as $1 is usually indicative of stolen card number testing. Anti-automation tools such as Google’s reCAPTCHA can help stop this type of activity for little or no cost. Also, pay attention to your external vulnerability scans (part of Wind River’s PCI Partner program) and remedy identified vulnerabilities as a priority. These may seem like little things but they can go a long way toward protecting your payments and other data.
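The card-testing pattern described above (many small transactions, typically cycling through different card numbers, in a short time) can be spotted in a merchant's own authorization logs. The script below is an added example, not Wind River's code or part of its PCI Partner program. It assumes a constructed log format of timestamp, source IP, last four digits of the card, amount and authorization result; the sample lines, thresholds and IP addresses are all made up for the example. It also shows a caveat the interview's heuristic implies: small amounts alone are not enough, since a customer repeatedly buying a cheap item with one card looks nothing like a criminal cycling through stolen numbers.

```python
"""Flag card-testing bursts in payment authorization logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source ip> <card last4> <amount> <result>"
SAMPLE_LOG = """\
2022-03-01T10:00:01 203.0.113.7 1001 1.00 DECLINED
2022-03-01T10:00:14 203.0.113.7 1002 1.00 DECLINED
2022-03-01T10:00:27 203.0.113.7 1003 1.00 APPROVED
2022-03-01T10:00:41 203.0.113.7 1004 1.00 DECLINED
2022-03-01T10:00:55 203.0.113.7 1005 1.00 DECLINED
2022-03-01T10:01:09 203.0.113.7 1006 1.00 DECLINED
2022-03-01T10:01:22 203.0.113.7 1007 1.00 DECLINED
2022-03-01T10:01:36 203.0.113.7 1008 1.00 APPROVED
2022-03-01T10:01:50 203.0.113.7 1009 1.00 DECLINED
2022-03-01T10:02:03 203.0.113.7 1010 1.00 DECLINED
2022-03-01T10:00:30 198.51.100.20 5555 49.99 APPROVED
2022-03-01T10:04:12 198.51.100.20 5555 120.00 APPROVED
2022-03-01T10:03:00 198.51.100.44 7777 1.00 APPROVED
2022-03-01T10:03:30 198.51.100.44 7777 1.00 APPROVED
2022-03-01T10:04:00 198.51.100.44 7777 1.00 APPROVED
2022-03-01T10:04:30 198.51.100.44 7777 1.00 APPROVED
2022-03-01T10:05:00 198.51.100.44 7777 1.00 APPROVED
2022-03-01T10:05:30 198.51.100.44 7777 1.00 APPROVED
2022-03-01T10:06:00 198.51.100.44 7777 1.00 APPROVED
2022-03-01T10:06:30 198.51.100.44 7777 1.00 APPROVED
2022-03-01T10:07:00 198.51.100.44 7777 1.00 APPROVED
"""

# Thresholds are assumptions for the example; tune them to the merchant's traffic.
SMALL_AMOUNT = 2.00            # USD; at or below this counts as a "small" transaction
WINDOW = timedelta(minutes=5)  # sliding window per source address
MIN_ATTEMPTS = 8               # small transactions in the window to raise an alert
MIN_DISTINCT_CARDS = 5         # card testing cycles through many card numbers


def parse_log(text):
    """Parse the constructed log format into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, card, amount, result = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "card": card,
            "amount": float(amount),
            "result": result,
        })
    return records


def find_card_testing(records):
    """Return {source ip: details} for sources whose small-transaction burst
    within WINDOW reaches MIN_ATTEMPTS and MIN_DISTINCT_CARDS."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    alerts = {}
    for ip, recs in by_ip.items():
        small = sorted((r for r in recs if r["amount"] <= SMALL_AMOUNT),
                       key=lambda r: r["ts"])
        start = 0
        for end in range(len(small)):
            # Advance the window start until the window spans at most WINDOW.
            while small[end]["ts"] - small[start]["ts"] > WINDOW:
                start += 1
            window = small[start:end + 1]
            cards = {r["card"] for r in window}
            if len(window) >= MIN_ATTEMPTS and len(cards) >= MIN_DISTINCT_CARDS:
                declines = sum(1 for r in window if r["result"] == "DECLINED")
                details = {
                    "attempts": len(window),
                    "distinct_cards": len(cards),
                    "decline_rate": round(declines / len(window), 2),
                    "first": window[0]["ts"].isoformat(),
                    "last": window[-1]["ts"].isoformat(),
                }
                # Keep the largest qualifying window seen for this source.
                if ip not in alerts or details["attempts"] > alerts[ip]["attempts"]:
                    alerts[ip] = details
    return alerts


if __name__ == "__main__":
    for ip, details in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, details)
```

Running it flags only 203.0.113.7 (ten $1.00 authorizations against ten different card numbers in about two minutes, most of them declined), while 198.51.100.44's nine small purchases on a single card are left alone. A high decline rate within the burst is a strong secondary signal, and the alert is the point at which to add rate limiting or an anti-automation challenge for that source rather than to block blindly.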
Buan: Specific warnings like these can be a wake-up call. This stuff goes on every day, and small businesses, in particular, are targets as they can provide access to financial and other services. My advice is to closely monitor and manage the tech side of things. It really is a must-have in today’s environment. Those businesses that don’t have staff to manage their technology may want to consider working with external resources to identify security vulnerabilities and strengthen their protection.
Like insurance, you hope you never need it, but when the worst happens, you’re very glad you have it.