Millions of Koreans are reeling from the fact that their personal details were stolen and sold to marketing firms by a technician hired by the Korea Credit Bureau, a ratings firm that the credit card companies had hired to help improve their systems to protect client data.
According to news reports, the stolen data of customers from KB Financial Group, the NongHyup Financial Group and Lotte Card included names, phone and South Korean social security numbers, email and residential addresses, salaries, monthly card use and other credit-rating information of clients, the Financial Supervisory Service, a regulatory agency, said in a statement. In many cases, card numbers were stolen as well.
Any business will be at risk from such a significant loss of data, said Hayato Koeda, VP of South APAC, and President and CEO of A10 Networks in Japan. “The incident has shown that enterprises cannot be complacent and need to take information security seriously. It goes beyond data loss at an individual company; the incident creates distrust toward the industry, the social system and the economy,” he said. “Businesses must always take safeguards and security measures to mitigate scandals caused by the people who are using the technology, particularly employees and partners who are working within or closely with the organization.”
The theft of data via USB device represents one of the more difficult aspects of security to prevent, say most experts.
According to Forrester’s Senior Analyst for Security & Risk, Manatosh Das, the data theft in this case went undetected over a period of time because the computer contractor had official access to the databases in the banks. “The ‘Human Factor’ is as strong as the weakest link in the chain. At Forrester, we encourage our clients to adopt a Zero Trust model towards Information Security, which means security must be ‘ubiquitous throughout the network, not just at the perimeter’,” Das said.
Steve McWhirter, Vice President Asia Pacific and Africa, Check Point Software Technologies Ltd, said that, unfortunately, without proper control over which authorized USB devices are allowed to be connected to their machines, resentful employees or contractors can easily connect their own USB devices and copy confidential data, or even worse, upload malicious programs to the organization’s servers. He added that a lack of encryption and access control (document security) on this confidential customer information also makes it easy for copied data to be sold or used outside of the organization without approval.
The Big Data Approach
In 2013, Big Data security analytics and the analysis of networking logs were added to help defend the network.
Das is of the opinion that the use of such analytics would have helped the banks detect an anomaly. However, he stressed that merely deploying Security Information Management (SIM) tools is not the solution; applying stringent rules on the SIM technology is very important, e.g. if a particular user ID accesses some critical data, an alert is sent to the data owner or manager.
Paul Pang, Chief Information Security Officer, Asia Pacific, Splunk Inc., agreed, saying that a company should monitor all inappropriate access and send a warning and an alert in real time to indicate that the company is aware of it.
Pang further added that while Big Data analytics could help in detecting anomalies, the problem lies in being able to do so at a speed that is meaningful for the company, since the bigger the organization, the bigger the data set of user activities and system records.
But McWhirter cautioned that Big Data is not necessarily the “be all and end all” technology or the answer to all things: the time and resources needed to identify file actions by thousands of workers across thousands of computers every day would make it extremely difficult for big data analytics to pick up a few illegal downloads of confidential files across a period of weeks or even.
“The huge amount of audit logs from each computer would make the task of archiving and maintenance costly for many organizations,” he said.
Beyond looking at Big Data, Koeda said that businesses also needed to implement security solutions such as Data Loss Prevention (DLP) that can manage the use of removable devices and access to sensitive data. In addition, network devices with “SSL intercept” capability, which enables the inspection of SSL-encrypted traffic, can prevent the transfer of confidential data to external servers through the internet. Security measures such as Web Application Firewall (WAF) solutions can also validate server output, and mask sensitive data such as credit card numbers or social security numbers. Multiple, layered security measures are vital for securing an organization’s infrastructure.
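The output-masking step Koeda describes (a WAF or similar device validating server output and masking card or social security numbers) can be illustrated with a small filter. The code below is an added example, not code from the article or from A10 Networks: it masks any 13–19 digit sequence that passes the Luhn check (keeping the last four digits) and, as an assumed pattern for a South Korean resident registration number, any `YYMMDD-NNNNNNN` token. The sample response text is constructed.

```python
"""Added example: mask card numbers and resident registration numbers in
server output, as a WAF output-validation rule would. Patterns and sample
text are assumptions for the example, not taken from any product."""
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Assumed resident registration number layout: YYMMDD-NNNNNNN (13 digits).
RRN_RE = re.compile(r"\b\d{6}-\d{7}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers and IDs that merely look numeric."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match: re.Match) -> str:
    token = match.group()
    digits = re.sub(r"\D", "", token)
    if not luhn_ok(digits):
        return token  # not a card number; leave untouched
    keep_from = len(digits) - 4
    seen = 0
    out = []
    for ch in token:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)  # preserve separators so layout is unchanged
    return "".join(out)


def _mask_rrn(match: re.Match) -> str:
    # Keep the date part, mask the seven identifying digits.
    return match.group()[:6] + "-" + "*" * 7


def mask_output(body: str) -> str:
    """Apply RRN masking first so a masked RRN can never also match CARD_RE."""
    body = RRN_RE.sub(_mask_rrn, body)
    return CARD_RE.sub(_mask_card, body)


if __name__ == "__main__":
    # Constructed server response fragment.
    sample = "Card 4111 1111 1111 1111, RRN 900101-1234567, tel 02-1234-5678"
    print(mask_output(sample))
```

The Luhn check matters: without it the card rule would also hit long order numbers and the 13-digit registration number itself, which is why the registration-number rule runs first and why a number that fails the checksum is passed through unchanged.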
Handling the Aftermath
According to news reports, a number of senior executives at the three affected credit card companies offered to resign on Monday. The South Korean Government also took steps to try to ease the jitters, with Prime Minister Chung Hong-won saying that the government would “significantly boost punishment” for those responsible.
A report in the New York Times stated, “Prosecutors have also indicted two phone marketing company managers on charges of buying the stolen data from the technician. Prosecutors said they found no evidence that the data had circulated any further, but fears spread that the information may have fallen into the hands of financial scammers.”
A10 Networks’ Koeda said that affected businesses need to regain trust through activities that can help increase awareness of personal information protection. This needs to be done throughout the business environment, starting from the individual and extending to the organization, the industry and society at large. The efforts and actions by an organization to protect personally identifiable information must also be clear and visible to all. Only then can businesses start to regain trust and ensure the safety of their customer information, he concluded.
What businesses may have to be constantly aware of is that IT security, in terms of networks and data, is only as strong as its weakest link, McWhirter noted, and this includes upstream stakeholders (such as service providers and suppliers) and downstream customers. This means security breaches involving internal or contract stakeholders are not uncommon, he added.
He also felt that an honest admission on the full extent of any security breach, with a detailed explanation on damage control, should be communicated promptly to all stakeholders, including customers.
Communication was also important for Splunk’s Pang, who said that the banks needed to communicate to customers their aftermath strategies for bringing the situation under control and ensuring such incidents don’t happen in future. The banks also needed to replace their affected customers’ credit cards.
Das said that customer trust is crucial for businesses to flourish and any security breach makes a big dent in customer trust. Regaining customer trust after a security breach is a big challenge for businesses, he explained, citing the Sony PlayStation data breach incident: “breaking trust takes minutes but building trust can take years.” After an incident like this, Das said, organizations need to be more transparent with their customers in the way they collect, store and use customer data.
Dealing with the Insider
Eric Chan, regional technical director for Southeast Asia and Hong Kong at Fortinet, said that there are some measures that organizations can take to deal with insider threats:
1) Monitor all user activities and establish a user profile or baseline.
Companies need to understand things like: which user accesses which databases; which database tables users access regularly; where users come from and what tools they use (IP, source application, etc.); what is normal behavior and what is suspicious. Once a profile or baseline is established, it will be easier to detect any activities which are outside of the norm.
2) Implement proper access control. This includes a periodic review of each user’s privileges and roles. For example, a guest user account should not have administrative access.
3) Implement a data loss prevention solution which monitors and alerts on sensitive data (such as trade secrets and personal information) entering and leaving their network and IT infrastructure.
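Chan’s first measure (a per-user baseline of which databases and tables are accessed, from which IP and with which tool) and Das’s SIM rule (alert the data owner when a particular user ID touches critical data) can be combined in one piece of detection logic. The script below is an added example, not code from the article or from Fortinet, Forrester or Splunk: it learns a profile per user from a set of audit lines, then reports every new access that touches a critical table, reads an unusually large number of rows, or deviates from that user’s baseline. The `key=value` log format, the user and table names, the critical-table list and the bulk-read threshold are all constructed for the example.

```python
"""Added example: learn a per-user database access baseline and flag
accesses outside it. Log format, names and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed audit lines used to build the baseline (key=value format assumed).
BASELINE_LOG = """\
2014-01-06T09:12:03 user=svc_report db=cards table=transactions src=10.1.2.10 tool=report_tool rows=500
2014-01-06T09:40:11 user=svc_report db=cards table=merchants src=10.1.2.10 tool=report_tool rows=120
2014-01-07T10:05:44 user=contractor01 db=cards table=schema_meta src=10.1.5.20 tool=dbdesigner rows=40
2014-01-08T11:22:09 user=contractor01 db=cards table=schema_meta src=10.1.5.20 tool=dbdesigner rows=38
"""

# Constructed audit lines to evaluate against that baseline.
NEW_LOG = """\
2014-01-15T09:13:00 user=svc_report db=cards table=transactions src=10.1.2.10 tool=report_tool rows=510
2014-01-15T22:47:31 user=contractor01 db=cards table=customers_pii src=10.1.5.20 tool=mysql_cli rows=1200000
2014-01-16T03:02:10 user=tmp_admin db=cards table=card_numbers src=172.16.0.9 tool=mysql_cli rows=900000
"""

# Tables whose every access is routed to the data owner (assumed list).
CRITICAL_TABLES = {"customers_pii", "card_numbers"}
# Row count above which a single read is treated as a bulk read (assumed).
BULK_ROWS = 100_000

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one audit line into a dict; the leading timestamp is kept as 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, value in KV_RE.findall(rest):
        event[key] = value
    event["rows"] = int(event.get("rows", 0))
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per-user profile: the (db, table) pairs, source IPs and tools seen."""
    profile = defaultdict(lambda: {"tables": set(), "ips": set(), "tools": set()})
    for e in events:
        p = profile[e["user"]]
        p["tables"].add((e["db"], e["table"]))
        p["ips"].add(e["src"])
        p["tools"].add(e["tool"])
    return dict(profile)


def evaluate(event, profile):
    """Return finding tags for one event; an empty list means 'within baseline'."""
    findings = []
    if event["table"] in CRITICAL_TABLES:
        findings.append("critical-table")
    if event["rows"] >= BULK_ROWS:
        findings.append("bulk-read")
    p = profile.get(event["user"])
    if p is None:
        findings.append("unknown-user")
        return findings
    if (event["db"], event["table"]) not in p["tables"]:
        findings.append("new-table")
    if event["src"] not in p["ips"]:
        findings.append("new-source-ip")
    if event["tool"] not in p["tools"]:
        findings.append("new-tool")
    return findings


def scan(baseline_text, new_text):
    """Map 'timestamp user' of each anomalous new event to its findings."""
    profile = build_baseline(parse_log(baseline_text))
    report = {}
    for e in parse_log(new_text):
        tags = evaluate(e, profile)
        if tags:
            report[f"{e['ts']} {e['user']}"] = tags
    return report


if __name__ == "__main__":
    for key, tags in scan(BASELINE_LOG, NEW_LOG).items():
        print(key, ", ".join(tags))
```

The routine reporting user’s access produces no findings, while the contractor reading a PII table with a tool never seen in its profile, and an unknown account pulling the card-number table, are each tagged with several reasons. In practice the baseline window would be longer and the critical-table list and row threshold would come from the data owners rather than constants.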