Last month, I had the opportunity to meet some new peers and some old acquaintances at a small gathering in San Antonio. Just a few friends talking about the world's cybercrime problems and discussing the steps being taken by our country to protect us from the perpetrators. For the readers who do not know me personally, it was back to the future to my Air Force roots.
The meeting was to discuss cybercrime on a world scale and give a status report on the standing of the 24th Air Force, which, given the progress of the work, should become operational in the next few weeks. Some of you may ask what airplanes have to do with this, and the answer is nothing. The USAF is responsible for much more than flying the troops around or neutralizing a target; it is also the primary ISR (Intelligence, Surveillance and Reconnaissance) agency in the DOD and a multi-service support organization. The ISR and the 24th will have primary duties in monitoring and protecting us from foreign and NGO attacks on the Internet. Contrary to popular belief, the Internet is used by our government as much as by the private sector, and when it is attacked it affects all users equally. A longtime acquaintance of mine, Howard Schmidt, Cybersecurity Advisor to the President, gave a very interesting keynote outlining the need for greater cooperation between all sectors (public, business, education and government) to combat Internet cybercrime. It is not about the big hit anymore. Cyber criminals are after the small frauds valued at under $10 per transaction, because when multiplied by millions of transactions they become huge takes that mostly go unnoticed, or after the siphoning of data that can be used to gain an advantage in the marketplace, courtroom or field of battle.
Referring to a recent posting, even a few years after the Heartland heist by Mr. Gonzalez, banks are just now finding out that their credit cards were compromised in the heist. The thieves stole millions of numbers, but they did not use them all at one time, so no one knows what other card numbers are out there in the hands of the criminals. And banks do not change account numbers very often, even when cards are renewed. I have had personal incidents where American Express allowed charges to be passed through on a card number that had expired over 3 years prior to the date of the charge. After getting caught they reversed it, but only after a complaint was filed and I refused the unauthorized charge. The bank makes money on every charge processed, hence their approach to processing. By the way, if you want to have fun, ask your credit card company why they have not implemented, for your account in the US, the chip-on-the-card system used by all credit issuers in Europe. Some banks are starting to change because US international travelers are finding that they cannot use their credit cards overseas in automated systems; the chip requires the use of a PIN in addition to the card being read. It makes fraud much more difficult.
A consensus amongst the attendees was that we are finally starting to see a unified, concerted effort in the cyber security arena. But it is just beginning, and Cyber-Hygiene is a long-term proactive approach. Another topic of interest was the sale of counterfeit computer parts that contain built-in hacks to divert data packets to criminals or foreign operatives. Do you have a policy that restricts the sources of hardware to known legitimate vendors and manufacturers, or is the lowest price the purchase determinant? In many large organizations price is the ultimate decision maker. If I wanted to hack someone, all I would have to do is sell them very low-priced Ethernet cards or complete systems. The question is: what is the value of your data?
To learn more about Internet security or to conduct a security assessment, contact For-Sec at 281-549-4751 or email Ernesto Rojas at firstname.lastname@example.org.