As the EMV reality squeezes card fraudsters out of the card-present business, they are all crowding into the online racket. U.S. retailers should be ready.
With retailers seeking advice about this, the first question I ask usually raises eyebrows. I don’t ask about protocols or gadgets. I ask to check out the people.
Here’s why. Following the 2008 financial crisis, many “soft” professionals lost their jobs and began seeking “hard” skills. As a result, many literature majors gravitated toward the computer-security schools that had popped up opportunistically around the country. Laid-off journalists, disappointed art critics, and forlorn geography graduates took a quick, targeted course to earn a common cyber-security certificate that wound up landing them well-paying jobs with nervous retailers.
The sad fact is that too many security professionals have a very shallow background in computer science. They are neither programmers, nor hardware people, nor network specialists, nor encryption mavens. They may write policy and read performance indices on firewalls and security monitors, but they have little chance to spot—let alone intercept and neutralize—a smart hack.
So here’s an ironclad rule: Hire hard-core computer-science graduates, not information, communication, or media students graduating from private academies where “general life experience” counts as credit. Yes, you can hire the latter people for less, but they will cost you much more if you suffer a hack they should have prevented. A security professional can only defend you against a hacker who is dumber, or at least no smarter, than she is.
Among the well-known security measures that are repeated in every code, I emphasize two: obscurity and enterprise. The industry has evolved into dangerous standardization. We use the same hardware, we operate on the same operating systems, and we subscribe to the very same application packages. As such, we serve as a naked, stationary target for our attackers. They know everything about our data processing except the data itself (to begin with). But to the extent that you use a device, a trick, a method not anticipated by your hacker, you confound him.
Example: Unlike ZIP codes, Social Security numbers are usually not searched in “ranges.” That means that a simple transposition of digits will be okay with the analytics team and will also protect the entry. You don’t need a robust cipher. Any programmer can mix and unmix digits. Transposition can be applied in many surprising ways, and a surprised hacker is a failed hacker!
End-to-end encryption is a good form of obscurity as well, but here several factors are critical. If you mismanage your keys, the strength of your cipher is irrelevant. If you lose your root key, then however careful you are down the line to store and protect the working (derived) keys, your security is compromised. Create “air” between these keys and your online apparatus. Remember: A flash drive may be contaminated with malware that the operating system does not see or does not report.
Now, enterprise. Assume there’ll be a cyber breach and plan to minimize the damage. You may want to tolerate a slight inconvenience and partition your data into two or more distinct databases with different security protocols. Intrusion intervention and recovery are hard. Don’t start thinking about them under the fog of stress. War-game various scenarios, and involve all security personnel and others in make-believe attack response. Train every person who has data privileges in security matters.
Side note: The market is flooded with “smart data miners” who crunch all available data about anyone logging online and then compute a suspicion index for them. In many cases, this is oversold. Such a device must be tuned either to minimize the chance of admitting a hacker or to minimize false alerts. The problem is that when you squeeze one side, you loosen up the other. Vendors will tend to tune their tools to minimize the chance of a hacker coming through. Unwittingly, the tool will reject many good customers, and you will have no good statistics as to how much business you lose that way.
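The tuning trade-off in that side note can be made concrete. The following Python sketch is an added illustration, not code from the column or from any vendor's product: it scores a constructed batch of sessions with a made-up "suspicion index" and shows that every threshold that admits fewer hackers also rejects more good customers. The `Session` type, the scores and the fraud labels are all assumptions for the example.

```python
# Added example: a toy suspicion-index filter and the tuning trade-off it forces.
# All sessions, scores and fraud labels below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    score: float      # suspicion index in [0, 1]; higher means more suspicious
    is_fraud: bool    # ground truth, known here only because the data is constructed


# Constructed data: a few fraudulent sessions mixed with many legitimate ones,
# with overlapping scores, as real traffic has.
SESSIONS = [
    Session(0.92, True), Session(0.85, True), Session(0.71, True),
    Session(0.55, True), Session(0.40, True),
    Session(0.05, False), Session(0.10, False), Session(0.12, False),
    Session(0.20, False), Session(0.25, False), Session(0.33, False),
    Session(0.38, False), Session(0.45, False), Session(0.52, False),
    Session(0.60, False), Session(0.66, False), Session(0.74, False),
]


def evaluate(sessions, threshold):
    """Reject every session scoring >= threshold; return both error rates."""
    fraud = [s for s in sessions if s.is_fraud]
    legit = [s for s in sessions if not s.is_fraud]
    missed = sum(1 for s in fraud if s.score < threshold)      # hackers admitted
    rejected = sum(1 for s in legit if s.score >= threshold)   # good customers lost
    return {
        "threshold": threshold,
        "miss_rate": missed / len(fraud),
        "false_reject_rate": rejected / len(legit),
    }


def sweep(sessions, thresholds):
    """One row per threshold; squeezing one rate loosens the other."""
    return [evaluate(sessions, t) for t in thresholds]


if __name__ == "__main__":
    # In production the is_fraud label is unknown for the customers you turned
    # away, which is exactly why the lost-business side goes unmeasured.
    for row in sweep(SESSIONS, [0.3, 0.5, 0.7, 0.9]):
        print(f"threshold {row['threshold']:.1f}: "
              f"miss {row['miss_rate']:.0%}, "
              f"false reject {row['false_reject_rate']:.0%}")
```

Keeping a labelled sample like this one is the only way to see the false-reject side of the ledger; a vendor-tuned tool run on unlabelled live traffic shows you only the frauds it caught.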
In closing, bring in a fresh consultant. We all get stale. If you bring a new security professional into my territory, she will see much that I overlook. And vice versa.
—Gideon Samid • Gideon@BitMint.com