Wednesday, December 31, 2014

Developers vertrouwen ten onrechte op open-source

News - In 2014, open source proved to be very insecure on several occasions; just look at the panic caused by the disclosure of vulnerabilities such as Heartbleed, Shellshock and Poodle. These were not isolated incidents, warns Jake Kouns, CISO at security firm Risk Based Security.
Kouns tells the IDG News Service that it is a myth that open source is secure because everyone can look at it. "The reality is that although anyone can examine the code, in practice it hardly ever happens, and responsibility for quality is passed on to someone else," he says.
"Developers and companies that use third-party libraries put hardly any resources into testing other people's code. Everyone assumes someone else will find the vulnerabilities and that whatever is published is secure."
Over the past year, various vulnerabilities were found in open-source libraries such as OpenSSL, LibTIFF, libpng, OpenJPEG, FFmpeg and Libev, even though these are used by millions of companies.

'Projects need to be taken more seriously'

At OpenSSL, for example, it turned out that only one developer was working on the project full-time. Too few coders on a project and the use of outdated code are the main reasons for the insecurity of open source, Risk Based Security says.

Tuesday, December 30, 2014

Four Ways For A Financial Institution To Minimize Losses Related To A Data Breach

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.
This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis, the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for the increase is the loss of customers following the data breach. Financial services providers continue to be most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)
As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John's. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)
What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014). Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious codes or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product, and are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.
In addition to policies specifically covering data breaches, it is important to consider whether an institution's losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability ("CGL") policy applied to claims alleging that the insured had violated the plaintiff's right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution's crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court's holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured's loss of a computer tape containing third-party data was "property damage" and, therefore, was covered by CGL insurance.
Even if there is a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. "Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY's existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company's nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered." (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com. See, Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011)
Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor's or third-party contractor's insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that "internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks." As a result, the FDIC now defines cybersecurity as "an issue of highest importance" for itself and the Federal Financial Institutions Examination Council.
The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector's preparedness to combat and respond to cybersecurity threats. The report will include a regulatory self-assessment to evaluate readiness and identify areas requiring additional attention.
The FDIC also created a "Cyber Challenge" online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.
The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, "Managing Third Party Relationships: New Regulatory Guidance for Banks"), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach at a service provider is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status for banks across the country arising out of the compromise of at least 40 million credit cards, which affected up to 110 million people whose personal information, such as email addresses and phone numbers, was stolen.
The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.
The court recently denied Target's motion to dismiss all of the claims, concluding that Target played a "key role" in the data breach. In denying the motion, the court held that "Plaintiffs have plausibly alleged that Target's actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers' attack began – caused foreseeable harm to plaintiffs" and also concluded that "Plaintiffs have also plausibly alleged that Target's conduct both caused and exacerbated the harm they suffered." At this stage, the banks are proceeding with claims for negligence and violations of Minnesota's Plastic Card Security Act.

Monday, December 29, 2014

Bank Leumi fined $400 million, bans former U.S. compliance chief from compliance role

Israel's Bank Leumi will pay $270 million to resolve federal charges and $130 million to settle New York regulators' allegations that it helped U.S. taxpayers hide assets and income in unreported accounts in Israel and around the world.
Under the settlement with the New York Department of Financial Services (DFS), Bank Leumi USA agreed to ban its former chief compliance officer from conducting any activities related to compliance. The employee is currently chief administrative officer.
The DFS settlement also requires Bank Leumi "to terminate and ban individual senior employees who engaged in misconduct, install an independent monitor, selected by DFS, to conduct a comprehensive review of the bank's compliance programs, policies, and procedures."
In 2008, the DFS said, Bank Leumi USA's CEO appointed an employee with no compliance experience to be the chief compliance officer. The employee held the post until 2010 and approved parts of the tax evasion scheme.
Bank Leumi Group entered into a deferred prosecution agreement with the DOJ. Prosecutors filed the DPA in federal court in Los Angeles last week.
Bank Leumi admitted criminal conduct over a 10-year period. The scheme was designed to conceal U.S. taxpayer accounts in Israel, Switzerland, Luxembourg and the United States, the DOJ said.
Federal law requires U.S. taxpayers to pay taxes on all income earned worldwide. U.S. taxpayers must also report foreign bank accounts if the total value of the accounts exceeds $10,000 at any time during the calendar year. Willful failure to report a foreign account can result in a fine of up to 50 percent of the amount in the account at the time of the violation.
Bank Leumi is one of Israel’s biggest banks. It has subsidiaries in seven countries and more than 13,000 employees.
Subsidiary banks included in the federal deferred prosecution agreement are The Bank Leumi le-Israel Trust Company Ltd., Leumi Private Bank S.A. (Switzerland), Bank Leumi (Luxembourg) S.A., and Bank Leumi USA, an FDIC-insured commercial bank with offices in California, Florida, Illinois, and New York.
New York financial regulators said Bank Leumi-Israel helped U.S. clients conceal accounts by:
  • "Hold mail" service for about 2,450 U.S. accounts, whereby every statement of account, notice, or other document associated with the account would be held abroad at the foreign bank and would not be sent to the customer's address in the United States
  • "Assumed name" and "numbered" accounts, where the name of the account holder would not appear on any correspondence or account statements, and the bank would accept wire transfers using these assumed names or numbers in lieu of actual customer names
  • Referring U.S. clients to outside lawyers and consultants who would establish and maintain offshore corporations in jurisdictions like the British Virgin Islands, Panama, and Belize, to nominally hold the undeclared accounts and hide their true tax status from U.S. authorities, and
  • Suggesting U.S. clients open accounts through Bank Leumi Trust in order to add an "extra level of secrecy" to the account.
The DOJ settlement requires Bank Leumi Luxembourg and Leumi Private Bank to stop providing banking and investment services for all accounts held or beneficially owned by U.S. taxpayers.
Bank Leumi Group cooperated with investigators, the DOJ said.
During the ten-year scheme, Bank Leumi sent private bankers from Israel and other locations to the United States. They met secretly with U.S. clients at hotels, parks, and coffee shops to discuss their offshore accounts, the DOJ said.
The bank also gave loans to U.S. clients from Bank Leumi USA against assets in the clients' nominee offshore accounts. That allowed the clients to leverage their offshore assets "to obtain and use capital in the United States while keeping their foreign accounts secret and undetected from the U.S. government," the DOJ said.
In 2008, the DOJ announced criminal investigations into UBS and other Swiss banks for aiding U.S. tax evasion. Bank Leumi viewed that as an opportunity to land more clients. It opened and maintained accounts "for U.S. taxpayers who left UBS and other Swiss banks due to the investigation in an effort to continue to avoid detection by the U.S. government," the DOJ said.
As part of its agreement with the DOJ, the Bank Leumi Group turned over the names of more than 1,500 of its U.S. account holders. The bank also agreed to disclose information to the DOJ about its cross-border business and give testimony and information as part of other investigations.
The New York DFS said a private banker who worked at Bank Leumi-Israel for over 25 years wrote to a supervisor in 2011, "Nearly every client who has an account with us has used the bank as a tax haven, and is aware that by not declaring his account in the U.S. is committing an offense, [and] we have by virtue of the services we provided assisted the clients with what they wished to achieve."
Some employees involved in the U.S. tax evasion scheme have already left the bank. Bank Leumi also agreed to terminate the current head of Bank Leumi Trust who was a regional manager during the tax evasion scheme, the DFS said.
*     *     *
The DOJ's December 22, 2014 release is here.
The New York Department of Financial Services' consent order In the Matter of Bank Leumi USA, Bank Leumi Le-Israel, B.M. dated December 22, 2014 is here (pdf).

Monday, December 22, 2014

Forse schade bij Duitse staalfabriek door verfijnde hack

A steel furnace in operation
A very well-prepared attack on a steel mill in Germany caused major damage because the normal safety routines had been blocked.

According to this government agency, the hackers had very advanced capabilities. Among other things, a sophisticated form of spear phishing was used to gain access to the steel mill's systems. Employees had clearly been analysed in depth beforehand to work out how they could best be deceived. Once inside, the hackers knew exactly how to manipulate the industrial control systems. As a result of their actions, one of the blast furnaces could no longer be shut down in a controlled manner, causing serious damage to the plant.

Cyberwar increasingly has physical consequences

The incident is a new entry on the list of cases in which hackers with extensive knowledge of both IT and production processes deliberately cause damage to a company in order to take it out of operation. The best-known example is the attack by the American and Israeli governments on the Iranian nuclear reprocessing plant, in which the Stuxnet virus disabled around 1,000 ultracentrifuges. The fear is that hackers will soon also succeed in taking down a significant part of the power supply in, for example, the US, causing major damage to the economy. The Dutch water works are also a potentially very dangerous target.


Sunday, December 21, 2014

Staples breach may have affected over a million credit cards

Good grief, the hacks just don't stop. Now office-supply store Staples believes that it suffered an attack that compromised some 1.16 million payment cards. Between August 10th and September 16th this year, 115 stores were afflicted by malware that "may have" grabbed cardholder names and payment information, and two stores possibly fell victim from July 20th to September 16th this year as well. The retailer isn't fully owning up to the attacks just yet, but it's offering a mea culpa all the same: free identity protection, credit reports and a host of other security services to anyone who used a card at the affected stores (PDF). And even though four Manhattan locations had reports of fraudulent payment use from this April to September without any malware or suspicious activity taking place, the outfit is extending the aforementioned benefits to customers of those stores as well.
Staples' numbers are a drop in the bucket compared to Home Depot's 56 million compromised cards, sure, but the fact that another retailer was hacked is still an issue. Maybe, just maybe, we can go the rest of the year without news of another data breach. Is that asking too much? Sadly, it probably is.

Thursday, December 18, 2014

Keep encrypted files encrypted when you back them up to the cloud

Freelance journalist (and sometimes humorist) Lincoln Spector has been writing about tech longer than he would care to admit. A passionate cinephile, he also writes the Bayflicks.net movie blog.
After reading my article on encrypting sensitive data, Ian Cooper asked if it was safe "to use one of these encryption tools in conjunction with an online backup service?"
In that previous article, I discussed two separate ways to encrypt a folder filled with sensitive files: Windows’ own Encrypted File System (EFS) and VeraCrypt, a free, open-source fork of the well-remembered TrueCrypt. This time around, I'll look at how files encrypted with either of these work with two popular online backup services, Mozy and Carbonite.
Both Mozy and Carbonite encrypt your files and keep them encrypted on their servers. However, the default settings provide a backdoor to that encryption. It's therefore theoretically possible for a hacker, a disgruntled employee, or the NSA to access your files.
Both companies offer a more secure option where you and only you have the key, and therefore, there's no backdoor. Mozy calls this a Personal Encryption Key; Carbonite calls it a Private Encryption Key. The problem, of course, is that if you lose the key, you lose your backup.
But even if the backup service has the key to your files, they don't have the key to your EFS encryption. And the files are useless without that. When I tested this, Carbonite wouldn't let me download EFS-encrypted files onto another computer. Mozy let me download the files, but those files just contained gobbledygook.
VeraCrypt's container approach makes this a non-issue. Remember that VeraCrypt keeps your sensitive files in one or more encrypted container files. Open a container with the password, and your files become available in a virtual drive. Close the container, and your files exist only in the encrypted container.
The simple solution: Don't back up the virtual drive. Just back up the container. That will effectively back up the files, but they'll be encrypted before Mozy, Carbonite, or any other online service will ever see them.

Wednesday, December 10, 2014

7 Lessons from Target's Breach

One Year Later, What Retailers, Bankers Have Learned

December 10, 2014.

It's been a year since the breach at Target Corp., which exposed 40 million debit and credit cards along with personal information about an additional 70 million customers.
Although the attack drew attention to the need for bolstered cybersecurity measures, retail breaches show no signs of abating. Other major payments breaches at retailers since Target have included Sally Beauty, Michaels, Home Depot, Kmart and Staples, to name a few.

Target was a watershed event that put the spotlight on payment card security. Here's a review of seven important lessons learned from the huge breach incident.

1. EMV Alone Is Not Enough

Target's breach spurred congressional hearings and renewed debate among retailers and bankers about the need for a speedy migration to EMV chip technology to help prevent breaches (see Target Hearings: EMV Not Enough).
It also was a catalyst in October for a presidential order to push adoption of EMV chip technology among U.S. retailers and banks.
Visa had years earlier set October 2015 as the counterfeit fraud liability shift date for U.S. merchants and issuers that had not yet transitioned away from magnetic-stripe card technology. But EMV didn't get that much publicity until the Target attack.
In the wake of the retailer's breach, experts and industry groups, including the Payment Card Industry Security Standards Council, said that in addition to EMV, merchants also should implement tokenization and end-to-end encryption, to ensure card data is completely devalued.
"Among all of the large retailers that I talk to, their attitude is that they won't talk to vendors unless they offer tokenization with EMV," says Avivah Litan, an analyst for the consultancy Gartner. "It has to be part of the POS solution."
End-to-end encryption, on the other hand, can be an add-on, she says. "But retailers want to work with vendors that can provide all three."

2. Network Segmentation Is a Necessity

The Target breach also proved how easy it is for hackers to tunnel from one part of a corporate network to another, which is why merchants have to segment their networks.
Hackers broke into Target's POS system after they stole network credentials from Fazio Mechanical Services Inc., a vendor that serves the retailer (see Target Vendor Acknowledges Breach).
Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says network segmentation would have prevented many of the breaches suffered by retailers, including Target, over the last 18 months (see OCC: Retailers Accountable for Breaches).

3. Third-Party Oversight Is Part of Compliance

The Target breach put a spotlight on vulnerabilities related to third parties. In August, the PCI Council issued new guidance on managing third-party vendor risks that retailers and bankers alike can put to use.

Banking regulatory bodies, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. also have, in the wake of Target, repeatedly reminded banking institutions that they are responsible for ensuring the security of the third-party vendors and service providers with which they work.

4. Log Monitoring Needs Analytics

A forensics investigation into the Target breach found that transaction logs raised alarms about anomalous activity, but no one picked up on the warnings, according to multiple reports. Thus, the breach went undetected for several weeks.
In November, the PCI Council announced it will issue guidance specifically aimed at log monitoring (see Why PCI Will Issue Log Monitoring Guidance). But experts say log monitoring has to be coupled with additional analytics to be truly effective.
"Everyone is inundated with alerts," Gartner's Litan says. "One retailer may get a half million alerts a day, so it's impossible to go through all of those. By putting context awareness and behavioral analytics to the transaction logs, you can start profiling users and devices. With this context-aware view of transactions, you're able to correlate anomalies across different systems. Then you can go from a few thousand high-priority alerts to a couple hundred."
Analyst Julie Conroy of the consultancy Aite says without analytics, basic log monitoring is counterproductive because of the high rate of false positives. "A key lesson is the ability to apply analytics to the tens of thousands of false positives that these solutions throw off, to help security teams separate the wheat from the chaff," she says.
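The correlation step Litan describes, as an added Python example that is not from the article or any vendor product: two constructed alert feeds (a POS host agent and a network egress monitor) are profiled against a constructed baseline of normal (device, alert type) pairs, and anomalies that different systems report about the same device inside a 10-minute window are merged into one high-priority incident. The feed names, device names, alert types and window are all assumptions.

```python
"""Correlating anomalous alerts across systems to shrink the alert queue.

Alerts are first judged against a per-device behavioural baseline, then the
anomalies are grouped per device; a group that independent systems report
about the same device inside a short window becomes one escalated incident,
while isolated anomalies stay low priority.  All data below is constructed
for illustration and is not taken from any real investigation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: (device, alert_type) pairs observed during normal
# operation.  Anything a device has never done before counts as anomalous.
BASELINE = {
    ("pos-101", "service_restart"), ("pos-102", "service_restart"),
    ("pos-101", "dns_lookup"), ("pos-102", "dns_lookup"),
    ("pos-103", "dns_lookup"),
}

# Constructed raw alerts: (timestamp, source_system, device, alert_type).
RAW_ALERTS = [
    ("2014-12-01 02:00:05", "host_agent", "pos-101", "service_restart"),
    ("2014-12-01 02:00:07", "host_agent", "pos-102", "service_restart"),
    ("2014-12-01 02:03:11", "host_agent", "pos-103", "new_executable"),
    ("2014-12-01 02:04:40", "egress_monitor", "pos-103", "ftp_outbound"),
    ("2014-12-01 02:05:02", "host_agent", "pos-101", "dns_lookup"),
    ("2014-12-01 03:15:00", "host_agent", "pos-104", "new_executable"),
    ("2014-12-01 09:30:00", "egress_monitor", "pos-103", "ftp_outbound"),
    ("2014-12-01 09:31:00", "host_agent", "pos-103", "dns_lookup"),
]


def parse(alert):
    """Turn a raw alert tuple into (datetime, system, device, alert_type)."""
    ts, system, device, kind = alert
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), system, device, kind


def is_anomalous(device, kind, baseline=BASELINE):
    """Behavioural profile check: unseen (device, type) pairs are anomalous."""
    return (device, kind) not in baseline


def _emit(device, cluster, high, low):
    """Classify one time-clustered group of anomalies for a single device."""
    systems = {system for _, system, _ in cluster}
    incident = {
        "device": device,
        "start": cluster[0][0],
        "end": cluster[-1][0],
        "systems": sorted(systems),
        "alerts": [kind for _, _, kind in cluster],
    }
    # Two or more independent systems flagging the same device close together
    # is the cross-system correlation worth escalating.
    (high if len(systems) >= 2 else low).append(incident)


def correlate(alerts, baseline=BASELINE, window=timedelta(minutes=10)):
    """Return (high_priority, low_priority) incident lists.

    Baseline-conformant alerts are dropped, remaining anomalies are grouped
    per device and split into clusters whenever the gap between consecutive
    anomalies exceeds `window`.
    """
    by_device = defaultdict(list)
    for raw in alerts:
        ts, system, device, kind = parse(raw)
        if is_anomalous(device, kind, baseline):
            by_device[device].append((ts, system, kind))

    high, low = [], []
    for device, events in by_device.items():
        events.sort()
        cluster = [events[0]]
        for event in events[1:]:
            if event[0] - cluster[-1][0] <= window:
                cluster.append(event)
            else:
                _emit(device, cluster, high, low)
                cluster = [event]
        _emit(device, cluster, high, low)
    return high, low


def summarise(alerts, baseline=BASELINE):
    """Counts showing how far the raw queue shrinks after correlation."""
    high, low = correlate(alerts, baseline)
    return {"raw": len(alerts), "high": len(high), "low": len(low)}


if __name__ == "__main__":
    high, low = correlate(RAW_ALERTS)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(high)} high, {len(low)} low")
    for inc in high:
        print("ESCALATE", inc["device"], inc["systems"], inc["alerts"])
```

With the constructed data, eight raw alerts collapse to one escalated incident (pos-103: a new executable followed within two minutes by outbound FTP) and two low-priority singles.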

5. Executives, Boards Are Accountable

In May, Gregg Steinhafel resigned as Target's chairman, president and CEO. In the statement issued about Steinhafel's resignation, the company noted that he "held himself personally accountable and pledged that Target would emerge a better company."
Steinhafel's announcement came just two months after the resignation of Beth Jacob, Target's CIO during the time of the breach.
The two resignations came shortly after Target's chief financial officer, John Mulligan, was first questioned about the breach before Congress (see Target, Neiman Marcus Differ on EMV).
The congressional attention given to Target's breach, coupled with the resignation of two of its key officers, made waves in the financial services industry, too. Over the summer, banking regulators launched a pilot cyber-exam program at 500 community banks to review the cyber-awareness of C-level executives and boards of directors at those institutions.
In November, the Federal Financial Institutions Examination Council noted that cybersecurity awareness among executives and boards was in need of improvement, and that cyber-awareness had to be a higher priority across the board (see FFIEC: Boards Need Cyber Training).

6. Retailers May Be Liable for Breaches

The debate over who should be liable when card data is compromised at the retail level also has heated up since the Target breach. For months, banking groups and retail associations have been at odds about who is responsible for bearing the losses associated with card breaches (see Hold Merchants Accountable for Breaches?).
While bankers argue they're stuck with expenses related to card reissuance and fraud, retailers say they indirectly cover these costs for banks through the interchange fees they pay to the card brands (see Card Breaches: Retailers Doing Enough?).

While courts have dismissed numerous class action suits filed by consumers against breached retailers, a class action suit filed against Target by banking institutions, seeking to recoup their breach-related costs, has won court approval to proceed (see Target Breach Suit Won't be Dismissed).
If banks win that suit, it could send a strong message about the financial responsibilities retailers should bear in the wake of a breach.

7. Cyberthreat Intelligence Sharing Must Improve

The Target breach also raised awareness about the need for more cross-industry information sharing. The sharing of cyberthreat intelligence among banking institutions has been on an upward swing since 2012, after numerous distributed-denial-of-service attacks targeted leading U.S. banks.
But it wasn't until the retail breaches of the last year that serious consideration was given to the need for similar information sharing among retailers, as well as across the payments and financial landscape.
In May, the Retail Industry Leaders Association announced the launch of the Retail Cyber Intelligence Sharing Center - an effort to improve sharing among retailers and other public and private stakeholders, including the Department of Homeland Security and law enforcement.
Then in June, Tim Pawlenty, CEO of the Financial Services Roundtable, explained why information sharing in the retail sector needed to mimic information sharing within the financial sector.