The result of an attack of this nature by a terrorist organization could have crippling effects on our world. Millions of business and consumers would not be able to accept or use credit cards to make purchases. Massive aggregate loss in revenue could occur at the small business level. For the credit card companies and the world’s largest financial institutions — and everyone else involved or dependent on payment cards — core business activity would be paralyzed. This is the “Virtual 9/11” — as many businesses would be paralyzed.
You can imagine where this goes next. The global shutdown of credit as a method of payment for even a few days would have lasting effects on the economy. Businesses large and small would be affected. Individual consumers relying on credit would have to start using cash (if they have it) and many will defer purchases typically made via e-commerce.
For executives and managers who are tasked with ensuring their company does not suffer a security event, the following few strategic initiatives will be a good place to start to develop a defense-in-depth strategy.
• New technology: Invest in modern hardware and get rid of old systems, especially those that have been decommissioned by the vendor.
• Patching systems: Implement a Web application firewall (WAF) and apply a virtual patch to protect applications based on the result of the security testing. The development teams can then create a fix for the vulnerability — once it has been validated, the Virtual Patch can be safely removed from the WAF.
• Control remote access to closed networks: Third-party vendors and their products introduce vulnerabilities, mostly as a result of default, vendor-supplied credentials and insecure remote access implementations.
• Empower Incident Response Teams: The incident response team should have access to the security team’s notifications or information stored within log aggregation or analysis systems, such as a security information and event management (SIEM) system. Empower the team to investigate even the most obscure issues.
Cybercriminals will never stop trying to obtain valuable or proprietary data. By reviewing your information security infrastructure, paying particular attention to existing vulnerabilities, the assignment of security responsibilities to specific individuals or groups, and how data flows within the organization, business leaders can reduce the threat and impact of a security incident.
While taking these actions may not prevent every attack, the outlined initiatives above can be either be the start of a good defense, or affirmation that a good security strategy is in place. A comprehensive, defense-in-depth strategy for information security can help reduce risk, protect sensitive information and ultimately safeguard a company’s reputation.
Nicholas J. Percoco is senior vice president and head of Trustwave SpiderLabs, with more than 14 years of information security experience. Percoco acts as the lead security advisor to many of Trustwave’s premier clients and assists them in making strategic decisions around security compliance regimes.