Lessons Learned from TJX
Interview with Cyber Crime Expert Eric Fiterman In the wake of the arrests of 11 hackers tied to the TJX data breach, security experts everywhere are warning of bigger, bolder threats to come. So, what should banking institutions have learned from TJX-style breaches, and what can they do now to protect their customers and critical financial/informational assets?
In this interview, former FBI agent Eric Fiterman, founder of Methodvue, offers:
TOM FIELD: Hi, this is Tom Field with Information Security Media Group. We are here today to talk with Eric Fiterman, founder of Methodvue. And the topic is information security and investigations into cyber crimes. Eric, thanks so much for joining me today.
ERIC FITERMAN: Thanks for having me.
FIELD: Eric, tell me a little bit about your background as it relates to information security and cyber crime.
FITERMAN: Sure. Well, I'm a former FBI Special Agent and I've worked computer crimes as a member of several different high tech crimes task forces, including cases I've worked jointly with the United States Secret Service, who appears to be the primary investigative agency in the TJX case. I'm also the founder of Methodvue, which is a company that provides computer forensics and litigation advisory services for intellectual property and trade secrets misappropriation cases. And I've spent the last five years supporting investigations and security programs in the U.S. intelligence community, and currently provide security and computer forensic services for commercial and federal clients.
FIELD: Eric, you mentioned TJX, and that is sort of the case that brought us together and got us started with this discussion here. When you read about the arrests behind TJX and the other major breaches that we've seen in recent years, what do you see that the rest of us might not see?
FITERMAN: Well, the first thing that I think probably surprised most people was the amount of time that has lapsed between when the breach was first disclosed and the indictments that were announced last week. But having worked in the federal environment for some time, you understand that in a case like this, which appears to be very significant and involves strong international mixes, you are going to have a lot of jurisdictional and legal barriers to the investigation involving evidence that was overseas -- in this case in Eastern Europe, we've indicted co-conspirators in China and other locations around the world. So it just involves a tremendous amount of coordination, not only across the U.S. Attorneys' offices here in the United States but the diplomatic liaison channels with legal attachés overseas, and other federal agencies and so on.
The bottom line is just that it is a really massive investigation, and because of that it will take some time. The quality of the work will be very high, and in those cases they typically lead to guilty pleas outright because the subjects and the conspirators are typically presented with such an overwhelming amount of evidence that they typically plead out when faced with these charges.
FIELD: But what is the real message from this incident or these arrests, to the banks and the merchants and the other businesses?
FITERMAN: Well, while it is great to see indictments and arrests, it is much better for institutions to prevent getting into this position in the first place, which means having a strong emphasis on a good security program that addresses your compliance and regulatory environment, understanding your risks and just being generally proactive about some of the threats your organization is facing.
I think what is also interesting about cases like these is that they demonstrate that really any industry and any organization can be held accountable for the theft of confidential information and sensitive information, even when that company itself is a victim of crime. And that is a very different concept because typically there have been certain implicit or perceived protections for companies that have been victimized during a crime, but this clearly shows that any firm with sensitive information can face the prospect of litigation if its assets have been threatened or exposed.
FIELD: Eric, just a follow up question. We know banking institutions have got regulatory agencies coming around to examine them to make sure that they are compliant and that they are taking the precautions that they need to. Where is the pressure going to come from for non-regulated businesses to make sure that they've got the information security practices to keep their houses in order?
FITERMAN: Well, I think almost in any case, especially if you are dealing with sensitive financial information or personally identifiable information, there will be some type of either applicable law or regulation. Whether it is PCI, BSA, or in the federal government we've got regulations and obviously the financial institutions have their sets of compliance and statutes as well.
But I think another big motivator, as I mentioned before, is the realization that organizations are being held accountable for failures to address information security. So that is a big driver in addition to the compliance driver that has been obviously more important in the last few years. But you've got organizations like PCI and the PCI Council that are stepping up and making organizations aware of what their requirements are if they are going to handle, in this case, credit card information or sensitive financial data.
FIELD: Now one of the things that sort of surprised me in the last week since we started publicizing this latest story is the real anger from banking institutions. Because TJX didn't happen because of a bank or a credit union, and yet they are in the line of fire when it comes time to have to replace these cards that have been compromised. How are the banking institutions going to sort of channel this anger positively and effect some good change?
FITERMAN: That's a great question. And I mentioned before the PCI Council, and one of the things I would recommend is for lending institutions and banks to get involved with industry organizations like the PCI Council, to really sit down and re-think whether we need to take a closer look at how we are building in security into these systems from the get go; so digging in security in the architecture of these systems that authorize and process credit card data.
And actually I spoke with Dave Hogan, who is a Senior VP and CIO of the National Retail Federation, earlier this year about the TJX breach and what his organization was doing to address the threat, and he pointed me to a letter that he had sent to the PCI Council that suggested that maybe there were provisions of PCI/DSS that actually were more of an enabler of electronic and financial crime -- in particular provisions of the regulation that require merchants to store credit card data for some period of time. And while I think that argument does have some merit, if you look at the indictments, in this case the conspirators were actually capturing data as it was being processed. So they weren't attacking and stealing data at rest, stored or archived or encrypted data; they were capturing the information as it was going over the wire.
And I think it is important to understand that distinction. It's subtle, but that is an important discriminator and again, my personal belief is that we really just need to take a close look at the fundamental way that we are doing business, particularly with retailers and merchants to learn how we can make these systems more secure.
FIELD: And that's the same thing that people have found with the Hannaford case too. Is that right?
FITERMAN: Yes, I believe so.
FIELD: Now, the message that we keep hearing from experts in the last week is to expect more breaches, and that this is not going to be an isolated thing, it's going to be more sophisticated and different kinds of threats. So I am curious: What are the types of cases that you are looking at now and what source of crimes should banking institutions be paying the most attention to?
FITERMAN: Well, in addition to my security engineering work, I support cases involving confidential data theft, breach and trade secrets misappropriation cases, and just to explain a little bit about what that means, that is anytime an organization has confidential or proprietary information that they believe maybe an employee or a competitor or an associate has misused or exposed, and they want to determine what exactly the damage was or how that was facilitated, I support those kinds of cases. And I am seeing more of that kind of activity because you are seeing a lot of technology companies and private capital firms that are making major investments in intellectual property, and information has become a very valuable asset and companies have a reason to protect that investment. So whether you are talking customer data or financial statements, proprietary information or, like in TJX, credit card data, people are trying to get access to that information.
As far as your question about what kinds of crimes banking institutions should be paying attention to, one thing that jumps out at me in particular is the case of the French bank earlier in the year where the trader had single-handedly facilitated a $7.2 billion fraud by manipulating the inner workings of the organization. I think that is an important case because as you said before, these types of crimes aren't going to go away, and so it is important to understand how these crimes are committed and what we can do to detect or deter people from committing these really egregious acts of crime.
And it is important to understand, too, that when we talk insider threat or insider security, it's not really a new concept. Actually the first documented bank robbery in the United States was considered to be an inside job. So I think we are going to see more of these kinds of events as the credit markets and financial institutions come under increased pressure as they are today. And the other thing I think is important for banking institutions to be aware of is how vulnerability disclosure trends are going to affect their external systems and their customers, just like the domain system vulnerability that was disclosed last month. Whether you agree with it or not, security firms and researchers are going to continue to feed vulnerability information into the public domain, and at that point it is essentially a race between the criminals who are listening and crafting attacks to exploit that vulnerability and the IT systems and managers who need to patch their systems so they are not vulnerable.
So we need to stay one step ahead. We have a saying in the FBI that the good guys have to be right all of the time, and the bad guys just need to be lucky once. And I think the same is true in this case.
FIELD: That doesn't seem very fair!
FITERMAN: No, it's not, but it is the hand we've been dealt, so we just have to be proactive and aggressive about it to make sure that we are being secure.
FIELD: So Eric, some final words of wisdom for our banking institution executives; how do they avoid either being the next TJX or cleaning up after the next TJX?
FITERMAN: You know, I would say let's learn from our mistakes and that we are not going to repeat them. Criminals are not complicated or hard to understand, but if we can get better at seeing things the way they do, we can identify our weaknesses and make improvements before someone moves in to exploit them.
FIELD: Excellent insight. Eric, I appreciate your time and I appreciate your insights this morning.
FITERMAN: Thank you very much. I appreciate your time.
FIELD: We've been talking with Eric Fiterman of Methodvue and the topic has been banking and cyber crimes and investigations. For Information Security Media Group, I'm Tom Field. Thank you very much.