August 31, 2015
Interviewed by: Mike Straka

Cybersecurity: Protecting Financial Data

RSM’s director of security and privacy for the Northeast, Keith Swiat, explains the dangers of cybercriminals and how easily they can acquire credit card and personal information if basic cybersecurity measures are ignored.

Cybersecurity: Protecting Financial Data
With Keith Swiat of RSM

Mike Straka, Privcap: We’re joined by Keith Swiat, Director of Privacy and Security for RSM in the Northeast Region. Welcome to Privcap.

Keith Swiat, RSM: Thank you, Mike.

Straka: How big of an issue is cybersecurity in the financial industry right now?

Swiat: I think it’s a very large issue. When you have companies in the financial services area that have information that’s very easily monetized, it’s going to be on the top list of targets for cybercriminals.

For financial services, cybersecurity is a very large issue, mainly because companies within the sector have access to very sensitive information that could be easily monetized. And, because of that, cybercriminals are going to put financial services companies on the top of their list, as far as organizations they are going to attack.

Straka: How much money should a financial institution invest in their cybersecurity?

Swiat: I hate to use the consulting phrase “it depends,” but it really does. Of course, it’s going to take a lot less money to secure a 10‑person shop than a 10,000‑person organization that has multiple locations. I think what’s more important is to look at what’s at risk. Look at the kind of information these organizations have and how it could be monetized and then take that number and feed it back in to see how much an organization should spend on cybersecurity and security awareness and hardening their environment.

Straka: You’ve been doing this for over 22 years, your thought leadership is all over the web and I see that people book you for conferences all the time. What is the most obvious thing you tell all of these folks? I mean, you probably repeat yourself over and over again because it is sort of a theme, isn’t it, where it’s not as difficult as it sounds, is it?

Swiat: That is probably the most recurring theme. Hollywood has really glorified these attacks and breaches in hacking in a way that it requires these crazy guys in black hoodies, going around in dark rooms. But, in reality, anybody could perpetrate these attacks. There are tools freely available on the Internet to provide point-and-shoot functionality. I probably spend the most time making people aware of how easy these attacks are actually carried out. That’s usually the icebreaker. Then, that can lead into the more mundane and boring stuff and talking about security controls. But it’s really getting the word out that people are being enlisted every day to do these sorts of things.

Straka: On the flipside, isn’t it easy to protect your data? It’s just a matter of being vigilant, isn’t it?

Swiat: It is. I think probably the most time and resources spent after creating a security framework within an organization is just enforcement of that and keeping it up. It’s as simple as…looking at a simple social engineering attack called “piggybacking,” [where] you get yourself into an office building and you follow someone into their office after they [swipe their] badge. There’s something that doesn’t cost any money. You educate the employees to not let someone walk in behind them.

It really comes down to getting the word out and making people understand that they’re responsible for safeguarding the information of an organization.

Straka: One thing I read that you wrote was that the bigger the organization, the harder it is to protect because they’re all over the place, geographically, in different time zones.

Swiat: When you have a geographically diverse company, the biggest challenge is going to be time zone because, even if you have a very well-defined incident response program, you’re going to be waking up people in the middle of the night and their ability to make snap judgments or decisions on what to do during a breach might be hindered. So, when you have these large global organizations, the clock is probably one of the biggest enemies.

Another issue with that is people might wait until people are woken up the next day on the other side of the world. I think timing is probably the most crucial element when you deal with an incident. The other thing, too, is local regulatory requirements for data privacy. The reporting and incident response requirements are very different in the EU than…in the U.S. Looking at all the legal issues and regulatory requirements that come into play—that’s also a huge challenge because now you don’t just have something that’s for a company in, say, South Carolina. You just follow the state’s guidelines. Now, you’re dealing with every country that that organization is in and that’s going to require a lot of legal talent to actually pull that stuff together.

Straka: [In] the big credit-card breach with Target, I think it was a year ago, people were saying that…[using] your debit card and [putting] in your PIN number was the reason so many credit cards were breached. Is that true or is it a myth? Because when I go into stores now, I use [my card] as credit, but I won’t put in my PIN number.

Swiat: That’s a myth, mostly. There are inherent dangers with a breach [at space] on PIN debit and credit. I would say that it’s easier to breach credit, because you’re only looking at the magnetic strip on the back. With a PIN debit transaction, you’re looking at the magnetic strip and you also have to capture that PIN. Also, those transactions, for debit transactions, have a specific encrypting key for each transaction. It’s not an encryption key for all the transactions.

It’s much more difficult to compromise PIN debit, because of the skills needed, than it is to compromise a credit-card transaction.

Straka: When you’re talking about credit-card transactions and protecting your customers’ personal information, what is the most vulnerable that these companies or any company could end up being?

Swiat: I think it depends on region, Mike. In the U.S., we have a very high…mag-stripe usage that’s not protected or encrypted. So, when we’re talking about credit-card information, a lot of times we see breaches where the attackers are going after large stores of credit-card information that is stored on the mag stripe on the back of your credit card.

For systems that are not secure or not configured to properly safeguard that information, that data on the back of the card might be inadvertently stored on a server someplace within the environment or within the actual POS terminals within a merchant. What happens is that, over time, those cards build up and build up and they just amass into a big, clear text file worth of credit-card information.

…If they manage to get into an environment and get onto these systems and circumvent any type of physical controls on the systems, [the attackers] could get access to these files that have this credit-card information. And with mag-stripe data, it’s a relatively trivial task to take that and transform it into fake cards. Then, the attackers can either [send] those fake cards to organized crime to perform fraud or they could perform fraud themselves.

Straka: Do you know how much money cybercrime costs the country?

Swiat: I would imagine it is quite large, because one thing [I saw] when I did incident response is that, for every breach that’s reported, there are probably 100 breaches that never go detected or reported at all. There are probably some statistics out there where someone will raise their hand and say, “I have this dollar amount of what it costs companies.” But that’s kind of a foolish number to put out there.

Straka: In general, how dangerous is cybersecurity for companies?

Swiat: I think the danger is not the cybersecurity—it’s the lack of. What we’ve seen over the last year is an increasing amount of creativity when it comes to how attackers are getting into environments. What used to be simple “smash and grabs,” if you will—going in and stealing credit-card information through easy attack factors, that is, the methods the criminals get into the environment—[are now] very elaborate schemes in which the attackers will do a long-term staged attack to get into an environment.

These attacks could include many different ways and different levels of access. One of the most popular ways or trending ways we see people getting into environments is [starting] with a social-engineering attack, whether that’s email, like a phishing scam, or even physical misrepresentation. You’ll see people going into retail establishments, acting like they’re a part of a governing body or they’re law enforcement or something, to get access to the systems in the back room that might have this data.

When you have the phishing attack, it’s very easy. We actually perform these types of services where we’ll go in and do phishing campaigns. And even if we have just 50 addresses to send, we’ll get somebody to click on something. When I say “Click on something,” [I mean] they’ll have a link with an email, someone could click on it and that could actually load malware onto the system or provide us access into that system to be able to exploit and do the testing for them.

Of course, we’re doing this for the good side and we’re trying to find these vulnerabilities and to find gaps in the security-awareness program before the bad guys do. But, right now, the social-engineering attack factor is probably the most popular because there’s a lot you can do to fortify a perimeter of a system. You can have firewalls, intrusion detection or antivirus—to some degree, there’s a lot you can do to harden that exterior wall of an organization electronically.

Attackers are notoriously lazy. They’re going to go for the low-hanging fruit. So, what happens is, instead of attacking the fortified wall that is presented to the Internet, they’re just going to hack a human. It’s much easier to take advantage of that inherent level of trust that exists between two people when they interact, even if it’s through email.

Straka: We talk about private equity here at Privcap and a lot of the firms out there in the private equity world are sort of archaic when it comes to technology because the practice of raising money hasn’t changed. Through technology or whatever, they raise money the same way they’ve been raising money for the last 30 years. So, is it difficult for you to let these people know they really need to pay attention to technology?

Swiat: Yeah, it’s always a challenge. I mean, it’s become easier with some of the very high-profile breaches that have come up in the last year or so. That’s made our job easier. But still, we have a lot of funds and even there are portfolio companies that might be mom-and-pop shops or might be, say, a furniture [company] out in the middle of Pennsylvania who are like, “We’ve been doing this work for 200 years. Who is going to hack a furniture company?”

But what we see is that if you look at some of the breaches lately, the attackers are looking for just that kind of attitude. A place that doesn’t think they have much to offer is not going to secure their platform, but they may. There could be connectivity between their portfolio company and the fund. We see funds take a varying level of control or connectivity into the portfolio companies. And if you had, say, a fund that had a VPN line into one of these companies, one of these small companies could be breached easily and there’s a chance that breach can actually move into the fund and then affect other companies as well.

Straka: Who is the governing body that overlooks and tries to protect customers’ information, to protect data? For instance, who do these companies have to show compliance to?

Swiat: There’s a number of governing bodies. We’re talking about credit-card information, so there’s an organization called a PCI SSC, which stands for Payment Card Industry Security Standards Council. They’re a group that is basically formed by five different card plans and they provide a framework and security standards to which all merchants should apply. They also provide a bunch of other different frameworks. They provide security standards for applications handling credit-card data and the PIN entry devices.

They are the group in that area that will form these regulations, these rules and these requirements. But, when it comes to the actual enforcement of the rules, that falls on different parties, such as the acquiring bank and what not. So, if there is a breach, usually the card brands will see it first in their traffic or people who are calling and reporting fraudulent activity. They’ll push that down to the merchant’s acquiring bank and then the acquiring bank will enforce the standard from there.