Identity theft has been all over the media during the past year, and with good reason: It’s an increasing problem for both consumers and merchants. According to the Identity Theft Resource Center, a San Diego-based nonprofit organization, more than 19,000 people a day are victims of identity theft. The Federal Trade Commission (FTC) estimates that some 10 million people were victims in 2004.
When it comes to the economic impact of identity theft, however, it has been the merchants that have borne the financial burden. Of the $53 billion in annual damages from identity theft, retailers pay for $48 billion, or more than 90% of the total. Moreover, when merchants lose sensitive customer information to cybercriminals, they lose the trust of their customers and even open up their businesses to government prosecution. In short, identity theft can have severe consequences for your company.
UNDERSTANDING IDENTITY THEFT AND SPYWARE
The starting point for fighting identity theft is to understand the most common way that confidential customer information is stolen electronically. Identity theft today is often linked to spyware, a form of software that gathers and stores information about the user’s Web activity and other private data, usually without the user’s knowledge. In one recent case, cybercriminals used Web-based Trojan horses (programs that appear benign but actually perform some sort of illicit activity, such as locating passwords from the user’s hard drive) that contained keylogger programs (which capture and store the user’s keystrokes) and backdoor programs (which gain undocumented access to a computer program or system) to steal credit-card details, Social Security numbers, usernames, passwords, and other private information from an estimated 27,000 customers of a particular Website. A computer user who visited the spyware-hosting Website, perhaps as a result of a browser redirect or phishing e-mail, would be attacked automatically and secretly by Trojan horse and backdoor spyware. Spyware and identity theft are closely linked, so a key to fighting identity theft is to stop spyware.
SPYWARE AND WEB TRAFFIC
In the past decade, e-mail traffic was the main avenue for virus and worm attacks. In the next decade, Web traffic is expected to be a growing source for spyware and other malware (malicious software) attacks. The above example involving the international identity theft ring is one well-publicized case of Web-based spyware attacks. No doubt, many other cases exist but are still undiscovered. Unsuspecting computer users need only surf to an infected Web page and their computers are automatically attacked, without any user interaction. For that reason, any defense against identity theft should include protection against Web-based spyware.
THE PCI STANDARD
The credit-card industry’s response to identity theft at retail organizations is the Payment Card Industry (PCI) Data Security Standard (see “PCI pain, June 2005 issue.) With a compliance deadline of June 30, 2005, this industry standard set the minimum requirements for protecting private customer data. Mandates include installing a firewall, not using vendor-supplied defaults for system passwords, protecting stored data, encrypting transmission of cardholder data and sensitive information, using and regularly updating antivirus (AV) software, developing secure systems and applications, restricting access to data, assigning unique IDs to computer users, restricting physical access to cardholder data, tracking and monitoring access to cardholder data, regularly testing security systems, and maintaining a policy that addresses information security.
While comprehensive, the PCI standard is silent on defending against Web-based spyware. Requirement 5, “Use and regularly update antivirus software or programs,” makes mention only of viruses that “enter the network via employees’ e-mail activities.” It makes no mention of protecting Web traffic from spy programs. Although the PCI standard acknowledges in Requirement 1 that “seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems,” it does not address Web traffic as a potentially wide-open avenue for malware attacks. By allowing open ports for Web traffic, the PCI standard leaves the network perimeter open to both good and bad Web traffic. Even with PCI-standard compliance, merchants remain vulnerable to Web-based spyware attacks intended to steal customer data (see figure 1, opposite page).
GATEWAY ANTI-SPYWARE SECURITY
A company may deploy a firewall, restrict access to customer data, and use regularly updated e-mail AV software, but its perimeter security could still let through Web-based spyware, such as a keylogger spy program inserted by a spyware-infected site. The keylogger could then capture password information that unlocked confidential customer data. Therefore, a mission-critical addition to the PCI standard is gateway protection against Web-based spyware.
Gateway anti-spyware is a proactive measure that prevents spyware from entering the network and installing on individual computers (see figure 2 below). If spy programs can be stripped out of Internet traffic at the gateway, before they can install themselves on desktop computers, then the threat of spyware, and retail identity theft, may be substantially reduced.
The core of any gateway anti-spyware defense, as with desktop and e-mail gateway AV software, starts with scanning for malicious code. Other technologies such as Web filters and file blocking software may be useful complements, but the most reliable and effective way to identify and remove spyware from Web traffic is signature matching — using software that looks inside files for certain tell-tale patterns, or signatures.
Gateway scanning for spyware, however, is problematic. It requires an extremely high-performance scanning technology that can handle real-time Web traffic for large numbers of computers without turning the gateway into a network bottleneck. If a product cannot deliver real-time performance, then it cannot scan high volumes of Web traffic for spyware. If it cannot scan enterprise-class Web traffic, then it cannot truly protect against spyware, since Web traffic is the main avenue of spyware attacks. So in this case, it is no longer a matter of a trade-off between security and performance. An organization must have both. Therefore look for real-time scanning performance that is enabled by, for example, stream-based scanning technology.
Besides the requirement of real-time scanning of Web traffic for spyware, a gateway anti-spyware product should also comply with the PCI standard. Some relevant requirements of the PCI standard include:
- “Antivirus software must be used on all e-mail systems and desktops to protect systems from malicious software.” A gateway anti-spyware product should ideally be an anti-malware product that protects against both spyware and viruses. All known malware should be covered in the signature library. Look for industry certification of 100% detection of malware in the wild (as offered, for example, by ICSA Labs, a division of security specialist Cybertrust that sets industry standards for commercial security products) for gateway antivirus detection. The product should not only protect Web traffic, but also e-mail and File Transfer Protocol (FTP) traffic.
- “Ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs.” To ensure that its library of all spyware and virus signatures is current, a product should automatically update itself at least once each day. The product should also include detailed log data that may be queried easily.
- “Encrypt all nonconsole administrative access. Use technologies such as SSH, VPN, or SSL/TLS for Web-based management and other nonconsole administrative access.” A gateway anti-spyware product makes this administration easier, but Web access should nonetheless be secure.
WHERE REAL-WORLD DATA AND THE PCI STANDARD MEET
Companies today are understandably focused on identity theft. Because Web-based spyware is a major factor in identity theft, companies should therefore focus more attention to such programs, especially as they are becoming ever more prevalent. Although the PCI standard is relatively new, it does not address this present and growing threat.
The combination of real-world data and the PCI standard indicate that a gateway security product should meet the following requirements for securing a merchant against identity theft through Web-based spyware:
- Stop spyware, viruses, and other malware
- Scan Web (HTTP, HTTPS), e-mail (SMTP, POP3, IMAP), and FTP traffic without slowing performance
- Automatically and frequently update malware signatures
- Provide detailed log data that may be easily queried
- Provide secure (encrypted) Web administration.
A product with this set of features would address not only identity theft but also merchants’ other major concerns about keeping customer information secure. Gateway protection against worms and viruses would keep these mass-propagating malware programs out of merchants’ networks and therefore maintain network and computer availability. These requirements also reflect government and industry efforts to raise the level of minimum security practices. Therefore, such a gateway anti-malware product would ensure customer data privacy, business continuity, and compliance with government and industry regulations. And perhaps we could all sleep a little easier.
Joshua Lin is director of marketing and business development at CP Secure, a Cupertino, CA-based network security company.