
Page 1: Cybersecurity - SoCal EXPORussian hackers stole more than 1.2 billion username and password combinations, along with about 500 million ... malicious code into Internet Explorer so

Cybersecurity: The New Challenge for Treasurers

THOUGHTS AND BEST PRACTICES FROM AFP


Cybersecurity is on the top of treasurers’ minds these days, and for good reason. Reports of massive data breaches at major companies surface on what feels like a weekly basis. Yet there are measures that treasury departments can take to mitigate these risks, such as purchasing cyber insurance, making improvements to overall security systems, and working with law enforcement when a breach is detected. In Cybersecurity: The New Challenge for Treasurers, AFP has compiled some of its most recent coverage on the cyberthreats that your company needs to be aware of. From the Target breach, to the GameOver Zeus botnet, to Heartbleed, AFP looks at each incident and pulls out relevant takeaways for treasury and finance professionals. In this compilation, you will find the tools you need to adequately prepare your organization for the threats of today, and tomorrow.


Contents

Was August’s Megahack Just Megahype?

600 Retailers Affected by Malware

StubHub Turns the Table on Cybercriminals

U.S. Treasury Calls for More Information Sharing Legislation

Cyber Risk: The New Frontline of Risk Management

Treasurer Relives Her Firm’s Cyberbreach

Payments Professionals Focused on Fraud, New Standards

An Insider’s View of GameOver Zeus

Cyber Insurance a Top Priority for Retail Treasurers

Cybersecurity: From Prevention to Intelligence and Proactive Detection

How Treasury Should Respond to Heartbleed

Supermarket Breach Compromises Millions?


www.AFPonline.org ©2014 Association for Financial Professionals, Inc. All Rights Reserved Page 1

Was August’s Megahack Just Megahype?

Andrew Deichler

If you followed the news in early August, you undoubtedly heard about The New York Times’ explosive report that Russian hackers stole more than 1.2 billion username and password combinations, along with about 500 million email addresses. You were likely encouraged to change your passwords immediately—for everything.

What you may not have heard is that all of the panic could be over nothing.

To recap, Hold Security, which discovered last year’s Adobe hack, told the Times last week that the Russian cybercriminals have gathered confidential material from more than 420,000 websites. Alex Holden, founder and chief information security officer of Hold Security, said that hackers were not simply targeting U.S. companies. They were targeting any website they could find, from Fortune 500 companies to very small sites. “And most of these sites are still vulnerable,” he said.

Hold Security refused to name any of the hacked sites, citing nondisclosure agreements. However, an unnamed security expert told the Times that major companies were among the victims. Supposedly no credentials have been sold online; the hackers are reportedly using them to send spam on social networks.


Why you should be skeptical

So what’s the problem with the story? For starters, some experts question the accuracy of the Times’ report. Forbes contributor Joseph Steinberg listed a number of reasons why he is skeptical, such as the claim that the stolen credentials were used to send spam rather than execute fraudulent transactions. With more than a billion credentials stolen, “there should have been a dramatic uptick in fraud in recent months,” he wrote. “There wasn’t.”

AFP Fraudwatch spoke with a financial services cybersecurity industry expert who said that the media “just took this story and ran with it,” even though the claims came from a source that he believes is not credible. “Essentially, it’s just a vendor trying to sell its product,” the expert said. “There has been no confirmation from any credible sources such as law enforcement, Department of Homeland Security and private intel companies that this ‘breach’ is anything new.”

Furthermore, the cybersecurity expert noted that information provided on the nature of this alleged breach has been “sketchy and contradictory.” Many industry experts have noticed no change in the threat landscape as a result of this alleged breach, and therefore believe it is not legitimate. “A similar story was given a few months ago from BAE Systems about an alleged major data breach at a U.S. hedge fund. They later acknowledged that the breach never occurred,” the expert said.

To be fair, Brian Krebs of Krebs on Security, who broke the Target breach story back in December, vouched for Holden, saying that his research and data is legitimate. Krebs believes that it is entirely possible that cybercrooks could be using these stolen email account credentials to spam victims’ contact lists. “Spam is such a core and fundamental component of any large-scale cybercrime operation that I spent the last four years writing an entire book about it, describing how these networks are created, the crooks that run them, and the cybercrime kingpins who make it worth their while,” he explained.

Guilty of self-promotion?

In addition to sketchy details, skeptics believe the megahack disclosure may be nothing more than a high-tech version of self-promotion. That’s what fraud expert Chris Mathers, who spoke at the AFP Canadian Forum in 2013, thinks occurred in this case. “The problem these days is everyone is so preoccupied with the loss of private information, that some organizations are using that to promote their own company name,” he said. “We’ve gotten to the point where we have to look at every report of a breach and first determine whether it actually happened and then decide what the impact of the breach is.”

If an incident did occur, then Mathers believes Hold Security has a duty to inform the public about which organizations were hit. “The longer it goes, the more suspicious it is to me,” he said. “All I say to them is, if it happened, who did it happen to? You have an obligation to disclose it. You’ve been so vocal about how great you are at detecting it—you’d better tell us who it was.”

Regardless of whether the claim is accurate, experts agree that both businesses and consumers should change passwords regularly. “All this does is reinforce that you’ve got to keep changing your password—all the time,” Mathers said.

More pressure on businesses

Whether or not it was real, experts are still calling for companies to increase the security on their websites. Avivah Litan, a security analyst at the research firm Gartner, told the Times that companies that rely on user names and passwords need to do more to protect user data. “Until they do, criminals will just keep stockpiling people’s credentials,” she said.

The problem with adding additional security measures is that it inconveniences the user. It is for this reason that Fred Butterfield, CTP, treasury manager for Trust Company of America, believes companies will resist adding more authentication to their websites. “How many users actually follow recommended guidelines for different, more secure, user IDs and passwords? Using an out-of-band authentication method, while increasing security, will cause a large portion of users to complain about the added complexity, which will cause the website owner to resist changes,” he said.

Butterfield believes that any hacked website should be required to inform its users that a breach occurred, and that any site that has access to personal information should be required to increase its security to a level above the mid-range. “Since businesses are created and run by people, I don’t think either outcome is all that likely, which means we will continue to have hacks, thefts of information, and bad guys trying to make money off of information they steal, until such time as the whole world can agree on a set of rules governing the use of the internet,” he said.


600 Retailers Affected by POS Malware

Andrew Deichler

More than 600 retailers may have point-of-sale malware installed in their stores, according to government officials.

The U.S. Computer Emergency Response Team (US-CERT), in conjunction with the National Cybersecurity and Communications Integration Center (NCCIC), the U.S. Secret Service (USSS), the Financial Sector Information Sharing and Analysis Center (FS-ISAC) and Trustwave SpiderLabs, has issued a warning to retailers about new point-of-sale malware dubbed Backoff.

Karl Sigler, threat intelligence manager at Trustwave, told Time that while many of the affected businesses are small independent shops, large national chains have also been hit. An official of the Department of Homeland Security said that large chains were particularly vulnerable when acquiring a smaller business that could have weaker security protections.

Cybercriminals are reportedly targeting businesses that use remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn Join.me. Through brute force attacks, the criminals have been able to log into the remote applications. If they can gain access to administrator or privileged accounts, the Backoff malware can be deployed to steal payment data via an encrypted POST request.

Some studies show that targeting remote desktop applications with brute force attacks is on the rise. Jaime Blasco, director of AlienVault, told TechNewsWorld that a botnet was recently brute-forcing remote desktop applications by using common usernames for POS devices, “because, by default, most POS systems have common usernames and passwords,” he said.
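As an added illustration (not part of the AFP article), the following Python script shows how a defender could spot the remote-desktop brute forcing described above in Windows Security logon events, covering both repeated guessing against one account that ends in a success and one source spraying the common default POS usernames Blasco mentions. The log lines, account names and addresses are constructed; the event IDs (4624 success, 4625 failure) and logon type 10 (RemoteInteractive) are the real Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from the AFP article): a simplified export of
# Windows Security events. Fields: timestamp, event id (4624 = successful
# logon, 4625 = failed logon), logon type (10 = RemoteInteractive, i.e. RDP),
# account name, source address.
SAMPLE_LOG = """\
2014-08-01T02:00:01 4625 10 administrator 203.0.113.7
2014-08-01T02:00:03 4625 10 administrator 203.0.113.7
2014-08-01T02:00:05 4625 10 administrator 203.0.113.7
2014-08-01T02:00:08 4625 10 administrator 203.0.113.7
2014-08-01T02:00:11 4625 10 administrator 203.0.113.7
2014-08-01T02:00:14 4624 10 administrator 203.0.113.7
2014-08-01T09:15:00 4625 10 jsmith 198.51.100.20
2014-08-01T09:15:30 4624 10 jsmith 198.51.100.20
2014-08-01T11:00:00 4625 10 pos 192.0.2.9
2014-08-01T11:00:01 4625 10 posadmin 192.0.2.9
2014-08-01T11:00:02 4625 10 manager 192.0.2.9
2014-08-01T11:00:03 4625 10 store1 192.0.2.9
2014-08-01T11:00:04 4625 10 admin 192.0.2.9
2014-08-01T11:00:05 4625 10 backoffice 192.0.2.9
"""


def parse_events(text):
    """Parse the simplified log into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "success": event_id == "4624",
            "remote": logon_type == "10",
            "account": account.lower(),
            "source": source,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_bruteforce(events, window=timedelta(minutes=10), threshold=5):
    """Return findings for two patterns on remote (logon type 10) events:
    - 'guessing': at least `threshold` failures for one account from one
      source within `window`, followed by a success from that source;
    - 'spraying': one source failing against at least `threshold` distinct
      accounts within `window` (default POS usernames are a common target).
    """
    findings = []
    fails = defaultdict(deque)     # (source, account) -> failure times
    sprayed = defaultdict(deque)   # source -> (time, account) of failures
    reported_spray = set()
    for ev in events:
        if not ev["remote"]:
            continue
        key = (ev["source"], ev["account"])
        if ev["success"]:
            q = fails[key]
            while q and ev["time"] - q[0] > window:
                q.popleft()          # drop failures outside the window
            if len(q) >= threshold:
                findings.append({"kind": "guessing", "source": ev["source"],
                                 "account": ev["account"], "failures": len(q),
                                 "success_at": ev["time"]})
            q.clear()
            continue
        fails[key].append(ev["time"])
        sq = sprayed[ev["source"]]
        sq.append((ev["time"], ev["account"]))
        while sq and ev["time"] - sq[0][0] > window:
            sq.popleft()
        accounts = {acct for _, acct in sq}
        if len(accounts) >= threshold and ev["source"] not in reported_spray:
            reported_spray.add(ev["source"])   # report each source once
            findings.append({"kind": "spraying", "source": ev["source"],
                             "accounts": sorted(accounts), "failures": len(sq)})
    return findings


if __name__ == "__main__":
    for finding in find_bruteforce(parse_events(SAMPLE_LOG)):
        print(finding)
```

The single failed-then-successful logon for jsmith stays below the threshold and is not reported, which is the usual trade-off between catching password guessing and paging on a mistyped password.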

US-CERT has identified three primary variants of Backoff. First spotted in October 2013, the malware can scrape memory from running processes on the victim machine and search for track data. It can also inject malicious code into Internet Explorer so if it crashes, it can be re-launched. In more recent variants of the malware, keylogging functionality has been discovered. Finally, Backoff has a command and control (C2) component that can upload discovered data, update the malware, download additional malware, and uninstall it.

“The Backoff point-of-sale malware has multiple components which aren’t overly sophisticated, but it does try to hide itself on affected systems and also maintain persistence if a machine is restarted,” Jerome Segura, senior security researcher for Malwarebytes, told TechNewsWorld.

Backoff has been found in at least three POS data breach investigations. Backoff variants have low to zero percent antivirus detection rates. However, US-CERT noted that antivirus vendors should soon begin detecting the existing variants, so companies should maintain up-to-date antivirus signatures and engines, as antivirus solutions are continually being updated to address new threats.


StubHub Turns the Table on Cybercriminals

Andrew Deichler

Here’s an all-too-common story with an uncommon twist. Six individuals were arrested in late July in connection with an international cybercrime ring that hacked more than 1,600 customer accounts. What’s different in this case is that the company detected the cybercriminals first instead of receiving the news of the hack, as usually happens, and then it alerted law enforcement.

Eric Boles, senior manager of the Global eCrime Investigations Unit at StubHub, the online ticket broker that thwarted the cyberhackers, told the news site Card Not Present that StubHub worked closely with authorities throughout the entire process. “The way I see it, private industry needs to do more of this,” he said.

StubHub itself was not hacked. Instead, StubHub users were victims of account takeovers. Criminals intercepted customer logins and passwords by breaching other websites and installing keylogger malware on victims’ computers, StubHub explained in a statement.

According to Manhattan District Attorney Cyrus R. Vance, Jr., the criminals used the stolen credentials to purchase more than $1 million in electronic tickets for concerts, sporting events and Broadway shows, and then resold them within hours of the events. Proceeds were transferred to a global network of accomplices in the U.S., UK, Russia and Canada. The New York State Supreme Court has charged the defendants with money laundering, grand larceny, criminal possession of stolen property and identity theft.

“Today’s arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere,” said Vance. “The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation.”

StubHub first detected the unauthorized transactions last year, notified authorities, and refunded affected customers.

Suspects were apprehended in New York, New Jersey, Spain, London and Toronto. Vadim Polyakov, a Russian national who police picked up in Spain, is believed to be the mastermind behind the operation. He is currently facing extradition to the U.S.

Robert Capps, senior director of customer success for RedSeal Networks, told Brian Krebs of Krebs On Security that many online retailers are still unprepared for the large influx of fraud that account takeovers can generate. “In the last year online retailers have come under significant attack by cybercriminals using techniques such as account takeover to commit fraud,” he said. “Unfortunately, the transactional risk systems employed by most online retailers are not tuned to detect and defend against malicious use of existing customer accounts. Retooling these systems to detect account takeovers can take some time, leaving retailers exposed to significant financial losses in the intervening time.”


U.S. Treasury Calls for More Information Sharing Legislation

Andrew Deichler

U.S. Treasury Secretary Jacob Lew called on the financial services sector in July to improve its efforts to protect consumer data and strengthen defenses against cyberattacks, thefts and disruptions. He also called for legislation that advances public-private sector information sharing.

In a speech, Secretary Lew urged financial institutions and firms to use the cybersecurity framework commissioned by President Obama via executive order and crafted by the National Institute of Standards and Technology (NIST) to evaluate outside vendors.

“The consequences of cyber incidents are serious,” Lew said. “When credit card data is stolen, it disturbs lives and damages consumer confidence. When trade secrets are robbed, it undercuts America’s businesses and undermines U.S. competitiveness. And successful attacks on our financial system would compromise market confidence, jeopardize the integrity of data, and pose a threat to financial stability.”

Lew noted that cybercriminals do not have to target a bank to damage the U.S. financial system. “Risks to the system can be found at the vendors, suppliers, and contractors that keep our financial system running,” he said. “They can be found within industries that underpin the markets—like telecommunications and energy. And they can be found across the physical infrastructure that supports the U.S. economy, like our transportation system and water supply.”

Lew referenced the Target breach, which occurred because cybercriminals infiltrated the network of one of its vendors. The same thing could easily happen to major financial institutions. “It is essential that all critical third parties have protections for both physical infrastructure and cybersecurity,” he said.

The Treasury Department was closely involved in the development of the NIST framework. But while Treasury considers the framework to be an important milestone, Lew is adamant that more work needs to be done to combat today’s cyberthreats and is advocating for action from Congress.

“As it stands, our laws do not do enough to foster information sharing and defend the public from digital threats,” Lew said. “We need legislation with clear rules to encourage collaboration and provide important liability protection. It must be safe for companies to collaborate responsibly, without providing immunity for reckless, negligent or harmful behavior.”

Lew also called out private companies for keeping too many cyber incidents to themselves. “Disclosing security breaches is often perceived as something that could harm a firm’s reputation,” he said. “This has made many businesses reluctant to reveal information about cyber incidents. But this reluctance has to be put aside. There cannot be a code of either silence or secrecy about the steps necessary to protect our basic security. Sharing information is far too essential.”


Cyber Risk: The New Frontline of Risk Management

Konstantine Kastens

An alarming recent surge in cyberattack incidents at many of the largest U.S. companies, exposing widespread vulnerabilities in payment card data security, has ushered into corporate boardrooms a new axiom of executive management: cyber risk. From shareholders and consumers to watchful regulators, public companies face mounting pressure to bolster cybersecurity protocols and incorporate these surfacing threats within their businesses’ risk management operations.

With a rapidly evolving threat, corporate executives fear that their businesses could be next. Moreover, doubts about whether they can fulfill their own managerial responsibilities without the technological understanding needed to factor the reality of cyberattacks into risk models have executives recalibrating their management oversight.

A handbook recently published by the National Association of Corporate Directors (NACD) outlines five principles that corporate boards should adhere to in adequately managing cyber risks. Confronted with a threat characterized by “its complexity and speed of evolution; the potential for significant financial, competitive and reputational damage; and the fact that total protection is an unrealistic objective,” the report concludes, “the economics of cybersecurity still favors attackers.”

The Securities and Exchange Commission (SEC) has in recent months begun turning its attention to cybersecurity regulation. In March, the agency held corporate governance public roundtables looking into how cyber threats may impact capital markets and weighing the possibility of breach disclosure standards for public companies.

The SEC’s newly-formed investor advocate’s office also announced plans to study the landscape of protocols currently in place that protect investors from cyber threats. The study intends to examine efforts by the Financial Industry Regulatory Authority and participant stock exchanges in responding to attacks and will consider whether SEC rulemaking to require new technology standards would be effective.

It was reported in July that the SEC was pursuing a multi-front investigation of recent cyberattack incidents at companies. The study is to examine the internal controls of affected companies for protecting data, how those companies responded to attacks and the extent of breach disclosure to investors.

Speaking before the New York Stock Exchange in early June, SEC Commissioner Luis Aguilar told an audience of boards of directors that the need for cyber risk oversight at the executive management level “is critical to preventing and effectively responding to successful cyberattacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”

Aguilar called for cyber risk to become a component of overall risk management oversight for corporate boards. He pointed to lax cybersecurity standards at Target discovered in the aftermath of its data breach incident, which also led to the ousting of many of its top directors.

In his final recommendation, the commissioner advised board directors to conform their cybersecurity internal controls to the voluntary guidelines put forth in February by the National Institute of Standards and Technology (NIST), entitled the Framework for Improving Critical Infrastructure Cybersecurity. Aguilar insisted that, at the least, corporate directors use these guidelines as a yardstick for their current internal policies.

“Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks,” Aguilar said.


Treasurer Relives Her Firm’s Cyberbreach

Andrew Deichler

What’s it like from a treasurer’s perspective when your company is hit by a cyberbreach?

“It’s a whirlwind,” said Lisa Joublanc, CCM, CFA, vice president and treasurer for Atlanta-based credit card processor Global Payments.

Speaking at the recent CTC Corporate Treasurers Forum in Chicago, Joublanc provided an insider’s view of the security breach that her organization incurred in 2012. The breach compromised 1.5 million credit card numbers and resulted in a loss of $125 million for the company.

“You get this call that this is happening and you wonder why you’re not going public,” Joublanc recounted. “But that’s because there’s criminal activity that’s occurred. Law enforcement is going to be immediately involved and the last thing they want to do is tip off the perp about what’s going on. So there’s this period of time where you’re in limbo.”

When it was time to go public, Global Payments announced that it had sustained a breach. Personally identifiable information (cardholder names, addresses and social security numbers) was not leaked, but the numbers on the credit cards were. As it went through this process, Global Payments began to realize that its cyber insurance broker at the time was not adequately prepared to handle such an event, and so the company switched to McGriff, Seibels & Williams.

“We switched brokers midstream, which I wouldn’t recommend,” Joublanc said. “One of the things we learned during this process was that your policy is a contract. And if you don’t do exactly what it says in the policy, you probably won’t get coverage. So that means every time you want to spend money, you have to get prior approval.”

Mary Guzman, senior vice president & E&O practice leader for McGriff, Seibels & Williams, added that some insurers will not let companies choose their own vendors for credit monitoring, PR, call center services, forensics, etc. “We’ve had quite a few clients who were with other brokers come to us after the fact and say, ‘We had no idea; it was hidden in the conditions of the policy that we had to use Experian for credit monitoring and XYZ company for forensics. We didn’t have the choice to use the people we’ve always used,’” she said.

This can become a significant problem for companies who want to control their overall message when a breach occurs, Guzman continued. “Say you’ve already got a relationship with PricewaterhouseCoopers, but they’re not on the approved list for your carrier because they’re too expensive—that’s an issue. So it’s something to be very aware of when you’re looking at these policy forms.”

Global Payments now gets its vendors preapproved through its insurance carrier. “So if this happens again, we’re not spending a week or two to look at a contract with a vendor; we do that all up front,” Joublanc said.

Choosing a cyber insurance policy

Joublanc offered some advice to corporate treasurers buying cyber insurance. Before a company even has an official claim, there are multiple expenses it is already incurring. Therefore, corporates would be wise to avoid policies that only kick in when someone starts demanding money. “You’re calling your law firm, you’re working on public relations issues, you’re doing forensics and trying to figure out what has happened,” she said. “All those things are very expensive. So the breadth of your policy is very important.”

Guzman noted that so much of the discussion around cybersecurity in the current environment centers around data breaches, which can be extremely expensive and damaging to a company’s reputation. “But we really look at security risk today as a three-pronged stool,” she said. “Privacy is one issue we are concerned about all the time. Supply chain and infrastructure risk has increasing importance in what we do. And then the third leg of the stool, which doesn’t get a lot of attention from an insurance standpoint, is theft or corruption of trade secrets and intellectual property, and/or, on the liability side, intellectual property infringement. We spend a lot of time on trying to develop new products for that.”

Additionally, professional services firms have significant errors and omissions exposure relative to the services they provide. So much of that is done electronically now that it can be difficult to distinguish between an errors and omissions loss and a cyber claim, Guzman explained. “So we do a lot of blended programs where we do the E&O and cyber insurance on a combined basis,” she said. “Most of our financial institutions buy their cyber as part of a blended crime fiduciary EPL program all under one giant aggregate tower of up to $400 million of limits.”

Guzman noted that almost no two cyber policies are the same from one carrier to the next. Corporate treasurers really have to do their homework and know what they are paying for. “If you’ve bought an off-the-shelf carrier policy to lead your program on the primary, you’re not getting anywhere near the broadest coverage you can get,” she said. “Some of the policy forms are pretty good, but there’s not a single one that doesn’t need some sort of significant manuscripting and amendment.”

Joublanc added that there are so many ways that a breach can impact a company, so it is imperative to know exactly where a claim might come from. “Use your broker to talk about scenarios because they’ve gone through it before,” she said. “Also, try to get the broadest coverage that you can.”


Payments Professionals Focused on Fraud, New Standards

Magnus Carlsson

Much of the talk at the NACHA Payments Conference earlier this year related to fraud and the future of payments in the United States.

Payments fraud is always one of the leading topics and seems to have entered a new phase of awareness in the past couple of months. This was reflected at the conference, as there were several sessions on the topic. Furthermore, fraud ties into the future of payments in the United States. With aging payment systems and standards, the vulnerability to fraud increases. Outcomes from the Federal Reserve’s Payments System Improvement Consultation Paper were shared, as were other studies regarding the ISO 20022 standard. Migrating to electronic payments was also a major topic of discussion.

Impact of fraud and cybersecurity

After the security breaches at Target and Neiman Marcus in late 2013, fraud-related issues have been in the forefront. The question of whether or not the U.S. should adopt EMV, a more secure standard for card transactions, was highlighted during the conference. Many seem to be of the opinion that at this time there really is no alternative to EMV within a reasonable timeframe. With the liability shifts coming in October 2015, the attitude is very much reflected in the title of one of the sessions at the Payments 2014 conference, “U.S. Smart Card Migration: Ready or Not, Here It Comes!”

But not all are happy with the rollout of EMV. Retailers see high investment costs for new terminals capable of chip card transactions without knowing how long these investments will last before a new, more secure standard may surface.

There has been a lot of discussion about potentially leapfrogging EMV to a more modern standard. The problem is that there is no good alternative to smart cards at this time, if you want more secure card transactions than what a magnetic stripe can provide. There is, however, technology that could be useful, such as NFC and other mobile payments solutions. But these technologies simply do not yet have widespread use.

Meanwhile, card fraud is increasing, and there really is no time left to wait until other measures are taken. Throughout the multiple sessions on fraud and cybersecurity, one message was clear: Companies and banks cannot sit on their hands.

Migration to electronic payments
Electronic payments are also gaining more and more traction. Many companies cite the difficulty of convincing trading partners to switch from paper checks to ACH transactions, as well as problems with ACH remittance information. One of the main barriers is reluctance to provide bank information and account numbers, etc.

However, some companies shared their success stories moving from paper checks to electronic payments in several sessions. During one discussion, treasury professionals from Johnson & Johnson and Ameren Services revealed the benefits they have reaped by switching to electronic payments and remittance alternatives.

The electronic payments issue was also addressed at length at the Remittance Coalition meeting on Sunday prior to the start of the conference. One of the projects discussed was the B2B Directory project, which will help address the issue of sharing sensitive information. The core B2B Directory working group has produced a document addressing pain points as well as clear directions for what the directory should contain and how it should work.

The next step is to address issues related to governance and ownership. To instill trust and credibility, it has been suggested that the banks play a significant role. At the same time, it is not necessarily in the best interest of users if banks are the dominant actors. The meeting ended with a request for comment on the current proposal. The outcome will be shared in future meetings. The in-person meeting at the AFP Conference should be a good venue for this.

Future of the U.S. payment system
The future of the U.S. payment system was also highlighted as the Federal Reserve shared some of the findings from the “Payment System Improvement—Public Consultation Paper” published last fall. Overall it seems faster payment features are preferred. What is meant by this is, for the most part, payment notification and confirmation of good funds at initiation. For businesses, fast availability of funds is the most important feature.

Other findings include priority of domestic payment systems over global systems, problems switching from paper checks to electronic for B2B payments, too many regulations and card fraud. Regarding checks, there seems to be an opinion that they should be allowed to evolve, but not at the expense of the development of electronic alternatives. This could prove problematic as there then is less of an incentive to develop more modern payment systems.

Since many key global markets, such as SEPA, are implementing the ISO 20022 standard, any discussion regarding modernizing the U.S. payment systems should also include the ISO 20022. Some initial steps have been taken, and a business case study has been conducted to assess the potential adoption of the ISO 20022 standard for U.S. companies. This issue was also addressed in sessions at the conference.

Takeaways
Clearly, fraud is one of the leading topics of discussion among treasury and finance professionals handling payments. This is not surprising, given the highly publicized security breaches at the end of last year. If there is a silver lining regarding fraud, this publicity could be one. There seems to have been a shift in focus when it comes to cyber fraud. The publicity has exposed the vulnerability of the system and really heightened the awareness in the industry, which is the first step in fighting it.

Some of the large retailers are now actively taking action in implementing more secure methods of receiving payments, such as EMV, without waiting for the liability shift next year. The main barrier to fraud protective measures has been the complication of the actual transaction, from a customer’s perspective. But given the new awareness of fraud, it seems this barrier is becoming less important.

Related to fraud is the discussion on the aging payment systems and standards in the United States and whether fraud on a global scale is migrating from overseas because the U.S. is seen as the weakest link. The Fed’s consultation paper has helped bring more awareness of what preferences the industry has when modernizing payments. Shifting from paper checks to electronic payment methods makes sense not only from an efficiency and security standpoint, but also from a business case scenario since corporations have the opportunity to save money. Along with electronic payments is the discussion regarding standards and particularly the business case discussion of implementing the ISO 20022 standard for U.S. corporations.

An Insider’s View of GameOver Zeus
Andrew Deichler

Treasury and finance professionals who attended the 10th Annual CTC Corporate Treasurers Forum received an in-depth look at GameOver Zeus, the botnet responsible for stealing at least $125 million, including routine $1-million wire transfers. Kory Bakken, Special Agent of the Federal Bureau of Investigation, Chicago Division, went into detail about the powerful botnet, and how law enforcement agencies came together to bring it down.

Treasurers and finance executives need to understand how GameOver Zeus and other botnets operate so they can better secure their organization’s money.

What is GameOver Zeus?
Bakken noted that GameOver Zeus is an evolved version of the Zeus botnet. Zeus, a Trojan with the ability to steal banking log-in credentials, was sold as a package to cybercriminals on the black market from 2007 to 2011. “Anytime somebody would log into their banking website, it would grab the username, password and anything else that might look good,” he said. It would then put all of that data in a spreadsheet and send it back to the cybercrooks.

The author of Zeus eventually “retired” and sold his code to a new up-and-coming programmer. And so in 2011, the new Zeus owner decided to eschew selling off Zeus as a package the way that his predecessor did, and instead opted to use it himself. “So instead of a bunch of cybercriminals all over the world using Zeus, he now consolidated Zeus into something called GameOver Zeus,” Bakken said. “This was operated out of Russia and Ukraine.”

One of Zeus’ problems was that it had a command-and-control (C&C) server, with a bunch of victim computers underneath it that the server would use to spread malware. “If you could work your way up and find that command-and-control server—which is what the FBI was very good at—you could cut off the head of that server and then suddenly all of the victims underneath it would dry up, and you would knock out that botnet,” Bakken said.

GameOver Zeus was a different animal. It was written as a peer-to-peer network. Victim computers were not only in communication with the C&C server—they were in communication with each other. So should the C&C server be shut down, a victim computer—which, under the original Zeus, would have had no head computer to “talk to”—now searches for other victim computers until it eventually finds a new C&C server, and the botnet is up and running again.

“At the FBI, we always looked at this like organized crime; you cut off the [head] and everything underneath it goes away,” Bakken said. “That didn’t happen with GameOver Zeus. So we were left scratching our heads.”

GameOver Zeus is primarily a keylogger and credential stealer with man-in-the-browser capabilities. It also has a remote desktop controller, similar to GoToMyPC software. “So if your machine has been compromised with peer-to-peer Zeus, they have basically GoToMyPC on your machine and they can see everything you’re doing,” Bakken said.

GameOver Zeus also has session riding, which is its “really scary” capability, Bakken said. This begins when a computer logs into a banking website. A criminal has already compromised that computer and can see everything the user is doing. “That criminal—in the split second that you establish a session on a website—has grabbed that session ID and acts like he’s you. And so in the background, he is now running your banking session in another window. Unbeknownst to you, he is stealing all your money and is also using Webinjects to make sure that your account balance never diminishes. So you don’t realize the money in your account is going down as he’s in there.”

Even multifactor authentication methods are vulnerable to GameOver Zeus. Oftentimes, multifactor authentication for banking websites involves sending a text message to your phone. GameOver Zeus can compromise mobile phones and intercept text messages.

What is man-in-the-browser?
Man-in-the-browser (MITB) malware allows cybercriminals to affect computer browsers and alter the way users view web pages. So when a user with an infected computer attempts to log into a bank website, the site may ask for additional information (check card numbers, PINs, social security numbers, etc.) that the criminal put in there.

“Your bank is not normally asking you for this, but the customer doesn’t know that,” Bakken said. “They’re used to banks changing their user interface on a regular basis, and they think that the bank now requires them to enter this information, and they blindly do so.”

That information that victims enter does actually end up going back to the banks, as well as the cybercriminals. One would assume that a bank strangely receiving a customer’s social security number or other private information should set off a red flag; however, many banks are not catching this. “This is something that needs to be addressed,” Bakken said. “Banks need to be looking out for additional information being sent from the customers.”

Wire transfers
Multifactor authentication methods used to protect wire transfers have also proven to be vulnerable to GameOver Zeus. The Department of Justice estimates that individual fraudulent wire transfers conducted through GameOver Zeus commonly exceed $1 million.


For large companies that make wire transfers, banks have now instituted a rule that there must be one person who initiates the wire and a second person on another machine must authenticate it. “So you have two people authenticating,” Bakken said. “How credible is it that you’re going to be able to attack two different machines at once?”

With Webinjects, cybercriminals don’t have to. The first user receives an error message, saying that his or her session has been locked out and requests that another authorized user log into the machine. “So that person who initiates the wire transfer sees their CFO walking by, who also has a login at that bank. They say, ‘Can you log into my computer for me so I can open up my account?’ Now that attacker, who has the login credentials and the RSA token for that first person, has the login credentials and the RSA token for the second person. They have everything they need to be able to initiate and approve wire transfers out of that company, all from compromising one machine,” Bakken said.
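Bakken makes two bank-side points above: a bank should notice when a login submission carries fields its own form never asked for (the webinject symptom), and a dual-control rule is hollow if both approvals come from the same compromised machine. The following is an added example, not code from AFP, the FBI or any bank; the form field names, device fingerprints, IP addresses and wire events are constructed.

```python
"""Bank-side checks for the two GameOver Zeus behaviours described above.

Added illustration, not part of the AFP text. All field names, device
identifiers, addresses and log records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields the bank's own login form actually contains (constructed).
EXPECTED_LOGIN_FIELDS = {"username", "password", "otp"}

# Personal data a webinject typically grafts onto the page. Any field
# outside EXPECTED_LOGIN_FIELDS is unexpected; these are ranked high-risk.
SENSITIVE_EXTRAS = {"ssn", "card_number", "pin", "mother_maiden_name"}


def unexpected_login_fields(submitted: dict) -> dict:
    """Return fields the customer sent that the bank never asked for.

    Keys are the unexpected field names; values say whether the bank
    classes that field as high-risk personal data.
    """
    extra = set(submitted) - EXPECTED_LOGIN_FIELDS
    return {name: (name in SENSITIVE_EXTRAS) for name in sorted(extra)}


@dataclass(frozen=True)
class WireEvent:
    wire_id: str
    action: str        # "initiate" or "approve"
    user: str
    device_id: str     # browser/device fingerprint recorded by the bank
    client_ip: str
    ts: datetime


def dual_control_violations(events, max_gap=timedelta(minutes=30)):
    """Flag wires whose initiate and approve steps violate dual control.

    A wire is flagged when the approver is the initiator, or when both
    steps came from the same device fingerprint or client IP within
    max_gap of each other. The latter is the "log into my computer for
    me" pattern Bakken describes: two credentials, one machine.
    """
    by_wire = {}
    for ev in events:
        by_wire.setdefault(ev.wire_id, {})[ev.action] = ev
    findings = {}
    for wire_id, steps in by_wire.items():
        init, appr = steps.get("initiate"), steps.get("approve")
        if init is None or appr is None:
            continue                      # not yet approved, nothing to judge
        reasons = []
        if init.user == appr.user:
            reasons.append("same user initiated and approved")
        close_in_time = abs(appr.ts - init.ts) <= max_gap
        if close_in_time and init.device_id == appr.device_id:
            reasons.append("both steps from the same device fingerprint")
        if close_in_time and init.client_ip == appr.client_ip:
            reasons.append("both steps from the same client IP")
        if reasons:
            findings[wire_id] = reasons
    return findings


# Constructed sample data.
SAMPLE_LOGIN_POST = {
    "username": "alice", "password": "hunter2", "otp": "123456",
    "ssn": "000-00-0000", "card_number": "4111111111111111",  # injected fields
}

T0 = datetime(2014, 6, 2, 9, 0)
SAMPLE_EVENTS = [
    # Legitimate: two users, two devices, two addresses.
    WireEvent("W-1001", "initiate", "alice", "dev-A", "10.1.1.10", T0),
    WireEvent("W-1001", "approve", "bob", "dev-B", "10.1.1.11", T0 + timedelta(minutes=5)),
    # Webinject scenario: the CFO approves from the initiator's compromised machine.
    WireEvent("W-1002", "initiate", "alice", "dev-A", "10.1.1.10", T0 + timedelta(minutes=10)),
    WireEvent("W-1002", "approve", "cfo", "dev-A", "10.1.1.10", T0 + timedelta(minutes=12)),
    # One person doing both halves from two machines is still a violation.
    WireEvent("W-1003", "initiate", "alice", "dev-A", "10.1.1.10", T0 + timedelta(minutes=20)),
    WireEvent("W-1003", "approve", "alice", "dev-C", "10.1.1.12", T0 + timedelta(minutes=23)),
]

if __name__ == "__main__":
    print(unexpected_login_fields(SAMPLE_LOGIN_POST))
    print(dual_control_violations(SAMPLE_EVENTS))
```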

Sinkholing GameOver Zeus
GameOver Zeus was designed to thwart law enforcement’s attempts to bring it down. “We finally caught up to them this month,” Bakken said.

Following Russia’s invasion of the Crimean Peninsula, Ukrainians began working with the U.S. Soon after, the U.S. was able to locate some of the servers that were being used by the operators of GameOver Zeus. “We end up copying those command-and-control servers, and we end up finding some more in the UK,” said Bakken. “Now we’ve got some great intelligence.”

The FBI worked with private partners like FireEye and Microsoft on a plan that was put in play on June 2. “We moved on all these command-and-control servers,” Bakken said. “We took them down fast. We also figured out their algorithm for creating new command-and-control servers and new domains, and we shut it down. This is called sinkholing. So all these bots—millions of computers that had been compromised throughout the world—they tried to ‘phone home,’ and who they phoned was the FBI. So because they phoned the FBI, we know all the machines that are compromised.”

The FBI estimated that about 30 percent of the affected machines have been sinkholed. Within a day of the FBI executing its plan, Cryptolocker had been completely shut down.

“They estimated that it was over $100 million that went out over GameOver Zeus,” Bakken said. “Also, the estimate was $27 million in two months for Cryptolocker [malware spread by GameOver Zeus]. I think these estimates are low, for what these two programs were doing. Either way, we knocked off two of the biggest problems on the Internet.”

Recommendations: Defense in Depth
• Intrusion detection/prevention
• Network and endpoint safeguards
• Architecture with security in mind
• Invest in proper incident handling
• Proactive intelligence gathering
• Cyber insurance specific to your risk
• Industry-specific threats detailed in the Verizon 2014 Data Breach report
• Know where your data is
• Legal protections in the cloud
• Audit vendors/partners
• Education/training
• Develop a law enforcement contact
  - NCFTA or similar
  - FBI, Secret Service

Cyber Insurance a Top Priority for Retail Treasurers
Andrew Deichler

Treasurers of retail chain stores said they expect their companies will spend as much as triple the amount they already pay for cyber insurance in the wake of the Target security breach. That’s on top of devoting additional employee hours preparing reports to show senior management and board members their cybersecurity measures.

“The board of directors is starting to ask, ‘Could this happen to us?’” said one treasurer at AFP’s Retail Roundtable, held in Dallas in May, who spoke on the condition of anonymity. “We all say we’re PCI compliant; Target was PCI compliant, too. The board wants to know your incident response plan.”

The treasurer said his board also asked many questions about his corporation’s cyber insurance coverage. “Target had an industry-leading cyber insurance policy,” he noted. “Coverages topped out at $100 million. I think the breach cost them about $1 billion—one-tenth of the insurance that they ultimately needed. The rest of us—who probably don’t have the industry-leading position they have—are probably going to triple the amount of coverage we have this year.”

The treasurer estimated that, before the Target breach, only about 30 percent of retailers had policies to cover cybertheft. “Cyber insurance is an interesting industry, because the carriers need a lot of history in order to get comfortable with the risk,” he said. “There’s not a lot of history in cyber, other than one gigantic breach that they’re now afraid of. So they’re now more interested in what your instant response plan is, what vendor you’re going to use for forensics, etc.”

One Retail Roundtable attendee noted that even though there hasn’t been much change in her company’s day-to-day operations, her department has had to produce an extra report to the board to show where the organization is, in comparison to Target. Another treasurer said that when he first learned of the Target breach, he immediately called his assistant treasurer and let him know. “By the next day, we were already preparing for a summarized presentation for executive management,” he said.

Another treasurer at the roundtable theorized that PCI standards will ultimately be enhanced to provide better protection of personally identifiable information, rather than just payment card information. “Things like bank account numbers, social security numbers—all those things don’t have a PCI-level protocol for protection,” he said. “Maybe we should; maybe that’s going to be required in the future.”

Cybersecurity standards also may soon be going beyond debit and credit cards. The treasurer noted that NACHA is currently working on a PCI-like rule set for the ACH network. “That would probably be impactful for our businesses; we all use ACH,” he said. “If we had to protect ACH data the way we protect payment card information, that could be a big project.”

The treasurer said that the Target breach was a lot more significant for businesses than it was for consumers. “There’s a bit of a trust issue with Target but I don’t think even that is a huge issue for consumers,” he said.

Cybersecurity: From Prevention to Intelligence and Proactive Detection
Lyon Poh, KPMG

Over the past decade the focus on cybersecurity has grown rapidly, with cyberattacks escalating in both size and complexity. Over the past year, the world has witnessed massive cybersecurity breaches with impact on a global scale.

Last December, Target, one of the world’s largest retailers, confirmed that its U.S. store chain had suffered a massive data breach of 40 million credit and debit card accounts. As of February 2014, the breach has cost Target $61 million.

Also in February this year, a Distributed Denial of Service (DDoS) attack, designed to knock a company’s systems off the internet, broke the 400 gigabits per second (Gbps) mark. This ‘cyber tsunami’ smashed the record of 300 Gbps a year ago.

Separately that month internet security firm Hold Security uncovered stolen credentials from 360 million accounts and 1.25 billion email addresses available for sale on the black market. Again, this surpassed the previous record of 153 million credentials stolen from Adobe Systems last October.

These high-profile cyberattacks all point to a fact which can no longer be ignored: it is not a question of whether systems will be breached, but when.

Cyber risk high on board agendas
Cybersecurity breaches have become an urgent challenge. They threaten entire financial systems and, in some instances, have resulted in extensive damage of physical infrastructure across critical national and corporate systems.

The World Economic Forum (WEF) has also identified cyberattacks as one of the top global risks since 2012. In a report released earlier this year, the WEF noted that major technology trends could create between $9.6 trillion and $21.6 trillion in value for the global economy. Conversely, failure to defend against cyberattacks will lead to new regulations and corporate policies, which will cost the global economy some $3 trillion by 2020.

It is no wonder then that organizations today are finding themselves under heightened scrutiny. They are increasingly subjected to legislative, corporate and regulatory requirements, which demand evidence to verify that confidential information is being protected and managed appropriately.

Cyber risk has also risen in prominence on the board agenda. Investors, governments and regulators are increasingly challenging board members to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.

Current cybersecurity landscape
KPMG’s analysis of the current technology and security landscape reveals several key megatrends. For one, organizations are increasingly losing control over the computing environment.

Consumerization of information technology (IT) and the rapid adoption of disruptive technologies increase the attack surface and thus strain existing defenses. Changing work patterns including remote access, big data, cloud computing and mobile technology are among the factors that increase organizations’ exposure to cyber threats.

Cybersecurity systems are also in a state of continuous compromise. The rise of sophisticated, determined and well-funded attackers performing advanced attacks capable of bypassing traditional protection mechanisms has further increased security challenges. In some instances, threats persist undetected for extended periods.

Another major issue is right-spending and capabilities. With the pressure to optimize capital and operational spend on already constrained IT and security budgets, organizations are forced to assume that existing security measures are sufficient to mitigate today’s advanced security threats. This has challenged the ability of many of them to acquire, retain and develop relevant talent in their workforce.

Understanding the cyber adversary
Cybercriminals are, of course, also aware of these vulnerabilities. The motives of cybercriminals are various, from pure financial gain to espionage and terrorism. Understanding the adversary, or the person or organization sponsoring or conducting the attacks, is the essential first step for effective defense.

Adversaries can be divided into four categories:
• An individual hacker, generally acting alone and motivated by being able to show what he or she can do.
• The activist, focused on raising the profile of an ideology or political viewpoint, often by creating fear and disruption.
• Organized crime, focused solely on financial gain through a variety of mechanisms from phishing to selling stolen company data.
• Governments, focused on improving their geopolitical position and/or commercial interests.


Attacks by these different adversaries have a number of different characteristics, such as the type of target, the attack methods and scale of impact. Understanding the adversary will go a long way towards establishing intelligence, a vital component to effective cybersecurity.

Intelligence is key
Threat intelligence is growing in importance because solely relying on defense is no longer viable. The determined adversary will get through eventually.

Intelligence will help organizations to know and understand the larger cyber environment out there. This is so that they can quickly identify when an attack has taken place, or when an attack is imminent.

An intelligence capability enables organizations to identify potential threats and vulnerabilities in order to minimize the ‘threat attack window’ and limit the amount of time an adversary has access to the network before being discovered. Organizations that take this approach understand that threat intelligence is the ‘mechanism’ that drives cybersecurity investment and operational risk management.

Prevent, detect, respond
Having a strong intelligence capability will allow organizations to effectively prevent, detect and respond to threats.
• Prevention: This begins with governance and organization. It goes beyond technical measures to include placing responsibility for dealing with cyberattacks within the organization and awareness training for key staff.
• Detection: Through monitoring of critical events and security incidents, an organization can strengthen its technological detection measures. Monitoring and data mining together form an excellent instrument to detect abnormal patterns in data traffic, find the locations on which attacks focus and observe system performance.
• Response: This refers to activating a plan as soon as an attack occurs. During an attack, the organization should be able to directly deactivate all affected technology. When developing a response and recovery plan, an organization should perceive information security as a continuous process and not as a one-off solution.

Managing cyber threats as part of risk management

Cyber threats should be considered as part of the company’s risk management process. Companies should start with identifying the critical information assets they wish to protect against cyberattack - the crown jewels of the firm - whether these be the financial data, operational data, employee data, customer data or intellectual property.

More importantly, companies should focus on the perspective of the attackers and understand through a robust intelligence framework what the threats are after and the value of assets to cybercriminals.

Companies should also determine their cyber risk tolerance and implement controls to prepare, protect, detect and respond to a cyberattack - including managing the consequences of a cybersecurity incident.

Finally, organizations should monitor cybersecurity control effectiveness and institute a program of continuous improvement, or where needed, transformation, to match the changing cyber threat - with appropriate performance indicators.

Transforming your cybersecurity
Dealing with cyber threats today is a complex matter. As the threat landscape is continuously evolving, a shift of focus from relying solely on preventive defense to a more detective and responsive stance is critical.

Intelligence and the insight that it brings is at the heart of next generation information security.

In many large, complex global organizations, moving from a reactive to proactive operating mode requires transformative change. Technological vulnerabilities are only part of the problem. Organizations must also address core people processes, culture and behaviors so that cybersecurity becomes a company-wide approach.

Lyon Poh is Head of IT Assurance and Security, KPMG in Singapore. The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG in Singapore.

How Treasury Should Respond to Heartbleed
Andrew Deichler

Earlier this year, businesses and consumers were frantically updating software and changing passwords over the Heartbleed bug—a serious vulnerability in recent versions of OpenSSL, software that millions of websites use to encrypt communications with users. Making matters worse was the fact that an easy-to-use exploit that allows criminals to abuse the vulnerability was widely traded online.

Though time has passed, a Venafi study conducted in late July found that 97 percent of the 2,000 largest publicly traded companies are still vulnerable to Heartbleed. “When the Heartbleed vulnerability was discovered in March, many organizations scrambled to patch the bug, but failed to take all of the necessary steps to fully remediate,” Venafi wrote.

What is Heartbleed?
Heartbleed puts information protected by the SSL/TLS encryption—which provides communication security and privacy to more than half a million websites and for applications like email, instant messaging and some virtual private networks—up for grabs. The bug “allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” according to Heartbleed.com. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Carnegie Mellon University’s CERT learned that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f, noted Brian Krebs of Krebs on Security. More than half a million websites comprise this group.

CERT also found that a tool is being traded online that allows attackers to intercept up to 64 kilobytes of memory processed by vulnerable website servers. Although attackers can only recover small chunks of data at a time, they can launch as many attacks as they want until they retrieve all the information they need. “I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug,” Krebs wrote.

In addition to websites, it has also been revealed that mobile devices are vulnerable to Heartbleed. Google revealed that the majority of its Android products are immune to Heartbleed except for Android 4.1.1. Patching information for that version has been sent out to Android partners. Google said that less than 10 percent of Android devices run 4.1.1; however, that number is still very high as nearly 1 billion people use Android.

BlackBerry has also found that users of its Secure Work Space corporate email and its BBM messaging program for Android and Apple iOS are susceptible to Heartbleed. Scott Totzke, senior vice president of BlackBerry, told Reuters that the level of risk is “extremely small” because hackers would have to launch a “very complex” attack in a “very small window.” Nevertheless, BlackBerry plans to release security updates for the messaging service by Friday.

Moreover, smartphone and tablet users who have downloaded applications from commercial app stores are at risk due to apps connecting to vulnerable servers, Forbes noted. At least 66 percent of servers connected to the internet have been exposed to this bug for the past two years. Trend Micro scanned 390,000 apps in Google Play and found 1,300 of them were connected to vulnerable servers, including 15 bank-related apps, 39 online payment-related apps and 10 online shopping-related apps.

After the story broke, the Federal Financial Institutions Examination Council (FFIEC) sent a letter to U.S. banks, requesting that they incorporate patches to systems and services, applications, and appliances using OpenSSL and upgrade their systems as soon as possible. After applying the patch, the regulator also recommended that banks replace private keys and X.509 encryption certificates and require customers and administrators to change passwords. The FFIEC also recommended that banks using third-party service providers ensure those providers are aware of the bug and take appropriate action.

How should treasurers respond?

What should treasury and finance professionals do in response? Krebs recommended that companies using the vulnerable version upgrade to the latest version of OpenSSL.

Venafi noted that only 387 Global 2000 organizations had fully remediated Heartbleed as of July. The cybersecurity company emphasized that simply patching the Heartbleed vulnerability is not sufficient; businesses must also replace the old private key, reissue the certificate and revoke the old certificate. “Failure to replace the private key allows an attacker to decrypt any SSL traffic for the impacted host,” Venafi wrote. “Failure to revoke the old certificate enables the attacker to use the old certificate in phishing campaigns against the organization and its customers.”
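The remediation sequence described above (patch the affected OpenSSL build, then replace the private key, reissue and revoke the certificate, and force password changes) can be turned into a triage pass over a server inventory. The following is an added example, not code from the AFP article, Krebs, CERT or Venafi; the host inventory, dates and action labels are constructed. It uses the affected range the article reports (1.0.1 through 1.0.1f) and the fact that 1.0.1g carries the fix, and it flags the Venafi case: a host that has been patched but still serves a certificate issued before the patch date, whose key may have been read from memory while the host was exposed. A version banner is only a first-pass check; vendor builds with a back-ported fix can still report a version inside the affected range, so confirm against the package changelog before closing a ticket.

```python
"""Heartbleed remediation triage over a (constructed) server inventory.

Added example; not part of the AFP compilation or any vendor's tooling.
"""
import re
import ssl
from datetime import date

# Affected range reported by CERT / Krebs on Security: 1.0.1 through 1.0.1f.
# 1.0.1g and later carry the fix; the 1.0.0 and 0.9.8 branches never shipped
# the heartbeat extension. Assumption: the banner alone is a first-pass
# signal, since distro builds with a back-ported fix may still say 1.0.1e.
_VERSION_RE = re.compile(r"(?:OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Action labels (constructed) mirroring the FFIEC / Venafi guidance quoted above.
PATCH = "patch OpenSSL to 1.0.1g or later"
REKEY = "generate a new private key, reissue the certificate, revoke the old one"
PASSWORDS = "require users and administrators to change passwords"


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_version(banner):
    """True when the banner falls inside 1.0.1 .. 1.0.1f."""
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter == "" or letter <= "f"


def triage_host(host):
    """Return the remediation steps still owed for one inventory record.

    host keys: 'openssl' (current banner), 'cert_not_before' (date the serving
    certificate was issued), 'patched_on' (date the fix went on, or None if
    no remediation has been recorded).
    """
    if is_heartbleed_version(host["openssl"]):
        # Still exposed: everything on the checklist is outstanding.
        return [PATCH, REKEY, PASSWORDS]
    major, minor, fix, _ = parse_openssl_version(host["openssl"])
    if (major, minor, fix) != (1, 0, 1):
        return []  # branch never had the heartbeat extension; nothing to do
    patched_on = host.get("patched_on")
    # Patched build, but the certificate predates the patch (or the patch date
    # is unknown): the key it was issued with may have leaked, so patching
    # alone is not enough. This is Venafi's point above.
    if patched_on is None or host["cert_not_before"] < patched_on:
        return [REKEY, PASSWORDS]
    return []


def triage_inventory(inventory):
    """Map host name -> outstanding actions for a whole inventory."""
    return {name: triage_host(rec) for name, rec in inventory.items()}


def local_runtime_status():
    """Banner of the OpenSSL this Python is linked against, and whether it is affected."""
    banner = ssl.OPENSSL_VERSION
    return banner, is_heartbleed_version(banner)


# Constructed inventory (not real hosts): one unpatched host, one patched host
# still serving its pre-patch certificate, one fully remediated host, and one
# host on a branch that was never affected.
INVENTORY = {
    "web-1": {"openssl": "OpenSSL 1.0.1e 11 Feb 2013",
              "cert_not_before": date(2013, 5, 1), "patched_on": None},
    "web-2": {"openssl": "OpenSSL 1.0.1g 7 Apr 2014",
              "cert_not_before": date(2013, 5, 1), "patched_on": date(2014, 4, 9)},
    "web-3": {"openssl": "OpenSSL 1.0.1g 7 Apr 2014",
              "cert_not_before": date(2014, 4, 10), "patched_on": date(2014, 4, 9)},
    "legacy": {"openssl": "OpenSSL 1.0.0k 5 Feb 2013",
               "cert_not_before": date(2013, 3, 1), "patched_on": None},
}

if __name__ == "__main__":
    for name, actions in triage_inventory(INVENTORY).items():
        print(name, "->", actions or "nothing outstanding")
    print("local runtime:", local_runtime_status())
```

The ordering in the output is the ordering the article's sources give: patch first, then rekey and revoke, then rotate passwords, because passwords changed before the patch can be captured again through the still-open bug.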

Joram Borenstein, vice president at NICE Actimize, insisted that the Heartbleed vulnerability will be utilized in account takeover fraud schemes. “This reinforces the need for systems that monitor activity for changes in behavior,” he said. “Fraud management in layers is robust even in the face of failures in one layer. The fact that the flaw is in newer versions of the SSL software also indicates a lack of robust software testing in the software development lifecycle used. Functionality testing has to be augmented with vulnerability testing in the SDLC.”

Borenstein acknowledged that there have not yet been any confirmed reports of account takeover fraud occurring as a direct result of Heartbleed. However, he believes this may be because cybercriminals are currently purloining as much information as possible from vulnerable systems, knowing that it is taking some financial institutions longer than others to get all of their systems patched and reconstructed. “In such scenarios, fraudsters can at a later point in time analyze what it is precisely they have stolen and then determine how to use it, whether it be for an account takeover scheme or something else,” he told AFP.


Supermarket Breach Compromises Millions?

Andrew Deichler

Supervalu, a Fortune 500 grocery retailer, recently revealed that it had incurred a security breach. At least one security expert believes that “millions” of credit and debit cards may have been compromised.

Supervalu stores include Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy. Cards used between June 22, 2014 and July 17, 2014 at 209 stores may have been affected. Supervalu also warned that the breach may have affected 29 franchised Cub Foods stores and stand-alone liquor shops.

Additionally, AB Acquisitions, which operates more than 1,000 grocery stores in 29 states, admitted that stores it acquired from Supervalu last year had also been breached over the same timeframe. An unknown number of shoppers at ACME, Albertsons, Amigos, Jewel-Osco, Lucky, Market Street, Shaws, Star Market, Super Saver and United Supermarkets have had their credit and debit card information exposed.


AB revealed that Albertson stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. ACME stores in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were also affected.

Details are sparse at this time, but point-of-sale malware, similar to what was used to breach Target at the end of last year, looks like a likely culprit. While smaller than the Target breach, Evan Francen, president of the information security management company FRSecure, noted that this incident could still be far-reaching due to the number of stores Supervalu operates and the length of time the breach apparently went unnoticed. “It’s pretty widespread and it was almost a full month of card usage. Millions of card numbers were probably stolen,” he told the Minneapolis Business Journal. “It’s disappointing that they haven’t been more forthcoming. No one really knows what’s going on.”

In a statement, Supervalu said that the breach may have resulted in the theft of account numbers, cardholder names, expiration dates and other numerical information from its POS systems. However, Francen noted that if this was indeed caused by POS malware, hackers could access all the information contained on the magnetic stripe of a card, including unencrypted PINs and internal CVV codes. That information would allow a fraudster to easily clone a card.

At this time, there have been no reports of cardholder data being misused. Supervalu and AB are working together with law enforcement and a third-party IT services provider to investigate the incident.

EMV and other solutions

Brian Krebs of Krebs on Security noted that the recent influx of retail breaches may be due to the coming EMV liability shift. Most retailers are working to meet the October 2015 deadline established by MasterCard and Visa for retailers to install EMV chip-and-PIN terminals. After that deadline, merchants who have not adopted chip-and-PIN could find themselves responsible for all fraudulent charges involving chip cards swiped through an old mag-stripe reader. Therefore, merchants have a major incentive to upgrade their POS systems.

Although EMV will not completely protect retailers against POS malware, it can make it more difficult for fraudsters to achieve their goals. “EMV is basically a card-present solution,” Drew Luca, partner and co-lead of PwC’s U.S. payments practice, told AFP Fraudwatch. “It removes a point from which you can collect the data. Some of the breaches that you’ve seen of late, where the data is actually collected in flight in a point-of-sale environment, could potentially be thwarted or at least slowed down.”

Nevertheless, EMV is by no means a panacea for fraud. End-to-end encryption and tokenization are ideal for protecting card data in situations where a card needs to be kept on file, Luca noted. However, some merchants prefer to outsource that responsibility. “We’ve helped a number of retailers where they don’t store the card number at all—they essentially outsource it completely,” he said. “That situation works better with an e-commerce merchant than it does with a big box retailer. But there are some big retailers who have gone down a similar path, where the card is swiped but it never resides on their premises. They push it out to a third-party processor.”
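Luca's point that a card can be "swiped but never reside on their premises" is what tokenization buys: the merchant's own database holds only a token and the last four digits, and the primary account number (PAN) lives with the processor. The sketch below is an added example, not code from the AFP article, PwC or any processor; the vault, token format and customer record are constructed. The vault stands in for the third-party processor, and the one design choice worth noting is that a token is regenerated until it fails the Luhn check, so that a leaked token can never be mistaken for, or replayed as, a live card number.

```python
"""Card-on-file tokenization sketch: merchant keeps a token and last four
digits; the PAN is stored only in the processor-side vault.

Added example; not from the AFP compilation or any vendor. All values are
constructed; 4111111111111111 is a conventional test card number.
"""
import secrets


def luhn_valid(pan):
    """Luhn check-digit test used for card numbers (ISO/IEC 7812)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the third-party processor: the only place a PAN is kept."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}  # same card maps to the same token for repeat customers

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # 12 random digits plus the real last four: useful for display and
            # receipts, but not reversible without the vault. Regenerate until
            # the token fails Luhn so it can never pass as a real card number.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Processor-side only: the merchant never calls this."""
        return self._pan_by_token[token]


def store_card_on_file(vault, customer_id, pan):
    """Merchant side: the record that is written to the merchant's database.

    No PAN field exists in the record, so a breach of the merchant's
    database yields tokens that cannot be used to clone a card.
    """
    token = vault.tokenize(pan)
    return {"customer_id": customer_id, "token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = store_card_on_file(vault, "cust-42", "4111111111111111")
    print("merchant record:", record)
    print("processor resolves token:", vault.detokenize(record["token"]))
```

In production the vault is the processor's system and `detokenize` is reachable only through the processor's authenticated charge API; the point of the split is that the merchant's side of the diagram contains nothing a fraudster could clone.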

In this new paradigm, retailers need to stop asking whether they are going to be breached and instead focus on containing a breach quickly when it happens, Luca explained. “It’s not a question of whether or not you’re going to be breached. The question is if it will be contained or uncontained,” he said. “Do I notice that you’re at the front door? Do I notice that you’re walking around to the back door? Do I notice that you got into my house? Or do you get out of my house with the jewelry before I know you’re here? That’s uncontained.”

Added Luca: “Contained is, yes, you got in and you touched some things, and I know exactly what you touched and hopefully you can’t get it out. If I know what you touched, I know how to contain the bleeding much faster. That’s the problem with a lot of the breaches. You’re not set up in a way that you understand quickly what was touched and what wasn’t touched. So you have to assume that everything was, and the forensic analysis that goes along with figuring out what got touched is pretty substantial and time-consuming.”


About the Association for Financial Professionals

Headquartered outside Washington, D.C., the Association for Financial Professionals (AFP) is the professional society that represents finance executives globally. AFP established and administers the Certified Treasury Professional™ and Certified Corporate FP&A Professional™ credentials, which set standards of excellence in finance. The quarterly AFP Corporate Cash Indicators™ serve as a bellwether of economic growth. The AFP Annual Conference is the largest networking event for corporate finance professionals in the world.

AFP, Association for Financial Professionals, Certified Treasury Professional, and Certified Corporate Financial Planning & Analysis Professional are registered trademarks of the Association for Financial Professionals. © 2014 Association for Financial Professionals, Inc. All Rights Reserved.

General Inquiries [email protected]

Web Site www.AFPonline.org

Phone 301.907.2862


AFP, Association for Financial Professionals and the AFP logo are registered trademarks of the Association for Financial Professionals. © 9/14

Join 16,000 treasury and finance professionals around the world.

Join AFP®

Complimentary Webinars / Original Research / Market Data / Topical Guides / Country Profiles / Membership Directory / Global Career Center / RFP Resource Center

Become an AFP member: www.AFPonline.org/Join