Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

ATM Heist points to fundamental business and technology issues in the payment systems

by Avivah Litan  |  May 14, 2013  |  6 Comments

The recently disclosed $45 million worldwide ATM cashout heist (see bankinfosecurity.com) points to many practical business and technology issues that payment system participants face.

Here are just a few of them:

a) One of the more troubling issues in these breaches is the difficulty of determining which points in the network chain the fraudsters actually compromised. That makes it very hard for card issuers to recover their lost funds, because they don’t know who is liable for the breach.

b) From conversations I’ve had with various issuer clients regarding recent breaches, the card brands (Visa and MasterCard) are often not as helpful in helping card issuers recover funds as the issuers would like them to be, perhaps because the card brands don’t know where to assign the liability.

c) Frankly, from a holistic viewpoint, companies that accept or process card payments are in a no-win situation when it comes to a breach. They can do their best and spend a great deal of money and time getting validated as PCI compliant, but a compliance validation is a point-in-time assessment and gives them no safe harbor from the penalties incurred if they are breached anyway. And the auditors (Qualified Security Assessors) who certify these eventually breached companies as PCI compliant have BIG disclaimers in their contracts stating that they take NO responsibility if their clients are in fact breached.

d) There are so many parties in the payment chain that assigning blame in these types of breaches is very difficult. For example, there can easily be seven round-trip hops or more between an ATM cash withdrawal request and the cash disbursement, and the leakage can happen at any of those points or hops.

e) A point-the-finger, assign-blame approach is, in the end, a dead end and a lose-lose for all parties concerned. A win-win approach would be to strengthen the security of the card payment system through stronger user authentication and more secure media for requesting payments or cash withdrawals (e.g. chip-and-PIN cards based on the EMV standard).

f) Until then, we will continue to try to keep a leaky, insecure payment system secure. It reminds me of the little Dutch boy who stuck his finger in the dike and successfully stopped the sea water from flooding his home town. He was successful because he stopped the leak when it was very small. I think we are too late when it comes to our global card payment systems. We probably need, at the very least, a major cyber-army in this instance.


DDoS business logic attacks – watch those ticket prices

by Avivah Litan  |  May 2, 2013  |  Comments Off

Just when you think you understand the trends in DDoS attacks, you hear about a new twist. The latest variant is a business logic attack against primary online ticket sellers: the companies hosting an event, or the ticket sellers selling on their behalf at retail prices.

As anyone who has bought tickets on Ticketmaster or any other primary ticket seller’s website knows, you pick your seats for an event and have a few minutes to complete the purchase before those seats are released for someone else to buy. Ticket resellers in the secondary market want to keep the inventory of available seats low so they can keep their own prices high. So, to restrict that inventory, they run a targeted denial of service against the primary ticketing agents’ websites: a business logic attack against the shopping cart that keeps seats locked up (held, but never purchased). Unlike a volumetric DDoS, this takes very little bandwidth; it exhausts the seat inventory rather than the servers.

I’ve heard about business logic DDoS attacks for competitive reasons before, but frankly, this is the first live example I’ve come across. It’s appalling, isn’t it? I wish I could just show up in person somewhere close to buy the tickets and avoid all the ‘games’ and all those ‘service’ fees.
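Concretely, the hold abuse described above leaves a fingerprint in the cart log that a fraud team can score. The following is an added example, not code from this post or from any ticketing vendor; the event format, the client identifiers and the thresholds are assumptions, and the events are constructed for illustration:

```python
"""Flag cart-hold abuse against a primary ticket seller.

Added example, not code from the original post. The event format, the
client identifiers and the thresholds are assumptions; the events below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed cart log: one event per line, fields separated by spaces.
# HOLD reserves a seat for the checkout timer, PURCHASE converts it,
# EXPIRE releases it when the timer runs out, RELEASE is a voluntary drop.
SAMPLE_EVENTS = """\
2013-05-02T10:00:00 c-1001 HOLD A1
2013-05-02T10:00:05 c-1001 HOLD A2
2013-05-02T10:02:30 c-1001 PURCHASE A1
2013-05-02T10:02:31 c-1001 RELEASE A2
2013-05-02T10:00:00 bot-7 HOLD B1
2013-05-02T10:00:00 bot-7 HOLD B2
2013-05-02T10:00:01 bot-7 HOLD B3
2013-05-02T10:05:00 bot-7 EXPIRE B1
2013-05-02T10:05:00 bot-7 EXPIRE B2
2013-05-02T10:05:01 bot-7 EXPIRE B3
2013-05-02T10:05:02 bot-7 HOLD B1
2013-05-02T10:05:02 bot-7 HOLD B2
2013-05-02T10:05:03 bot-7 HOLD B3
2013-05-02T10:10:02 bot-7 EXPIRE B1
2013-05-02T10:10:02 bot-7 EXPIRE B2
2013-05-02T10:10:03 bot-7 EXPIRE B3
2013-05-02T10:10:04 bot-7 HOLD B1
2013-05-02T10:10:04 bot-7 HOLD B2
2013-05-02T10:10:05 bot-7 HOLD B3
"""

# Assumed: grabbing a seat again this soon after its hold lapsed looks scripted.
REHOLD_WINDOW = timedelta(seconds=30)


def parse_events(text):
    """Return (timestamp, client, action, seat) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, action, seat = line.split()
        events.append((datetime.fromisoformat(ts), client, action, seat))
    # Stable sort: events with equal timestamps keep their log order.
    return sorted(events, key=lambda e: e[0])


def client_stats(events):
    """Count holds, purchases, expiries and rapid re-holds per client."""
    stats = defaultdict(lambda: {"holds": 0, "purchases": 0, "expires": 0, "reholds": 0})
    last_expire = {}  # (client, seat) -> time that client's hold lapsed
    for ts, client, action, seat in events:
        s = stats[client]
        if action == "HOLD":
            s["holds"] += 1
            lapsed = last_expire.get((client, seat))
            if lapsed is not None and ts - lapsed <= REHOLD_WINDOW:
                s["reholds"] += 1
        elif action == "PURCHASE":
            s["purchases"] += 1
        elif action == "EXPIRE":
            s["expires"] += 1
            last_expire[(client, seat)] = ts
    return dict(stats)


def flag_abusers(stats, min_holds=5, min_conversion=0.2, min_reholds=2):
    """Return {client: [reasons]} for clients whose holds rarely become sales."""
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["holds"] >= max(min_holds, 1) and s["purchases"] / s["holds"] < min_conversion:
            reasons.append(f"low conversion: {s['purchases']}/{s['holds']} holds purchased")
        if s["reholds"] >= min_reholds:
            reasons.append(f"{s['reholds']} re-holds of just-expired seats")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_abusers(client_stats(parse_events(SAMPLE_EVENTS))).items():
        print(client, "->", "; ".join(reasons))
```

The two signals are a hold-to-purchase ratio far below what real buyers produce, and a re-hold of the same seat seconds after its timer lapsed, which a person clicking through a seat map rarely manages. Flagged clients can be capped on concurrent holds or asked for stronger authentication before holding again. Note that the cart logic, not the network, is the target here, so a bandwidth-based DDoS defense never sees this attack.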


What the DDoS vendors can learn from the banks

by Avivah Litan  |  April 4, 2013  |  9 Comments

I may be naive and uninformed (I’m not a network security analyst), but it occurs to me that the DDoS vendors need better modeling to distinguish good from bad traffic. It appears that they are rule based and can’t fend off DDoS attacks they haven’t already seen or thought about and programmed a solution for.

The more appropriate technique would be to model good network and application access behavior so that aberrant behavior can be spotted more easily, rather than waiting for already identified ‘bad behavior’ to show up, especially when much of what we are seeing has not yet been identified.

The banks and the DDoS vendors should sharpen their tools so that they can more readily distinguish good from bad access behavior. I realize this is much easier said than done, and the potential for false positives and for locking good customers out is very high. Still, some great modelers and analytical folks should be able to get the job done. Some banks are very good at behavioral modeling and surely have the expertise to make some of this happen.
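One way to make that concrete, as an added example that is not code from this post or from any vendor’s product: fit a per-feature baseline (mean and spread) on sessions known to be good, then score each new session by how many standard deviations it sits from that baseline, flagging whatever falls outside. The log format, the three features and the 3-sigma threshold are my assumptions, and the baseline sessions and log lines are constructed for illustration.

```python
"""Score access behavior against a baseline of known-good sessions.

Added example, not code from the original post or any vendor product.
Log format, feature choice and thresholds are assumptions; the baseline
sessions and log lines below are constructed for illustration.
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: per-session features measured on known-good
# traffic (requests per minute, share of requests hitting /login,
# number of distinct paths visited).
GOOD_SESSIONS = [
    {"rpm": 3, "login_share": 0.20, "distinct_paths": 4},
    {"rpm": 4, "login_share": 0.25, "distinct_paths": 5},
    {"rpm": 2, "login_share": 0.00, "distinct_paths": 3},
    {"rpm": 5, "login_share": 0.20, "distinct_paths": 6},
    {"rpm": 3, "login_share": 0.25, "distinct_paths": 4},
    {"rpm": 4, "login_share": 0.10, "distinct_paths": 5},
]

# Constructed access-log excerpts: "<iso timestamp> <client> <method> <path> <status>"
BENIGN_SESSION = """\
2013-04-04T10:00:00 198.51.100.7 GET / 200
2013-04-04T10:01:00 198.51.100.7 POST /login 302
2013-04-04T10:02:00 198.51.100.7 GET /account 200
2013-04-04T10:03:00 198.51.100.7 GET /transfer 200
2013-04-04T10:04:00 198.51.100.7 GET /logout 302
"""

# A scripted client hammering the login form: 30 POSTs in under a minute.
BOT_SESSION = "\n".join(
    f"2013-04-04T10:00:{2 * i:02d} 203.0.113.9 POST /login 401" for i in range(30)
)


def session_features(log_text):
    """Extract the three behavioral features from one client's log lines."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    times = [datetime.fromisoformat(r[0]) for r in rows]
    paths = [r[3] for r in rows]
    # Span is floored at one minute so a short burst cannot divide by zero.
    span_seconds = max((max(times) - min(times)).total_seconds(), 60.0)
    return {
        "rpm": len(rows) * 60.0 / span_seconds,
        "login_share": paths.count("/login") / len(paths),
        "distinct_paths": len(set(paths)),
    }


class Baseline:
    """Per-feature mean and standard deviation of good behavior."""

    def __init__(self, sessions):
        self.stats = {}
        for feature in sessions[0]:
            values = [s[feature] for s in sessions]
            # Floor the spread so a constant feature cannot produce an infinite z.
            self.stats[feature] = (mean(values), max(pstdev(values), 1e-9))

    def zscores(self, features):
        """Signed distance from baseline, in standard deviations, per feature."""
        return {f: (features[f] - mu) / sd for f, (mu, sd) in self.stats.items()}

    def anomalous_features(self, features, k=3.0):
        """Return the set of features deviating more than k standard deviations."""
        return {f for f, z in self.zscores(features).items() if abs(z) > k}


if __name__ == "__main__":
    baseline = Baseline(GOOD_SESSIONS)
    for name, log in (("benign", BENIGN_SESSION), ("bot", BOT_SESSION)):
        feats = session_features(log)
        print(name, feats, sorted(baseline.anomalous_features(feats)))
```

The benign session’s request rate sits about two standard deviations below baseline and is not flagged; a tighter threshold would start catching legitimate but unusual customers, which is exactly the false-positive cost described above. In practice the baseline has to be segmented (per endpoint, per customer tier, per time of day) and refreshed, and a bot that stays inside the fitted envelope is invisible to this check, so it complements rather than replaces rate limiting.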


Are the ongoing DDoS attacks against U.S. banks just the calm before the storm?

by Avivah Litan  |  March 14, 2013  |  1 Comment

That’s a viable hypothesis after hearing that the attackers used only one third of the bandwidth they had staged for their latest round of attacks against U.S. banks last Tuesday. Reportedly, the total size of the DDoS attack that day peaked at 190 Gbps, with the largest attack against a single bank at 110 Gbps.

Interestingly, the attackers could easily have done even more damage, but they chose not to. 9,200 bots were identified as attack-capable, but only about 3,200 actually sent DDoS traffic to the banks. The other 6,000 sat there doing nothing.

Also, reportedly, no single bot was used to attack more than one bank. Different bots were allocated to different banks, which is very different from the strategy employed when this whole thing started, when all 3,000 bots were used against every bank that was targeted.

Shifting cyberwar strategies. I wonder what’s going on on the U.S. side. I wonder if the U.S. government is about to launch a counterattack. This whole mess could get a lot messier. It seems to me like an unending losing battle for more bandwidth. We need a paradigm shift in how we secure our websites.

In the meantime, check your bank balance often and try to keep it as low as possible :) While the possibility of fraud against it is still very low, there are increasing reports of fraud associated with the lower-bandwidth DDoS attacks that are also being launched, presumably by a different gang from the one conducting the high-bandwidth attacks.


PCI and VoIP – the impossible requirement

by Avivah Litan  |  March 6, 2013  |  3 Comments

Yesterday I had yet another call with a mega-retailer on safeguarding VoIP communications in the enterprise, per the PCI requirements.

The problem is that if you don’t encrypt your VoIP traffic when you implement the telecom system (which would keep the rest of the corporate network out of scope for the PCI audit), you are left having to segment off the VoIP traffic in the enterprise, since some of it carries credit card numbers spoken over the phone.

If one general-purpose digital PBX supports the entire company’s VoIP system, including hundreds of distributed retail outlets, segmenting off the parts of the network that might carry card data is very expensive and difficult. The same isn’t true of a VoIP system that serves only a call center, where normal network segmentation practices apply.

This retailer, who does have a general PBX system supporting the entire enterprise operation, had checked with some fellow retailers, and all were running into the same issue. I didn’t have any practical and proven solutions that I could pull out.

If any of you have, please chime in.
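As a starting check for the encrypt-first option mentioned above, here is an added example (not code from this post, and not a solution to the segmentation problem described) that inspects SIP INVITEs for the two things an assessor would ask about on a VoIP path carrying spoken card numbers: whether the signaling hop used TLS, and whether the SDP offer negotiated SRTP (an RTP/SAVP profile with key material) rather than plain RTP/AVP. The two INVITE messages, addresses, branch tags and key material are constructed.

```python
"""Check SIP INVITEs for unencrypted signaling and media negotiation.

Added example, not code from the original post. It audits the
encrypt-first option the post mentions: SIP over TLS and SRTP (RTP/SAVP
in the SDP offer). The two INVITEs below are constructed; addresses,
branch tags and crypto key material are placeholders.
"""

PLAINTEXT_INVITE = "\r\n".join([
    "INVITE sip:5550100@pbx.example.internal SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed-1",
    "From: <sip:store-231@pbx.example.internal>;tag=1928301774",
    "To: <sip:5550100@pbx.example.internal>",
    "Call-ID: constructed-call-1@192.0.2.10",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=store-231 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 101",   # plain RTP: audio crosses the LAN in the clear
    "a=rtpmap:0 PCMU/8000",
])

SRTP_INVITE = "\r\n".join([
    "INVITE sip:5550100@pbx.example.internal SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.11:5061;branch=z9hG4bK-constructed-2",
    "From: <sip:store-232@pbx.example.internal>;tag=1928301775",
    "To: <sip:5550100@pbx.example.internal>",
    "Call-ID: constructed-call-2@192.0.2.11",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=store-232 2890844527 2890844527 IN IP4 192.0.2.11",
    "s=-",
    "c=IN IP4 192.0.2.11",
    "t=0 0",
    "m=audio 49172 RTP/SAVP 0 8",      # SRTP profile
    # Constructed SDES key; a real offer carries a fresh 30-byte key per call.
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmWGxicUFzUW5xNTJraHE0S0hFNXFsRmhhS0Jx",
    "a=rtpmap:0 PCMU/8000",
])


def parse_sip(message):
    """Split a SIP message into (request line, {header: [values]}, body).

    Header names are lower-cased; SIP compact header forms are not handled.
    """
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def audit_invite(message):
    """Return {'signaling_tls': bool, 'media': [(kind, profile)], 'issues': [str]}."""
    _, headers, body = parse_sip(message)
    issues = []
    # The topmost Via names the transport this hop used for signaling.
    via = headers.get("via", [""])[0]
    signaling_tls = via.upper().startswith("SIP/2.0/TLS")
    if not signaling_tls:
        issues.append("signaling not over TLS (SDP and dialed digits readable in transit)")
    sdp_lines = body.split("\r\n")
    has_crypto = any(line.startswith("a=crypto:") for line in sdp_lines)
    media = []
    for line in sdp_lines:
        if not line.startswith("m="):
            continue
        kind, _port, profile, *_ = line[2:].split()
        media.append((kind, profile))
        if "SAVP" not in profile:
            issues.append(f"{kind} media offered as {profile} (unencrypted RTP)")
        elif profile == "RTP/SAVP" and not has_crypto:
            # SDES-keyed SRTP needs a=crypto; DTLS-SRTP (UDP/TLS/RTP/SAVP) keys differently.
            issues.append(f"{kind} offers RTP/SAVP without an a=crypto key line")
    return {"signaling_tls": signaling_tls, "media": media, "issues": issues}


if __name__ == "__main__":
    for label, msg in (("plaintext", PLAINTEXT_INVITE), ("srtp", SRTP_INVITE)):
        print(label, audit_invite(msg))
```

This checks only the offer; the SDP answer and the RTP actually on the wire need the same scrutiny, and a capture from the wrong side of a session border controller can show TLS where the far leg is UDP. Even with SRTP end to end, call recordings and agent screens that capture the spoken number remain cardholder data, so encryption narrows the segmentation problem rather than removing it.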


Hi and Low Tech Musings from RSA Security conference

by Avivah Litan  |  February 28, 2013  |  5 Comments

I just got back from the RSA Security conference in San Francisco, an invigorating gathering of security professionals which frankly – at least for me – is always a fun crowd to be around. My main takeaway is that the crimes and infractions we should be focused on are either very low or very high tech. Most of the security budget has been spent in the middle and the solutions put in place generally haven’t stopped the attacks executed on these two ends of the spectrum.

Seasoned security managers whom I speak with feel the situation is becoming untenable and that the industry needs a ‘paradigm’ shift. There are simply too many things to worry about and too many point security solutions that need to be patched together and integrated. Indeed, one colleague cited a statistic about the incredibly high number of man-hours his organization spends just keeping its 200 or so security-related applications up to date and working together.

Key takeaways from the conference:

a) Insider fraud is mainly very low tech and does not involve collusion. CERT presented its findings on insider financial fraud at banks, and that was its conclusion after closely examining 80 cases of insider fraud at U.S. banks. What did they find? Low-and-slow crimes (detection took an average of 2.5 years after the fraud started) using very low-tech techniques, such as customer service reps in call centers printing screens full of customer PII, or bookkeepers changing entries to pay themselves.

Significantly, only 6 percent of these insider cases were detected by software. The others were discovered mainly through tips or aroused suspicions (e.g. when a low-salaried employee suddenly starts driving a brand new BMW). The CERT team didn’t correlate the findings with security expenditures at these organizations, but I would bet that most of the highly regulated banks that were surveyed had spent a lot of money on identity and access management (IAM) systems.

But while low-tech insider fraud should be a major concern for enterprises (it does result in significant financial damage) – I didn’t come across any other mention of it at the conference other than this one presentation by CERT.

b) In contrast, ‘sophisticated’ high-tech attacks are capturing most of the R&D and innovation dollars. The ‘hottest’ vendors on the RSA conference expo floor were positioning their software and services as necessary for defending an enterprise and its assets against today’s advanced targeted attacks. Whether it’s the Chinese, Iranians, or Ukrainians, it’s creating a call to cyber-arms that no one wants to ignore. So unlike the unglamorous low-tech threat, this category is getting all the dollars and attention.

c) DDoS continues. While the security professionals were busy at the conference, the DDoS attacks against U.S. banks continued. Demonstrating the cat-and-mouse nature of these attacks, the attackers have reportedly grown their botnet from 3,000 servers (with high-bandwidth connectivity to the Internet) to 10,000. They are attacking multiple bank domains at a time, rather than one at a time, taxing the resources of the hosting ISPs. And they are reportedly deploying new application-layer DDoS tactics against their target banks’ web applications, further hampering the banks’ ability to defend themselves. These shifts in attack tactics will no doubt spur new spending and solutions by the victims while the offense/defense cycle continues to spiral.

Bottom line – the attack vectors that I see working are either very low tech or very high tech. But not too many people seem interested in investing in the solutions and processes that can stop the boring low tech crimes. Under-the-radar high-tech espionage and crime is getting all the attention and dollars, and I still haven’t heard about any of it being stopped. Meanwhile, the political crazies are flexing their cyber-muscles and embarrassing the heck out of our IT security industry.


Secrets of Israeli Security

by Avivah Litan  |  February 14, 2013  |  Comments Off

I know it’s been written about before, in the book Startup Nation, but having just returned from a two-week trip to Israel, where I met with about 60 high-tech security startups and Israeli enterprise users of their technology, I can’t help but reflect on the keys to Israel’s success in this field.

The military unit 8200, a laboratory that fosters technological innovation that helps secure the nation, has become the elite military unit of the country. It used to be that the best of the best were recruited into the Israel Air Force but that has changed in recent years and now the military unit to join if you are super smart, balanced, trustworthy and creative enough is the 8200 unit.

The Israeli government is indeed very progressive when it comes to the 8200 unit. They allow the kids creating all these innovative applications and systems to take their ideas and practical experience to the private sector when they are released from the army. And these ideas and experiences become the seeds for new startups that they invariably start – many of which are understandably in the field of cybersecurity.

The other critical aspect is the relationships these young soldiers form with each other in the military. Thrust into very barren, sparse and dangerous situations (for example, being dumped in pairs in the desert on a training mission with nothing but a supply or two for a couple of weeks), they form very strong bonds with each other and learn to trust one another in ways most of us never have an opportunity to experience.

These friends are the same guys (it’s usually men) that get together to form companies with each other. And if they don’t end up in the same company on round one, they usually end up working with the guys from their units in round two or three. That leads to another point that really struck me – most of the ‘older’ fellows I met that founded startups were on their second, third or even fifth round. They just keep going at it. Only a few stick with the company they start, and instead of getting acquired, build it into a mega-Israeli company. Some Israeli policy makers would prefer more would end up in this latter category and keep the companies and jobs in the country as they grow into mega corporations.

So what technologies stood out? In fact I was exposed to many interesting and practical ideas. What stood out to me most, however, was bringing behavioral profiling with few false positives to enterprise security. Few false positives? Yes, I am doubtful too but that’s what a couple of these companies claimed. We will see if it really pans out but if it does, these will no doubt be killer apps.

One promising technology brings new meaning to application control. Instead of blacklisting or whitelisting applications (which we just saw recently can be broken by signing and trusting a bad application), the application control checks the behavior of desktop applications to see if they are malware, and then checks communications from the enterprise to outside servers to look for the same.

A second promising application baselines and profiles communications and activities within an enterprise network – whether from or to devices, nodes, users, files, servers, etc. It claims to be able to see any aberration that reflects an advanced targeted attack, even if the aberrational behavior only appears for a few minutes or seconds periodically over a long period. Believable? Well just maybe when you think about what Stuxnet achieved.


Bank Regulator issues informative alert on DDoS attacks

by Avivah Litan  |  December 21, 2012  |  1 Comment

Today the OCC put out an alert to its banks on the recent spate of DDoS attacks. The regulators acknowledged the existence of different attacker groups, some politically motivated and others financially motivated. They also acknowledged that these DDoS attacks have in fact led to, or been associated with, fraud and customer account takeover.

The regulators do an excellent job of telling banks what to look out for, i.e. what some of these attacks look like. They are also correct in putting the banks on notice that:

a) They must ensure third party service providers (e.g. ISPs) are prepared for these events and doing all they can
b) They must disclose these incidents to the regulators and law enforcement
c) They must deploy layered security as outlined in the FFIEC guidance to mitigate financial damage from these attacks.

It’s reassuring to see that the OCC takes these threats very seriously. No doubt, they will step up their enforcement of FFIEC guidance on Internet banking security. That’s actually a good thing because regulators drive security action and spending, even though we would all like to think that this focus on security would exist independently in all cases and across the board – even without the regulators.

That simply isn’t the way it is. Some banks do spend enough on security – but many do not. This will help ensure that all – and not just some – of the banks regulated by the OCC at least, are putting the requisite resources into defending against DDoS attacks and their attending damage.

This is definitely a threat to the day-to-day workings of our financial systems. Thankfully there are lots of backup routes into a bank, e.g. the branch, the ATM or the call center. But many users and customers depend on the Internet, and it’s very disruptive to business when it’s down.

In the meantime, add DDoS attacks to the checklist of things to worry about when trying to prevent fraud. Hopefully this will get the security, networking and fraud folks at the target financial institutions working more closely together.


DDoS and Project Blitzkrieg attacks are keeping U.S. bankers awake at night

by Avivah Litan  |  December 18, 2012  |  2 Comments

There has been much talk at the banks and in the press around DDoS attacks allegedly sponsored by Iran and praised by Hamas, and an upcoming “Project Blitzkrieg” threatening costly online theft at 30 U.S. banks.

While many in the industry ‘pooh-pooh’ these threats, I have now heard from a few senior, credible sources that the DDoS attacks against major U.S. banks in recent months were definitely linked to online fraud.

Apparently, if you put all the information together, there are three classes of DDoS attackers and attacks:

a) Political hacktivists conducting DDoS attacks with no ability to commit fraud (e.g. wire money out of a customer’s account to a mule account and then to their own) and no fraud committed.

b) Political hacktivists conducting DDoS attacks with no ability to commit fraud, but fraud is committed by a different gang taking advantage of distracted bank security staff.

c) One financially motivated gang conducting the DDoS attacks and committing fraud at the same time.

It’s important to note that the megabanks being attacked have many online properties, so a DDoS attack against one specific domain can leave the other domains up and running while the security staff who manage all of them are very much distracted. The result: online fraud can occur, and has occurred, during the DDoS attacks.

So while there are conflicting opinions and accounts over what’s happened, this is how I sum up what I have heard from well-placed professionals.

Solution: layers of fraud prevention, authentication and authorization controls. We’ve got a lot of research in this area, including a research note coming out “Innovation drives Seven Dimensions of Context Aware Security.”

The note also discusses the importance of organizational focus and alignment. For sure the technical solutions are out there – and using them effectively can likely stop 80-90% of the damage. The key barrier to success is lining up the right resources in the right way to stop these bad guys – whoever they are and however real their threats are — head on.


Middle East Ceasefire welcome but does it apply to cyber-attacks?

by Avivah Litan  |  November 21, 2012  |  Comments Off

Everyone is relieved about the temporary ceasefire between Israel and Hamas and hoping it will hold. Pale as it may sound when physical safety is compromised, there’s been a continuous flow of DDoS attacks against Israeli government and business websites during the Gaza crisis.

The latest one I heard about was today’s attack against the major Israeli ISP and email provider, Netvision.

News about the recent DDoS attacks against major U.S. banks has faded into the background since Hurricane Sandy (although there was one against a major U.S. bank during the hurricane itself). But enterprises need to remember that, according to academic researchers and active industry participants, those attacks were sponsored by Middle Eastern criminal organizations that reportedly have the backing of Hamas.

My colleagues Lawrence Orans, John Pescatore, and Anthony Chuvakin have written research on how best to defend against DDoS attacks that I encourage everyone to read. Enterprises and financial institutions also need to step up fraud prevention efforts and intelligent security monitoring. Mark Nicolett and I have a research note on this latter subject coming out shortly titled “Mitigating Breaches with Real-Time Discovery.”

At some point, it may take an all out offensive to take down the cyber-attackers. Some of them may be more dangerous than others. But just as relative amateurs wreaked havoc on a region by launching inaccurate missiles out of the Gaza Strip, even amateur cyberattackers create enough noise to be at best troublesome and at worst dangerous. I don’t think it’s wise to dismiss any of them. For now, they are still out there and operating, and haven’t signed any ceasefire agreement.
