Hack-and-Patch Dispatch Number 328 from Cyber Secure Institute; Network Solutions Breach Shows Cybersecurity Weakness of Financial Sector

Today, Rob Housman, Executive Director of the Cyber Secure Institute, a research and advocacy firm, released this statement: “Last Friday Virginia-based web services provider Network Solutions disclosed that it was investigating a data breach on its servers. The breach may have led to hackers stealing the credit card data of over 573,000 people who made purchases on Web sites hosted by the company.

“The firm notified 4,343 (nearly half) of its e-commerce merchants on Friday that hackers had broken into Network Solutions servers that handle Web site hosting and payment processing and siphoned off personal information. In addition to contacting the merchants, Network Solutions has also offered to contact individual customers and offer them a year of free credit-monitoring service.

“The data stolen was from transactions completed from March until the discovery on June 8th. The hackers left behind mysterious code, which allowed them to intercept the data from Network Solutions servers and divert it to outside servers.

“In a statement on the company’s Web site, Network Solutions’ spokeswoman Susan Wade said, ‘We feel terribly about it, to burden them with the notification process, which can be kind of tricky because there is no one federal data breach statute.’

“This is just the latest example of data compromises. The retailers who were impacted in this attack were small to medium size online retailers, whose reputation could be severely impacted by this breach. People inherently trust larger online retailers such as Target or Amazon, but it is the small to medium retailers who stand the most to lose, through no fault of their own.

“Network Solutions notes that it was PCI-compliant at the time of the breach. This underscores the inherent inadequacies of today’s cybersecurity standards, like PCI-compliance. With lowest common denominator standards that are largely process-, not results-, oriented, being compliant does not mean that a system is secure. Specifically, it reflects the weaknesses in the PCI system—a system that millions of Americans rely upon to process their credit and debit card transactions at online retail sites.

“What is most disturbing is that these types of attacks are now entirely preventable.

“There is a new breed of inherently secure technologies that are now coming to the market. These technologies, such as those offered by Integrity Global Security and Tenix, are certified secure by the NSA against even hostile and sophisticated attacks, even with the source code. Such technologies could have prevented this attack and countless other serious breaches that we have seen in the past few years.

“The financial sector in particular needs to replace at-risk, hack-and-patch technologies with inherently secure systems. New cyber standards are needed and they must reflect that inherently secure technologies are now available, and they need to drive the adoption of such technologies. If the industry is incapable of addressing this threat, then the government needs to step in and drive security.

“Until higher standards are implemented or existing secure technologies are used, we are all at risk when it comes to e-commerce.”

For more information about the Cyber Secure Institute: www.cybersecureinstitute.org