In recent years, the threat posed by malware has grown significantly. Businesses in virtually every sector must now invest in high-quality cybersecurity solutions in order to protect their networks from increasingly sophisticated, determined hackers.
Unfortunately, many firms' current efforts in this capacity are not sufficient, as recent events highlighted. The Department of Homeland Security announced that a new malware program, known as Backoff, affected more than 1,000 American businesses, resulting in millions of incidents of stolen payment card data. The scope and damage wrought by Backoff put into perspective the need for companies to implement superior cybersecurity measures. Static code analysis can and should play a key role in such efforts.
A widespread attack
As The New York Times noted, the DHS announcement revealed that Backoff caused much greater damage than was initially believed. While initially industry experts presumed that only a small number of organizations were affected, later investigations proved that Backoff had successfully attacked at least 1,000 companies, including such major firms as Target and UPS stores.
Backoff first gained attention in late July, when the DHS, Secret Service and National Cybersecurity and Communications Integration Center recommended that companies conduct thorough analyses of their cash register systems, just in case Backoff had managed to gain access to these networks. As the news source pointed out, antivirus programs were unable to identify this malware. This lack of detection allowed hackers to steal millions of customers' credit card data with impunity until affected companies implemented countermeasures.
The nature of the malware
As The New York Times explained, hackers regularly use malware to scan corporate systems in search of remote access opportunities, effectively using these third-party networks as stepping stones to their actual targets. When successful, the cybercriminals than use computers to guess usernames and passwords, until they eventually gain access to the corporate network. At this point, the criminals can steal payment card data, which in turn can be used for fraud or sold on the black market.
A big part of the problem is the nature of payment card technology, as Avivah Litan, a security analyst for Gartner Research, told the news source.
"The weakness is the magnetic stripe. I can buy a mag stripe reader on eBay and easily read all the data from your credit card," said Litan, The New York Times reported. "It's an antiquated technology from the '60s."
Europay-MasterCard-Visa, the new chip-based smart card standard, makes it far more difficult for hackers to counterfeit, and therefore could provide a lot more security for companies and consumers. However, while the credit card industry established a deadline of October 2015, the source noted that many industry observers expect the majority of retailers to miss this date, due to the cost of upgrading payment terminals.
The Backoff malware program is particularly dangerous because it cannot be detected via most traditional antivirus efforts. The DHS therefore recommended that retailers contact their service providers, antivirus vendors and cash register system vendors directly to determine whether their systems have been compromised.
Additionally, during its July advisory, the Secret Service and DHS urged companies to engage in both two-factor authentication and data encryption. The former strategy requires employees to use a one-time password in conjunction with their normal credentials, which can thwart malware programs' data-theft efforts. Encryption offers further protection by making customer data unusable to hackers who gain access to the corporate network.
However, to truly protect themselves and their customers from the threat posed by hackers, companies need to go even further in their cybersecurity efforts. Specifically, they should embrace solutions that can dig even deeper and provide more robust protection. For example, static code analysis tools can identify security holes within the code itself. This allows companies to recognize potential vulnerabilities before they are leveraged by hackers, delivering a more proactive approach to cybersecurity and data protection.
Beyond decreasing the risk of a data breach, static code analysis tools also can help retailers and other companies to ensure they remain in compliance with all relevant industry standards, both now and well into the future. As data breach events become increasingly commonplace and damaging, it is likely that industry standards will toughen, adding greater importance to such compliance efforts.