The former CISO at online auction giant eBay said that a major security offensive at the company has cut fraud by 90 percent and led to 3,000 arrests globally. (Guest Post By Paul Roberts)
Dave Cullinane told an audience of senior security executives meeting in Cambridge, Massachusetts, that a multi-year security makeover at eBay reduced the rate of fraud at the Web-based auction firm by 90 percent and has led, directly or indirectly, to 3,000 arrests globally in connection with a number of scams over the past three years.
Cullinane declined to spell out where the arrests took place, though many were outside the U.S. He said increased spending on IT security staff and programs, including cyber intelligence and botnet detection, helped to thwart attacks against the marquee Web firm and provided crucial information that law enforcement could use to build cases.
Despite the company's success on the security front, however, Cullinane said that the situation facing most companies is "scary," with targeted attacks moving down-market from large multinationals to small businesses. At the same time, executives are dangerously uninformed about the risks their companies face online, including targeted "spear phishing" attacks, sophisticated malware and hacktivist-inspired attacks by groups such as Anonymous.
"Get paranoid," Cullinane told the gathering of the Information Systems Security Association (ISSA) in Cambridge on Thursday. "This is happening to you, not just eBay or Boeing."
Cullinane served as CISO at eBay Inc. from December 2006 until May of this year. He has a long career in the IT security sector and served for five years as CISO of Washington Mutual, the disgraced savings and loan, before joining eBay in 2006. The collapse of his former employer was a prime example of the dangers that await companies that mismanage their risk, he said.
He described eBay as one of the top online targets for cyber criminals of all stripes. With 180,000 servers and 25 major platforms, eBay's online footprint is enormous. Until recently, he said, it was also highly susceptible to attack, with a Byzantine application infrastructure and poor visibility into malicious activity occurring within the company's network.
In recent weeks, the venerable dot-com has become a Wall Street darling after posting strong financial results. eBay's revenue for the second quarter of 2012 was up 23 percent from the same quarter last year, to $3.4 billion, the company announced on July 18.
Cullinane described a similar makeover in eBay’s security operation. In his time as eBay's chief security officer, Cullinane more than quadrupled the company's IT security budget from $10 million annually in 2006 to $48 million annually in 2011, he said. He said he was able to increase spending by tying security investments to the company's core business, and showing the "business value" of security by sketching out the real cost of breaches and other incidents to the organization.
The business impact of events like data breaches is much greater than it once was, Cullinane said, because public expectations of corporations are higher. However, even small investments in security and resiliency can have an outsized impact on a company's exposure to risk, he said.
In recent years, eBay has invested in botnet detection software from companies like FireEye and Damballa, Cullinane said. But it has also undertaken more far-reaching programs to reduce its risk: jettisoning legacy code and shifting to an agile development model with security built in from the ground up. His greatest accomplishment in reducing risk, however, was convincing eBay executives to sign off on a program to move five major company data centers out of facilities located on a major fault line in California, he said.
All the same, the company faces a constant stream of attacks, including large-scale denial of service attacks and sophisticated, targeted attacks designed to harvest information on company employees and obtain proprietary source code, Cullinane said. Scams directed at eBay customers, many of them abusing the company's good name, are harder to snuff out and pose a reputational risk to eBay, Cullinane said. The company has forged relationships with the U.S. Secret Service and equivalent law enforcement agencies in Europe and Asia to crack down on international scams, like one involving bogus sales of used automobiles that claim to be covered by eBay's Vehicle Protection Program. That scam is estimated to net its operators $1 million a day in illicit profits, he said.
In his advice to the audience of information security professionals, Cullinane, who now serves as CEO of the firm Security Starfish, based in Livermore, California, said that IT security executives need to have more regular conversations with senior management and board members about the information risks facing their organization. "The CEO and CFO are your greatest allies," he said. "But they shouldn't be hearing about a breach at your company from the press. They should be hearing it from you."
"CISOs are in a tough position," said Julie Lockner of the firm Informatica, of Cullinane's speech. "If they don't do a good job letting management know what the investment-risk breakdown is and a breach happens, it's their job on the line."
The former eBay executive also called on the ISSA audience and the security community to do more to share information and expertise, especially with small businesses, which are increasingly the target of sophisticated and targeted attacks.
"SMBs are at a huge disadvantage," he said. "We in the community need to help them by sharing information and giving them someone to call in a crisis who has been there before and help them out."