FICO Hacks Itself to Prevent Cybercriminal Attacks

Photograph by Peter Parks/AFP/Getty Images

Vickie Miller is trying to break into FICO’s computer network, whose hundreds of servers store essential data for Visa, MasterCard, and many other large corporations and banks.

Don’t mistake this for hacking. Miller is the security director at FICO, the credit-scoring company. She’s using an approach to computer security called penetration testing, which lets her scour a digital map to find ways to break into her own company’s data before a cybercriminal can. “We knew we needed, as aggressively as possible, to be able to find our weaknesses and fix them before anybody else does,” Miller says. “We had been focused on defending and responding. I knew we could do better.”

As the costs of data hacks surge—the average loss is $5.5 million—and information thieves become better-funded and more coordinated, FICO and companies from EBay to Peet’s Coffee & Tea are expanding efforts to prevent attacks. They’re feeding a market for data-vulnerability management that may grow to almost $1 billion in 2016, from $400.5 million in 2011, according to consulting firm Frost & Sullivan. That benefits companies such as Core Security Technologies and Rapid7.

By anticipating hacks, instead of just monitoring and reacting to suspicious activity, businesses are trying to avoid becoming the next Sony, where an attack compromised more than 100 million customer accounts last April in the second-largest online data breach in U.S. history. “Some of the mega-breaches are likely to become more common,” says Larry Ponemon, founder of the Ponemon Institute, a Washington-based privacy and data-protection research group. “The cybercriminal has more tools at their disposal.”

Miller’s servers at FICO include data from 90 of the 100 largest financial institutions in the U.S., as well as more than 150 health-care and science companies—data that, if lost, could cost the company its credibility. She started using a Core Security penetration testing tool in the fall and met with FICO’s chief executive officer last month to strategize further.

The kind of hacking simulation done by Boston-based Core Security used to rely on employees’ experience to find ways into a system. The security company later invented a way to automate the process with a product called Insight. As it did in the simulation at Minneapolis-based FICO, the program brings up a virtual map of the computer network, then runs multiple paths to enter what the company says are the most important servers. It then highlights a route to any weak server in red, helping the company’s security block it. “The companies tell us, ‘These machines have my customer data on them—see if you can attack any of those,’” says Jay Schiavo, who helped develop the product, set to be updated this spring. “The way we’re getting to the network is very similar to what attackers are doing out there.”

Backupify, a 30-employee startup, forked over more than $10,000 for a penetration test in January from Rapid7, Core’s closest competitor. Cambridge (Mass.)-based Backupify, which offers backup storage for businesses, says its customers were demanding the tests. “They’re asking more and more pointed questions,” says Ben Thomas, Backupify’s vice president of products and security. “The worst thing that could happen is a compromise and the negative press that could come with that.”

Companies weren’t always so eager to hack themselves, says H.D. Moore, chief architect of the Rapid7 penetration test. Clients that once considered the tests dangerous because they can trigger outages in fragile servers are starting to realize that disruptions are better caused internally than externally. Alternative prevention methods include gathering reams of data and finding hackers in the early stages of a probe. International Business Machines reviewed 13 billion data events each day in 2011 to find cybercrime trends. Juniper Networks now has a service that places fake weaknesses into a network and alerts a user to block potential hackers that trip the traps.

Figuring out what’s going on in the hacking world is the trick to preventing it, security providers say. Sometimes that means hiring people who have spent time in that world. Kyle Adams, who started infiltrating servers when he was 10, joined Juniper through the company’s acquisition of Mykonos Software, announced in February. Adams was initially motivated just to see how far inside a computer he could get and determine how clever he was.

Then he saw the hacking community change. What had seemed to him a fun game started to look more and more criminal. He met people buying and selling viruses and hacked information in online markets, spending weeks in a network to coordinate an attack. Some specialize in websites, while others master business logic or network design. They share and sell their experience and knowledge, adapting faster than the corporate security experts seeking to thwart them, Adams says.

Some companies view security as a matter of protecting themselves against attacks that are already known or have occurred to other businesses. That’s not enough, Adams says. A hacker spends an average of nine months hovering and planning before attacking, and an increasing number of them are sponsored by countries, he says. “You have a culture that is defending against an enemy they don’t understand,” Adams says in an interview. “The other side will keep getting smarter.”

The $5.5 million cost outlined by the Ponemon Institute is the average for breaches of 1,000 to 100,000 records. It includes direct costs, such as hiring an attorney, and indirect costs, like losing customers or failing to acquire new ones. It doesn’t include the value of the information that may have been stolen.

Steve Robinson, a vice president of development, strategy, and product management at IBM, says preventive tools let his customers be more strategic about which data they protect. Some are adding chief information-security officers to the executive lineup. “We’re very used to protecting money and financial capabilities, but it’s really the data that is a major risk,” Robinson says.

Miller at FICO says her chief financial officer has a risk-management practice that does internal audits and helps her decide what servers to target using Core’s technology. “You focus your risk treatments on protecting what’s valuable, instead of trying to protect everything—and ultimately nothing,” she says.

    Before it's here, it's on the Bloomberg Terminal.