Kevin Beaver is a consultant with Atlanta-based Principle Logic LLC (www.principlelogic.com). He has authored/co-authored 11 books on information security, including Hacking for Dummies, Implementation Strategies for Fulfilling and Maintaining IT Compliance, and the Security on Wheels audio books and blog (www.securityonwheels.com). Follow him on Twitter, @kevinbeaver or connect to him on LinkedIn.
You’ve no doubt heard about last year’s Target data breach that exposed millions of credit card numbers and personal records of the retailer’s customers. It’s perhaps the security incident of the decade – at least until the next big one occurs. The Target breach has not only impacted many of us personally, it has also created enormous – and much-needed – visibility for information security among business executives. I can imagine just a few days before the incident was detected, Target Chairman and CEO Gregg Steinhafel had no idea of the firestorm he was about to face. But it happened and now it’s on practically every CEO’s radar.
Here’s a high-level recap of the Target breach based on what’s currently known:
- It started with a phishing attack against Fazio Mechanical Services, Target’s refrigeration contractor – that was apparently using the free Malwarebytes Anti-Malware software that failed to protect it against the ensuing malware.
- Login credentials issued by Target to Fazio Mechanical Services were obtained by the criminal hackers, which gave them subsequent network access (via a Web portal) into the Target environment.
- Point-of-sale (POS) malware – presumably the BlackPOS available for purchase online – was uploaded to POS systems at Target stores and used to scrape credit card information and related information directly from the memory of the POS computers right after a payment card is swiped.
Generally speaking, it was a textbook security breach with the small twists of compromising a business associate first and then using memory scraping malware to capture sensitive information where it only exists for a relatively short period of time.
Fazio Mechanical Services’ statement on the Target breach says “Our IT system and security measures are in full compliance with industry practices”. Good to know. Wait, what does that mean? Nothing really. In fact, we hear this in the context of PCI DSS quite a bit: everyone is “compliant” until the point of breach. Target was compliant. Fazio was compliant. Everyone’s compliant until they learn they’re not.
In other words, all’s well in IT until something bad happens. But why? This is a double-edged sword. IT and/or the security team at any given retailer is responsible for the day-to-day protection of sensitive information. They’re also responsible for properly communicating the organization’s security status to management. The executives, in turn, are responsible for translating what they hear and making informed decisions on business risk. Based on what we’re seeing with the Target breach and others, this rarely happens. If this communication/decision-making process were truly effective like so many other aspects of business (e.g. finance and legal), then better decisions would be made and security incidents like this would occur less often.
A recent survey by AccessData and the Ponemon Institute found that 36 percent of IT security pros would tell the CEO and board of directors that a cyberattack had been resolved even if they didn’t know that it had been. I understand the concept of “CYA” but talk about a conflict of interests! It’s as if everyone is doing whatever is best for them and not the business.
Knowing that mega corporations like Target can be hit this hard, it’s a great time to take a clean slate approach to information security. Understanding the Target facts, what would you do more of? Less of? Unless you want to eventually fall victim yourself, here are three critical steps you need to take starting today to not just have a “compliant” network but a resilient network that can weather such storms:
Determine who’s in charge of security and make sure they’re actually in charge.
This may be several people, including your CEO, CIO, CISO, IT director, security manager, legal counsel, compliance officer, and HR director. The concept of bystander apathy – where everyone assumes the other guy is going to do something – is rampant in business today. Many people are afraid to take responsibility for information security because their heads are on the chopping block. Look for people who are willing to step up, give them the resources they need, and let them do what they’re good at – which should be communicating what’s at stake in terms that others can understand in order to minimize information risks.
Document response procedures.
In over 12 years of performing information security assessments, I’ve seen two (yes, two) businesses that had a security incident response plan. Like life insurance, seat belts, and other “security niceties” that some feel nonessential, an incident response plan will enable you and your business to detect and respond to security breaches in a much more expedient and professional fashion. Apparently, Target discovered the breach relatively quickly. How quick is your response going to be?
Decide what constitutes an “incident” (e.g. a malware infection and subsequent credit card breach), then determine the people and steps that need to be taken to properly respond. An incident response plan won’t help prevent a breach, but it will help you minimize the impact of a breach, and that’s what matters the most.
Go beyond your security policies and implement the right tools to bring things full circle.
Most security policies are like New Year’s Resolutions: they’re worthless about 10 days after they’re written down. If you’re going to effectively minimize your information risks, you have to know what you’ve got, understand how it’s at risk, and implement reasonable technologies to ensure everything is kept in check. I suspect we’ll continue to see that Target was remiss in all three of these areas. Most businesses are.
Never ever forget my favorite information security saying: you cannot secure what you don’t acknowledge. In the context of the Target breach, if you don’t a) acknowledge how your vendors treat security and interact with your network, b) know how information flows through your network, c) account for the people and system processes that access large volumes of sensitive information, d) understand what tools are necessary for locking down sensitive information (even if it’s stored in a computer’s memory for mere seconds), and e) proactively monitor your environment, a breach will eventually occur. And, like many breaches today, you may never even know about it until a third party tells you it happened.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 24 years of experience in the industry, Kevin specializes in performing independent IT security vulnerability assessments of networks, computers, and applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.