Major Network Security Breaches: One Way to Get Business Press
Many companies that I’ve worked for greatly desired business press, specifically media coverage beyond the more typical industry press (think Network World). Landing on the cover of a business publication: now that would be a major win! But if you are Target, the cover story of Bloomberg BusinessWeek might not be what you wanted.
Actually, the high-profile Target breach serves as an example and reminder for everyone in information security of what can happen. There are a lot of things organizations can do to harden their networks against intrusions and attacks, and to be ready for the day an adversary decides to attack.
Target’s CEO mentioned compliance in a statement, specifically PCI compliance. He said, “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach.” While PCI DSS is a good baseline of controls for reducing risk in an organization, being compliant does not mean you are secure: a certification is a point-in-time assessment against a checklist, not evidence that the controls stop a real attacker. I don’t think many people equate PCI compliance with an assurance that you will never suffer a breach, but it’s important to say plainly that compliance does not equal security. PCI compliance does help, though, by asking good questions that can lead to a more robust security program.
We see the rapid introduction of new security technologies as defenses strive to keep up with attacker innovation. In fact, venture investment in security has been white hot lately, with investments in 2013 at near record levels ($900 million versus $663 million in 2012).
When it comes to Target, they were working with state-of-the-art security. The Bloomberg BusinessWeek article noted Target’s use of a product from FireEye, an innovator in sandbox technology used to identify new attacks that have not been seen before. FireEye’s recent successful IPO and industry buzz back up the claim that this was state-of-the-art security. Target was working with such technology, but still fell victim to one of the largest data breaches ever recorded.
And then there is the attack itself. The tools used in the attack were not particularly new or innovative. The attack didn’t use the most advanced techniques that would draw a crowd at DEFCON. They were what someone at McAfee called “absolutely unsophisticated and uninteresting.” It’s kind of amazing that one of the largest data breaches ever was carried out with what might be considered less than state-of-the-art attack tools.
We strive to put compliance mandates in place, and hurry to deploy state-of-the-art security to stay a step ahead of our adversaries and attackers. However, this can sometimes create a false or misguided sense of being secure, or an uncertainty about how well any of it will actually work. And when, despite all of this effort, the attackers’ “absolutely unsophisticated and uninteresting” attacks succeed, we’re left asking what we should do better. I’d like to suggest that organizations consider doing more real-world testing of their devices, systems, and responses to attacks.
In the case of Target, how much testing and assessment was done to make sure the devices and systems put in place to help achieve PCI compliance were actually effective? When they began evaluating and deploying new state-of-the-art security, how much real-world testing and assessment was performed against it? Current security testing is fairly comprehensive on attacks and attack techniques, and covers “unsophisticated and uninteresting” techniques as well as much more. If you are still uncertain about security testing and assessment, it might be a good time to give it a closer look.