By now, we’ve all read and digested the news about the December 2013 Target breach. In the largest breach in history at that time and the first of many sensational headlines to come, somebody stole 40 million credit card numbers from Target POS (point of sale) systems. We’ll probably never know the details, but it doesn’t take a rocket scientist to connect the dots. Russian criminals stole credentials from an HVAC contractor in Pennsylvania and used those to snoop around the Target IT network. Why Target failed to isolate a vendor payment system and POS terminals from the rest of its internal network is one of many questions that may never be adequately answered in public. The criminals eventually planted a memory-scraping program onto thousands of Target POS systems and waited in Russia for 40 million credit card numbers to flow in. And credit card numbers would still be flowing if the banks, liable for fraudulent charges, hadn’t caught on. Who says crime doesn’t pay?
It gets worse – here are just a few recent breach headlines:
- Jimmy John’s Pizza
- Dairy Queen
- Goodwill Industries
- Sally Beauty
- Neiman Marcus
- P.F. Chang’s
- Home Depot
And that’s just the tip of the iceberg. According to the New York Times:
The Secret Service estimated this summer that 1,000 American merchants were affected by this kind of attack, and that many of them may not even know that they were breached.
Every one of these retail breaches has a unique story. But they all have one thing in common: somebody was asleep at the switch.
In a few cases, the POS systems apparently had back doors allowing the manufacturer remote access for support functions. Think about this for a minute. If a manufacturer can remotely access a POS system at a customer site, that POS system must somehow be exposed directly to the Internet or a telephone line. Which means anyone, anywhere in the world, can also remotely access it.
Given the state of IT knowledge among small retailers, the only way that can happen is if the manufacturer or somebody who should know better helps set it up. These so-called “experts” argue that the back doors are obscure and nobody will find them. Ask the folks at Jimmy John’s and Dairy Queen how well that reasoning worked out. Security by obscurity was discredited a long time ago, and trying it now is like playing Russian Roulette.
And that triggers a question. How does anyone in their right mind expose a POS system directly to the Internet? I want to grab these people by the shoulders and shake as hard as I can and yell, “WAKE UP!!”
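The two failure patterns above (a flat network where a vendor account can wander over to the POS terminals, and a POS terminal with a remote-support service reachable from the Internet) can be caught with a plain policy check before anyone has to learn about them from a bank. The following script is an added example, not code from the original post or from any of the retailers named; the zone names, port numbers and rulebases are constructed to mirror the situations the post describes. It models an ordered, default-deny firewall rulebase, probes every zone pair on a handful of ports, and reports any path into the POS segment or any path out of it that does not go to the payment processor.

```python
"""Zone-based segmentation check for a retail network (added example).

Zones, ports and rulebases below are constructed for illustration; they
are not taken from any real retailer's network.
"""
from dataclasses import dataclass
from itertools import product

ANY = "*"  # wildcard for a zone or a port


@dataclass(frozen=True)
class Rule:
    src: str       # source zone name, or ANY
    dst: str       # destination zone name, or ANY
    port: object   # TCP port number, or ANY
    action: str    # "allow" or "deny"


def decide(rules, src, dst, port, default="deny"):
    """First matching rule wins, as in an ordered firewall rulebase."""
    for r in rules:
        if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, ANY):
            return r.action
    return default


# Hypothetical zones: the Internet, the HVAC-style vendor's access, the
# corporate LAN, the POS terminals, and the card payment processor.
ZONES = ["internet", "vendor", "corp", "pos", "payment_processor"]

# Constructed sample of ports worth probing (SSH, HTTPS, RDP, VNC, alt-HTTPS).
PROBE_PORTS = [22, 443, 3389, 5900, 8443]


def segmentation_findings(rules, probe_ports=PROBE_PORTS):
    """Return human-readable findings; an empty list means the rulebase passes.

    Two invariants are checked:
      1. nothing may open a connection *into* the POS zone (POS initiates);
      2. the POS zone may only talk *out* to the payment processor.
    """
    findings = []
    for src, dst, port in product(ZONES, ZONES, probe_ports):
        if src == dst or decide(rules, src, dst, port) != "allow":
            continue
        if dst == "pos":
            findings.append(
                f"{src} -> pos:{port} is reachable; POS terminals must not "
                f"accept inbound connections from {src}")
        elif src == "pos" and dst != "payment_processor":
            findings.append(
                f"pos -> {dst}:{port} is allowed; card data could leave the "
                f"POS segment by this path")
    return findings


# Rulebase 1: a flat network, every zone reaches every other zone.
FLAT_NETWORK = [Rule(ANY, ANY, ANY, "allow")]

# Rulebase 2: POS isolated from corp, but a vendor remote-support service
# (constructed here as VNC on 5900) is exposed straight to the Internet.
EXPOSED_POS = [
    Rule("internet", "pos", 5900, "allow"),
    Rule("pos", "payment_processor", 443, "allow"),
]

# Rulebase 3: segmented. The vendor only reaches the corporate systems it
# needs; POS speaks only to the processor; explicit denies close the rest.
SEGMENTED = [
    Rule("vendor", "corp", 443, "allow"),
    Rule("pos", "payment_processor", 443, "allow"),
    Rule(ANY, "pos", ANY, "deny"),
    Rule("pos", ANY, ANY, "deny"),
]


if __name__ == "__main__":
    for name, rules in [("flat", FLAT_NETWORK), ("exposed", EXPOSED_POS),
                        ("segmented", SEGMENTED)]:
        found = segmentation_findings(rules)
        print(f"{name}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run it as a script to see the three rulebases scored side by side: the flat network produces a finding for every probed path in and out of the POS zone, the exposed-POS rulebase produces exactly one (the Internet-facing support port), and the segmented rulebase produces none. The same check can be pointed at an exported rulebase from a real firewall once the zone names are mapped.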
The Home Depot story may be the worst. Talk about the fox guarding the chicken coop! According to several articles, including this one from the New York Times, the very engineer Home Depot hired to oversee security systems at Home Depot stores was himself a criminal who had sabotaged the servers at his former employer. You can’t make this stuff up. Quoting from the article:
In 2012, Home Depot hired Ricky Joe Mitchell, a security engineer, who was swiftly promoted under Jeff Mitchell, a senior director of information technology security, to a job in which he oversaw security systems at Home Depot’s stores. (The men are not related.)
But Ricky Joe Mitchell did not last long at Home Depot. Before joining the company, he was fired by EnerVest Operating, an oil and gas company, and, before he left, he disabled EnerVest’s computers for a month. He was sentenced to four years in federal prison in April.
Somebody spent roughly 6 months inside the Home Depot network and stole 56 million credit card numbers before the banks and law enforcement told Home Depot about it. And that sums up the sorry state of security today in our corporate IT departments.
I’m picking on retailers only because they’ve generated most of the recent sensational headlines. But given recent breaches at JP Morgan, the US Postal Service, the US Weather Service, and others, I struggle to find a strong enough word. FUBAR maybe? But nothing is beyond repair.
Why is security in such a lousy state? Home Depot may provide the best answer. Quoting from the same New York Times article:
Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”
Great. Just great. What do we do about it?
My answer – go to the top. It’s up to us IT folks to convince CEOs and boards of directors that IT is an asset, not an expense. All that data, and all the people and machines that process all that data, are important assets. Company leaders need to care about its confidentiality, integrity, and availability.
That probably means spending money for education and training. And equipment. And professional services for a top-to-bottom review. Where’s the ROI? Just ask some of the companies on the list of shame above about the consequences of ignoring security. The cost to Target for remediation, lost income, and shareholder lawsuits will be billions of dollars. The CEO and CIO lost their jobs, and shareholders mounted a challenge to replace many board members.
Granted, IT people speak a different language than you. Guilty as charged. But so does your mechanic – does that mean you neglect your car?
One final plug. I wrote a book on this topic. It’s a fiction story ripped from real headlines, titled “Bullseye Breach.” You can find more details about it here.
“Bullseye Breach” is the real deal. Published with Beaver’s Pond Press, it has an interesting story with realistic characters and a great plot. Readers will stay engaged and come away more aware of security issues. Use the book as a teaching tool. Buy a copy for everyone in your company and use it as a basis for group discussions.
(First published Dec. 10, 2014 on my Infrasupport website. I backdated here to match the original posting.)