Stumbling in the Dark

Why do so many security problems stay hidden for so long? Even when big money is involved nothing seems to be done differently, and all too often a breach is discovered only by accident.
Consider one example, the hacking of the US-based discount retailer group TJX. It's not unusual. To summarize, TJX was hacked by a group headed by the now famous hacker Albert Gonzalez. Using simple war driving, they found an unsecured wireless router at a Miami store and used it to set themselves up inside the TJX network. Once inside, they stole at least 45.6 million customer credit card records and sold them to third parties; some estimates put the number as high as 94 million. We know the direct financial impact on the company was huge. The retailer set aside $118 million just to cover costs and potential liability arising from the breach, and subsequently used $40.9 million of that to settle a lawsuit brought by banks that had absorbed the fraud losses from the cards Gonzalez's group sold.
There are three standout facts about this case.
1. The breach lasted 17 months.
For seventeen months these guys walked around inside the TJX network, systematically looting its customers' credit card data, and nobody noticed. Not IT staff, not a security manager, not a single soul. No one.
2. Insiders were involved.
At least some of the stolen data was encrypted and was later decrypted, which probably needed keys or access supplied from inside. Fat lot of good a firewall is when there's an insider.
3. Visibility on TJX’s side was almost zero.
More than 50 experts brought into TJX after the breach was discovered reached few firm conclusions. Either nothing was being logged, or the hackers simply deleted the logs as they went, which would make point one even more of a standout: nobody noticed the systematic removal of logging information.
You would hope this is a case of gross incompetence, but every time the details of a major intrusion come to light the same patterns are repeated.
It reminds me of a story a friend of mine tells. He has an older brother who used to go out drinking when they were younger and still living at home. When he stayed out later than he was supposed to he would try to sneak into the house without turning the lights on. He would use the side window, but unfortunately for him the window had those early venetian blinds, which, if you've ever lived with them, are very noisy when you bash into them. To make things worse his parents collected antiques and had a lot of furniture cluttering the room. So his chances of getting in without waking the whole household were practically nil.
The whole problem could have been solved by one thing: turning the light on.
If you expect to spot hacking activity in your network with the lights out, you're kidding yourself.
How much do you think TJX would have had to spend to get a proper logging solution? I'll bet you anything it would be less than the $40.9 million they subsequently handed over to the banks.