data breach skull

NED Cybersecurity Report Part 3: Once More Unto The Breach

Feb. 10, 2016
This exclusive series examines what you should know about cyber security in 2016, from the threats to defenses. This chapter focuses on breaches.

In part one of this report, Scott Harrell, Vice President of Product Management for Cisco’s Security Business Group, warned that when it comes to network breaches, “You need to assume that even if you have the best defenses in the world, sometimes people are going to succeed.”

When the security expert says no defense is impenetrable, it shouldn’t deter you from deploying the best defense you can. It should, however, make you reevaluate your network architecture.

Securing digital resources isn’t all that different from securing your company’s physical space. Your facility is probably broken up into departments, such as accounts payable or shipping and receiving. The former may be separated further into cubicles, while the latter is an austere box near the loading dock. Elsewhere are executives’ offices and custodial closets.

Everything is broken up, with walls and doors and locks keeping it all that way. It’s probably all not one big room.

A random delivery driver may be able to enter through the loading dock and enter the building, but can he make it to the president’s office and start posting on his Facebook page? Probably not, because that would be crazy.

Look at your network the same way.

“You need to control lateral movement,” says Harrell, stressing that software-defined segmentation is the best way to isolate and protect your most critical assets, such as industrial robots or production line controls.

Segmentation may not keep every jerk out of your building, but it will sequester him in the lobby, so he can’t break into research and development to take a look at your latest innovation.

If you don’t have the proper policies in place to segment your network, a minor breach can turn into a full-scale invasion.

“If I’m an adversary and I get a hold of one node, I can generally move around your network at free will,” Harrell says.

That’s exactly what happened during the infamous Target breach in 2013.

That summer the Minneapolis-based retailer began installation of a $1.6 million malware detection system from FireEye. Fast forward to the week before Christmas, and the giant retailer announced it had become one of the biggest marks in cybercrime history.

An estimated 40 million credit card numbers and 70 million other pieces of personal data, such as addresses and phone numbers, were stolen during the post-Thanksgiving shopping blitz.

Starting on Nov. 30, any time someone swiped their card at a point of sale terminal, a malware program ushered their info to a pirated Target server. These acted as holding cells for the data until the thieves could wire the data to Russia.

Before the hackers received the data, the third-party monitoring team in Bangalore detected the intrusion and notified Target’s security team. Then the system located which servers were hijacked, and FireEye sent more alerts with escalating urgency, Bloomberg Businessweek reports.

According to auditors, the automated function that would have deleted the malware was turned off. That wouldn’t have been so bad if the security team heeded the alerts. Instead, on Dec. 2, the credit card info was delivered to Russia. The F.B.I. informed Target of the breach on Dec. 15, and the public found out four days later.

It was later discovered the malware entered through a compromised thermostat from a third-party HVAC vendor that monitors the big box stores’ environments.

However the malware entered the system, it shouldn’t have had access to the entire castle, explains Tyler Cohen Wood, cyber security adviser for Inspired eLearning, a security awareness and compliance training center.

“You need to have a strong monitoring policy, making sure you don’t have unnecessary devices connected to your crown jewels,” says the former senior intelligence officer for the Defense Intelligence Agency.

“There’s no reason HVAC devices should have been a hopping point into point of sales machines.”

Target paid a huge price for its failure. The Wall Street Journal reported the retailer doled out $67 million to Visa card issuers and another $10 million to the individual victims.

“Target is one of the countless organizations that have been breached in the last two years,” Wood notes. Among them are JC Penney, Neiman Marcus, and Home Depot, the latter of which broke Target’s record of credit cards stolen by 16 million, although it took five months.

The more connected we are, the more at risk we become.

Before you think this could never happen to your company, Wood points out "a lot of companies never even know they’ve been breached.”

Verizon's 2015 Data Breach Investigations Report calculates that exposing 10 million records in a breach could cost a company 2.1 to $5.2 million.

Children’s electronics manufacturer VTech admits that last November’s breach was revealed to them by Motherboard. The man who claims responsibility alleges it was an act of hacktivism, as VTech’s websites, and thus millions of parents' and children’s personal information and photos, were vulnerable to a well-known, and therefore preventable, hacker trick known as a SQL injection. He was merely trying to shed light on those weaknesses.

If your company gets hacked, your attackers probably won’t have such altruistic motives.

Verizon's 2015 Data Breach Investigations Report calculates that exposing10 million records in a breach could cost a company $2.1 million to $5.2 million.

Unless you work for a giant company that can handle losses in the hundreds of millions, along with a pummeled reputation, a breach could end your company, putting you, your co-workers, and your respective families at risk.

The cybercrimes spoken about so far have been financial in nature. The criminals themselves are the bank robbers and pick-pockets of the virtual world.

If those were the only threats out there, President Obama’s administration would not have pledged $19 billion in cybersecurity for the fiscal year 2017 budget, a spending increase of 35% from 2016. This includes cybersecurity training for 1.4 million small businesses.

There are worse crimes out there than identity theft. The Target breach showed how the Internet of Things could be turned against a company to affect tens of millions of people. That’s one retailer over one weekend.

The IoT links everything from home automation to power plant operation, creating an attack surface that surrounds us in nearly every part of our lives. What type of damage can a truly malicious cyberterrorist, or enemy nation-state, cause?

In part 4, we’ll explore the multitude of ways the Internet of Things will totally lead to Armageddon and why you should start packing your bug-out bag right now.  For people not into overreacting, we’ll also cover how to responsibly improve your cyber security measures so we can leverage the IoT to improve the planet.

Keep reading our special series on cyber security with Part 4: How I Learned to Stop Worrying and Love IoT