Written By Chuck Leaver Ziften CEO
Whatever you do don’t ignore cyber security criminals. Even the most paranoid “typical” person would not stress over a source of data breaches being stolen qualifications from its heating, ventilation and a/c (HEATING AND COOLING) specialist. Yet that’s exactly what took place at Target in November 2013. Hackers got into Target’s network utilizing credentials provided to the specialist, probably so they could track the heating, ventilation and air conditioning system. (For a good analysis, see Krebs on Security). And after that hackers were able to leverage the breach to inject malware into point of sale (POS) systems, and then offload payment card information.
A number of ridiculous errors were made here. Why was the HEATING AND COOLING specialist provided access to the enterprise network? Why wasn’t the HEATING AND COOLING system on a different, totally isolated network? Why wasn’t the POS system on a separate network? Et cetera, et cetera.
The point here is that in a very complex network, there are uncounted prospective vulnerabilities that could be exploited through recklessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the point.
Whose task is it to discover and repair those vulnerabilities? The security team. The CISO’s team. Security specialists aren’t “normal” people. They are hired to be paranoid. Make no mistake, no matter the particular technical vulnerability that was made use of, this was a CISO failure to prepare for the worst and prepare appropriately.
I can’t talk to the Target HEATING AND COOLING breach specifically, but there is one frustrating reason that breaches like this happen: A lack of budgetary top priority for cybersecurity. I’m not sure how frequently companies fail to fund security just due to the fact that they’re inexpensive and would rather do a share buy-back. Or possibly the CISO is too shy to request for what’s required, or has actually been informed that he gets a 5% boost, irrespective of the requirement. Maybe the CEO is worried that disclosures of big allotments for security will startle investors. Maybe the CEO is merely naïve enough to think that the enterprise will not be targeted by cyber criminals. The problem: Every company is targeted by hackers.
There are big competitions over spending plans. The IT department wishes to fund upgrades and enhancements, and attack the stockpile of demand for brand-new and improved applications. On the other side, you have line-of-business leaders who see IT projects as directly assisting the bottom line. They are optimists, and have great deals of CEO attention.
By contrast, the security department frequently needs to defend crumbs. They are viewed as a cost center. Security reduces company risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who appreciate compliance and reputation. These green-eyeshade people think of the worst case situations. That doesn’t make good friends, and budget dollars are assigned reluctantly at a lot of companies (up until the business gets burned).
Call it naivety, call it established hostility, however it’s a genuine obstacle. You cannot have IT provided fantastic tools to move the business forward, while security is starved and making do with second-best.
Worse, you do not want to wind up in scenarios where the rightfully paranoid security groups are dealing with tools that do not fit together well with their IT counterpart’s tools.
If IT and security tools don’t mesh well, IT may not be able to rapidly act to react to risky situations that the security teams are keeping an eye on or are worried about – things like reports from risk intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user habits that suggest risky or suspicious activity.
One idea: Find tools for both departments that are developed with both IT and security in mind, right from the beginning, rather than IT tools that are patched to supply some very little security ability. One budget product (take it out of IT, they have more cash), however 2 workflows, one designed for the IT expert, one for the CISO group. Everyone wins – and next time somebody wants to offer the HVAC specialist access to the network, maybe security will discover what IT is doing, and head that disaster off at the pass.