Written by Chuck Leaver, Ziften CEO
Whatever you do, do not ignore cybersecurity hackers. Even the most paranoid “typical” person would not worry about a data breach originating from credentials stolen from a heating, ventilation and air conditioning (HVAC) contractor. Yet that’s exactly what happened at Target in November 2013. Hackers got into Target’s network using credentials issued to the contractor, most likely so the contractor could monitor the heating, ventilation and air conditioning system. (For a good analysis, see Krebs on Security.) The hackers were then able to use that foothold to inject malware into point-of-sale (POS) systems and offload payment card details.
A number of ridiculous mistakes were made here. Why was the HVAC contractor given access to the enterprise network? Why wasn’t the HVAC system on a separate, completely isolated network? Why wasn’t the POS system on a different network? And so on.
The point here is that in a very complex network, there are countless possible vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the point.
Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s office. Security professionals aren’t “regular” people. They are hired to be paranoid. Make no mistake: no matter which technical vulnerability was exploited, this was a failure by the CISO to anticipate the worst and prepare accordingly.
I cannot speak to the Target HVAC breach specifically, but there is one frustrating reason that breaches like this happen: a lack of financial priority for cybersecurity. I’m not sure how often companies fail to fund security simply because they’re cheap and would rather do a share buyback. Or perhaps the CISO is too shy to ask for what’s needed, or has been told that she gets a 5% increase, regardless of the need. Maybe the CEO is worried that disclosing large allocations for security will alarm shareholders. Perhaps the CEO is simply naïve enough to think that the enterprise won’t be targeted by hackers. The problem: every enterprise is targeted by hackers.
There are big battles over budgets. The IT department wants to fund upgrades and enhancements, and attack the backlog of demand for new and better applications. On the other side, you have line-of-business managers who see IT projects as directly helping the bottom line. They are optimists, and they get lots of CEO attention.
By contrast, the security department often has to fight for crumbs. It is viewed as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about the worst-case scenarios. That does not make friends, and budget dollars are allocated grudgingly at many organizations (until the company gets burned).
Call it naivety, call it entrenched hostility, but it’s a real challenge. You cannot have IT given great tools to drive the enterprise forward while security is starved and making do with second-best.
Worse, you don’t want to end up in a situation where the rightfully paranoid security teams are working with tools that do not mesh well with their IT counterparts’ tools.
If IT and security tools don’t mesh well, IT might not be able to act quickly in response to risky situations that the security teams are tracking or are worried about: things like threat intelligence reports, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behaviors that indicate risky or suspicious activity.
One idea: find tools for both departments that are designed with both IT and security in mind, right from the start, instead of IT tools that are patched to provide some minimal security capability. One budget item (take it out of IT, they have more money), but two workflows: one designed for the IT specialist, one for the CISO team. Everyone wins, and the next time someone wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that disaster off at the pass.