Written by Charles Leaver, Ziften CEO
Whatever you do, don’t ignore cyber security. Even the most paranoid “normal” person wouldn’t worry about the source of a data breach being credentials stolen from its heating, ventilation and air conditioning (HVAC) contractor. Yet that’s what happened at Target in November 2013. Hackers got into Target’s network using credentials issued to the contractor, presumably so it could monitor the HVAC system. (For a good analysis, see Krebs on Security.) From that foothold the attackers were able to inject malware into point-of-sale (POS) systems and then exfiltrate payment card data.
A number of ludicrous mistakes were made here. Why was the HVAC contractor given access to the corporate network at all? Why wasn’t the HVAC system on a separate, completely isolated network? Why wasn’t the POS system on a separate network? And so on.
The point here is that in a very complex network there are countless potential vulnerabilities that could be exploited through negligence, unpatched software, default passwords, social engineering, spear phishing or insider actions. You get the idea.
Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s team. Security professionals aren’t “normal” people. They are paid to be paranoid. Make no mistake: whatever the specific technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.
I can’t speak to the Target HVAC breach specifically, but there is one overwhelming reason why breaches like this happen: a lack of budgetary priority for cybersecurity. I don’t know how often companies fail to fund security simply because they’re cheap and would rather do a share buyback. Or maybe the CISO is too timid to ask for what’s needed, or has been told that she gets a 5% increase, regardless of need. Maybe the CEO is worried that disclosing big allocations for security will alarm investors. Maybe the CEO is simply naïve enough to believe that the company won’t be targeted by hackers. Bad news: every company is targeted by cyber criminals.
There are huge fights over budgets. The IT department wants to fund upgrades and improvements, and attack the backlog of demand for new and better applications. On its side it has line-of-business managers who see IT projects as directly helping the bottom line. They are optimists, and they get lots of CEO attention.
By contrast, the security department too often has to fight for crumbs. It is seen as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That doesn’t win friends, and budget dollars are allocated grudgingly at most companies (until the company gets burned).
Call it naivety, call it institutional hostility, but it’s a real challenge. You can’t have IT given great tools to move the business forward while security is starved and making do with second best.
Worse, you don’t want to end up in situations where the rightfully paranoid security teams are working with tools that don’t mesh well with their IT counterparts’ tools.
If IT and security tools don’t fit together well, IT may not be able to act quickly on the dangerous situations that the security teams are monitoring or worried about: things like threat intelligence reports, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that indicates risky or suspicious activity.
One idea: find tools for both departments that are designed with both IT and security in mind from the start, rather than IT tools that are patched to provide some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows: one designed for the IT professional, one for the CISO’s team. Everyone wins, and the next time someone wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that disaster off at the pass.