Written by Charles Leaver, Ziften CEO
Whatever you do, do not ignore cybercriminals. Even the most paranoid "regular" person wouldn't worry about a data breach originating from credentials stolen from its heating, ventilation and air conditioning (HVAC) contractor. Yet that's what happened at Target in November 2013. Hackers broke into Target's network using credentials that had been issued to the contractor, most likely so it could monitor the heating, ventilation and air conditioning system. (For a great analysis, see Krebs on Security.) The hackers were then able to leverage that foothold to spread malware onto point-of-sale (POS) systems and exfiltrate payment card details.
A number of ludicrous errors were made here. Why was the HVAC contractor given access to the enterprise network at all? Why wasn't the HVAC system on a separate, fully isolated network? Why wasn't the POS system on a separate network? And so on.
The point is that in a really complex network there are countless potential vulnerabilities that could be exploited through negligence, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.
Whose job is it to find and fix those vulnerabilities? The security team. The CISO's team. Security professionals aren't "regular" people; they are paid to be paranoid. Make no mistake: whatever the specific technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.
I cannot speak to the Target HVAC breach specifically, but there is one frustrating reason why breaches like this happen: a lack of financial priority for cybersecurity. I'm not sure how often businesses fail to fund security simply because they're cheap and would rather do a share buyback. Or perhaps the CISO is too timid to ask for what's needed, or has been told that she gets a 5% increase regardless of the need. Maybe the CEO is worried that disclosing large security budgets will spook investors. Maybe the CEO is simply naïve enough to believe that the business won't be targeted by hackers. The problem: every company is targeted by cybercriminals.
There is fierce competition over budgets. The IT department wants to fund upgrades and improvements and to attack the backlog of demand for new and improved applications. On its side, it has operational managers who see IT projects as directly helping the bottom line. They are optimists, and they get plenty of CEO attention.
By contrast, the security department frequently has to fight for crumbs. It is viewed as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That doesn't win friends, and budget dollars are allocated reluctantly at a lot of companies (until the company gets burned).
Call it naivety, call it entrenched hostility, but it's a genuine challenge. You cannot have IT given fantastic tools to drive the enterprise forward while security is starved and making do with second best.
Worse, you don't want to end up in a situation where the rightfully paranoid security teams are working with tools that don't mesh well with their IT counterparts' tools.
If IT and security tools don't mesh, IT may not be able to act quickly on the dangerous situations the security teams are monitoring or worried about: things like threat intelligence reports, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that suggests risky or suspicious activity.
One idea: find tools for both departments that are designed with both IT and security in mind from the start, instead of IT tools that are patched to provide some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows, one designed for the IT professional and one for the CISO's team. Everybody wins, and the next time somebody wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that disaster off at the pass.