Written by Charles Leaver, Ziften CEO
Whatever you do, don't underestimate hackers. Even the most paranoid "regular" person wouldn't worry about a data breach originating from credentials stolen from its heating, ventilation and air conditioning (HVAC) contractor. Yet that's exactly what happened at Target in November 2013. Hackers got into Target's network using credentials issued to the contractor, most likely so it could monitor the HVAC system. (For a good analysis, see Krebs on Security.) The hackers were then able to leverage the breach to spread malware into point of sale (POS) systems and exfiltrate payment card details.
A number of ludicrous errors were made here. Why was the HVAC contractor given access to the business network? Why wasn't the HVAC system on a separate, completely isolated network? Why wasn't the POS system on a separate network? And so on.
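The segmentation questions above have a concrete, checkable form: a third-party account should only ever reach the network segment it was issued for. The following is an added example (not code from Ziften or from the original post) that applies such a policy to a handful of constructed access-log lines and flags any third-party credential reaching a segment outside its allow-list. The segment ranges, account names, log format and timestamps are all assumptions made up for the illustration.

```python
"""Segment-policy check for third-party accounts (constructed example, not a real deployment)."""
import ipaddress
from collections import namedtuple

# Constructed VLAN layout: building systems, corporate IT, and payment systems
# live on separate address ranges. These ranges are an assumption for the example.
SEGMENTS = {
    "hvac": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),
}

# Which segments each policy-governed account may reach. A vendor monitoring
# building systems needs the HVAC segment and nothing else. Account names are assumed.
ACCOUNT_POLICY = {
    "hvac-vendor": {"hvac"},
    "pos-admin": {"pos"},
}

Event = namedtuple("Event", "ts user src dst")
Violation = namedtuple("Violation", "ts user dst segment")


def parse_line(line):
    """Parse one constructed log line: '<ts> user=<name> src=<ip> dst=<ip>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv["user"], kv["src"], kv["dst"])


def segment_of(ip):
    """Map a destination address to its segment name, or 'unknown' if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def find_violations(lines):
    """Return events where a policy-governed account reached a segment outside its allow-list.

    Accounts without a policy entry are ignored here (they would be covered by
    ordinary user policy). An 'unknown' segment is treated as a violation, so the
    check fails closed for any destination the segment map does not cover.
    """
    violations = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        allowed = ACCOUNT_POLICY.get(ev.user)
        if allowed is None:
            continue
        seg = segment_of(ev.dst)
        if seg not in allowed:
            violations.append(Violation(ev.ts, ev.user, ev.dst, seg))
    return violations


# Constructed sample log: the vendor account first touches its own HVAC segment,
# then a corporate host, then a POS host. Only the last two should be flagged.
SAMPLE_LOG = """\
2024-01-05T08:01:02Z user=hvac-vendor src=203.0.113.7 dst=10.10.0.25
2024-01-05T08:03:10Z user=hvac-vendor src=203.0.113.7 dst=10.20.4.9
2024-01-05T08:05:44Z user=hvac-vendor src=203.0.113.7 dst=10.30.1.77
2024-01-05T08:06:00Z user=pos-admin src=10.30.0.5 dst=10.30.1.77
2024-01-05T08:07:12Z user=jdoe src=10.20.1.1 dst=10.30.1.77
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG.splitlines()):
        print(f"{v.ts} {v.user} reached {v.dst} ({v.segment} segment) outside policy")
```

Run as-is it reports the two vendor connections that left the HVAC segment. In practice the same check belongs in a firewall or NAC policy so the traffic is blocked rather than merely logged, but running it over authentication or flow logs is a cheap way to confirm that the segmentation you believe you have actually holds.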
The point here is that in a really complex network there are countless potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.
Whose job is it to discover and fix those vulnerabilities? The security team. The CISO's office. Security specialists aren't "normal" people; they are paid to be paranoid. Make no mistake: no matter the specific technical vulnerability that was exploited, this was a failure by the CISO to anticipate the worst and prepare accordingly.
I can't speak to the Target HVAC breach specifically, but there is one frustrating reason that breaches like this occur: a lack of financial priority for cybersecurity. I'm not sure how often businesses fail to fund security simply because they're cheap and would rather do a share buyback. Or maybe the CISO is too timid to ask for what's needed, or has been told that he gets a 5% increase regardless of the requirement. Perhaps the CEO worries that disclosing big budgets for security will scare shareholders. Maybe the CEO is simply naïve enough to believe that the business won't be targeted by hackers. The problem: every enterprise is targeted by hackers.
There is substantial competition over budgets. The IT department wants to fund upgrades and improvements, and to attack the backlog of demand for new and enhanced applications. Alongside them are operational leaders who see IT projects as directly helping the bottom line. They are optimists, and they get a great deal of CEO attention.
By contrast, the security department often has to fight for crumbs. It is viewed as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That doesn't win friends, and budget dollars are allocated grudgingly at too many companies (until the company gets burned).
Call it naivety, call it entrenched hostility, but it's a real problem. You can't have IT given great tools to move the enterprise forward while security is starved and making do with second-best.
Worse, you don't want to end up in a situation where the rightfully paranoid security team is working with tools that don't mesh well with their IT counterparts' tools.
If IT and security tools don't fit together well, IT may not be able to act quickly on the risky situations that the security team is tracking or worried about: things like threat intelligence reports, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that indicates dangerous or suspicious activity.
One recommendation: find tools for both departments that are designed with both IT and security in mind from the start, rather than IT tools that are patched to offer some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows, one designed for the IT professional and one for the CISO's team. Everybody wins. And the next time somebody wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that disaster off at the pass.