Editor's note: This post was updated after publication to remove references to discarded reports related to the Target breach.
A multimillion-dollar security infrastructure, built and maintained by one of the world’s largest retailers and designed to shuttle sensitive information on millions of consumers between financial institutions of every size, was brought to its knees recently.
The Target breach continues to generate mountains of coverage, and, in a strange way, it also points the way to problems in the near future.
What happened?
Nearly a month after the hack we’re still learning exactly what happened, but the sheer scope of the attack is stunning. Some 40 million credit cards and 70 million personal records have been compromised, with debit and credit cards from a wide range of financial services providers. Early indications that point-of-sale systems at retail outlets were infected with malware are apparently proving correct. This allowed the perpetrators to extract secure data from each card in that critical instant between entry and encryption. The force behind the breach is equally massive, most likely a global, sophisticated network of cybercriminals systematically targeting the retail industry. Moving forward, regardless of the facts of the case, the fallout from this debacle will be felt for a long, long time.
The malware, officially called BlackPOS (and also known as ‘reedum’ or ‘Kaptox’) has been covered by Brian Krebs in good detail on his blog, KrebsonSecurity.
What does this tell us about future scenarios?
The uncomfortable truth is that in our industry, there’s already a rich history of huge networks being hacked or even brought down altogether, not only by sophisticated criminal gangs but also lone operators using low-tech tools. Remember the case of the disgruntled former employee who, from a laptop at a fast-food restaurant, used his administrative access to bring down all his former company’s servers?
And the potential exists for things to get much, much worse. That’s because the migration we’re now seeing to virtualized infrastructures and the cloud introduces a host of vulnerabilities. Sure, the benefits are undeniable. There’s unprecedented scalability, unbelievable flexibility and significantly lower costs. The entire approach calls for a level of streamlining that boosts use of existing assets, eases access to information and enhances productivity. At the same time, however, the new paradigm virtually mandates a new kind of power for systems administrators and other IT personnel. They can penetrate everything from the core operating system and specific applications to all the data that resides there.
Perhaps worst of all, the cloud model is essentially built on a greater concentration of assets, and therefore greater risk. Even a minor breach can escalate almost instantly, long before the damage can be contained through traditional procedures, such as those followed in physical data centers.
There is no panacea to cure all ills, no bulletproof system to guarantee data protection. Yet in its own way, each debacle offers lessons that help avoid future calamities.
For example, the National Security Agency—now dominating the headlines for proposed changes to its spying protocols—announced a simple change that could drastically alter its data loss record. It’s the two-man rule, which dictates that at least two authorized individuals must approve every action for it to take place. This measure alone might have blocked the Edward Snowden leak. A rogue operative, he used his access privileges to undertake, single-handedly, the largest security breach in the government’s history.
There are other precautionary measures available too: role-based monitoring, levels of privileged and need-to-know access, administrator authentication, administrative controls for compliance and forensic analysis, etc. Each strategy and tool offers another layer of protection that makes sense today, rather than the old world of physical security.
Somewhere out there is a kid could be working on a simple laptop to create yet another tool that can breach the most impenetrable infrastructure. That’s an unfortunate by-product of innovation. And there are hordes of invisible, anonymous criminals ferreting out those tools to use for their own nefarious purposes. It’s our job to take a strategic approach that offers better security without hindering productivity. And that’s the only way to benefit from the cloud while keeping the office safe.