Written by Charles Leaver, Ziften CEO
Whatever you do, don't ignore cyber criminals. Even the most paranoid "normal" person would not worry about a data breach originating from credentials stolen from its heating, ventilation and air conditioning (HVAC) contractor. Yet that's what happened at Target in November 2013. Hackers got into Target's network using credentials issued to the contractor, most likely so it could monitor the HVAC system. (For an excellent analysis, see Krebs on Security.) From there the attackers were able to use the breach to spread malware into point of sale (POS) systems, then exfiltrate payment card data.
A number of ludicrous errors were made here. Why was the HVAC contractor given access to the business network? Why wasn't the HVAC system on a separate, fully isolated network? Why wasn't the POS system on a separate network? And so on.
The point is that in an extremely complex network there are countless potential vulnerabilities that can be exploited through negligence, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.
Whose job is it to find and fix those vulnerabilities? The security team. The CISO's office. Security professionals aren't "normal" people; they are paid to be paranoid. Make no mistake: whatever the specific technical vulnerability that was exploited, this was a CISO failure to expect the worst and prepare accordingly.
I cannot speak to the Target HVAC breach specifically, but there is one overwhelming reason breaches like this happen: a lack of budgetary priority for cybersecurity. I'm not sure how often businesses fail to fund security simply because they're cheap and would rather do a share buyback. Or maybe the CISO is too timid to ask for what's needed, or has been told that he gets a 5% increase regardless of the need. Perhaps the CEO is worried that disclosures of large allocations for security will spook investors. Perhaps the CEO is simply naive enough to believe that the business won't be targeted by hackers. The problem: every company is targeted by cyber criminals.
There are big battles over budgets. The IT department wants to fund upgrades and improvements, and attack the backlog of demand for new and enhanced applications. On the other side, you have line-of-business managers who see IT projects as directly helping the bottom line. They are optimists, and they get lots of CEO attention.
By contrast, the security department often has to fight for crumbs. It is seen as a cost center. Security reduces enterprise risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That does not win friends, and budget dollars are allocated grudgingly at most organizations (until the business gets burned).
Call it naivety, call it institutional hostility, but it's a genuine obstacle. You cannot have IT given great tools to move the enterprise forward while security is starved and making do with second best.
Worse, you don't want to end up in situations where the rightly paranoid security teams are working with tools that don't mesh well with their IT counterparts' tools.
If IT and security tools don't mesh well, IT may not be able to act quickly on the risky situations that the security teams are monitoring or are concerned about: things like threat intelligence reports, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behaviors that indicate risky or suspicious activity.
One idea: find tools for both departments that are designed with both IT and security in mind, right from the start, rather than IT tools that are patched to offer some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO team. Everyone wins, and next time somebody wants to give the HVAC contractor access to the network, maybe security will see what IT is doing and head that disaster off at the pass.