Written By Chuck Leaver Ziften CEO
Whatever you do don’t ignore cybersecurity criminals. Even the most paranoid “typical” person would not worry about a source of data breaches being taken qualifications from its heating, ventilation and air conditioning (HEATING AND COOLING) specialist. Yet that’s what happened at Target in November 2013. Hackers broke into Target’s network utilizing qualifications offered to the contractor, presumably so they might track the heating, ventilation and air conditioning system. (For an excellent analysis, see Krebs on Security). And then hackers were able to take advantage of the breach to inject malware into point-of-sale (POS) systems, then unload payment card details.
A variety of ludicrous mistakes were made here. Why was the HVAC contractor given access to the enterprise network? Why wasn’t the HVAC system on a different, totally separated network? Why wasn’t the POS system on a different network? Et cetera, et cetera.
The point here is that in an extremely intricate network, there are uncounted potential vulnerabilities that could be made use of through recklessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You understand.
Whose task is it to discover and fix those vulnerabilities? The security team. The CISO’s team. Security specialists aren’t “typical” individuals. They are hired to be paranoid. Make no mistake, no matter the specific technical vulnerability that was made use of, this was a CISO failure to expect the worst and prepare appropriately.
I cannot speak with the Target A/C breach specifically, however there is one frustrating reason that breaches like this occur: An absence of financial top priority for cybersecurity. I’m uncertain how typically companies fail to fund security merely because they’re inexpensive and would rather do a share buy-back. Or perhaps the CISO is too shy to ask for exactly what’s needed, or has actually been told that she gets a 5% increase, irrespective of the need. Maybe the CEO is worried that disclosures of big allowances for security will scare investors. Possibly the CEO is just naïve enough to believe that the enterprise will not be targeted by cyber criminals. Bad news: Every enterprise is targeted by hackers.
There are big competitions over budget plans. The IT department wishes to finance upgrades and improvements, and attack the stockpile of demand for new and better applications. On the flip side, you have operational leaders who see IT tasks as directly assisting the bottom line. They are optimists, and have great deals of CEO attention.
By contrast, the security department frequently has to defend crumbs. They are seen as an expense center. Security minimizes enterprise danger in a manner that matters to the CFO, the CRO (chief risk officer, if there is one), the basic counsel, and other pessimists who appreciate compliance and reputation. These green-eyeshade individuals think of the worst case circumstances. That doesn’t make good friends, and budget plan dollars are designated grudgingly at a lot of companies (until the company gets burned).
Call it naivety, call it established hostility, but it’s a genuine challenge. You can’t have IT provided great tools to move the enterprise forward, while security is starved and making do with second best.
Worse, you do not wish to end up in situations where the rightfully paranoid security teams are working with tools that don’t fit together well with their IT equivalent’s tools.
If IT and security tools do not mesh well, IT may not have the ability to rapidly act to respond to risky scenarios that the security groups are keeping track of or are worried about – things like reports from danger intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behaviors that suggest dangerous or suspicious activity.
One recommendation: Find tools for both departments that are designed with both IT and security in mind, right from the beginning, instead of IT tools that are patched to provide some very little security ability. One spending plan item (take it out of IT, they have more finances), but 2 workflows, one created for the IT professional, one for the CISO team. Everybody wins – and next time somebody wishes to give the HEATING AND COOLING specialist access to the network, perhaps security will notice exactly what IT is doing, and head that disaster off at the pass.