Thursday, August 16, 2007

Breach Pain

Several stories involving companies victimized by intruders came to light at the same time. It's important to remember not to blame the victim, like the fool editor at Slashdot implied by writing Contractor Folds After Causing Breaches. The company in question, Verus Inc., didn't "cause breaches" -- it suffered them. Some bad guy stealing data caused the breaches. Read Medical IT Contractor Folds After Breaches at Dark Reading for the details.

New details on TJX came to light this week in stories like TJ Maxx Breach Costs Soar by Factor of 10 (Company had to absorb $118M of losses in Q2 alone) and The TJX Effect. The second article says this:

Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. "The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals," says the source. In a March filing with the Securities and Exchange Commission,TJX acknowledged finding "suspicious software" on its computer systems.

The USB drives contained a utility program that let the intruder or intruders take control of these computer kiosks and turn them into remote terminals that connected into TJX's networks, according to the source. The firewalls on TJX's main network weren't set to defend against malicious traffic coming from the kiosks, the source says. Typically, the USB drives in the computer kiosks are used to plug in mice or printers. The kiosks "shouldn't have been on the corporate LAN, and the USB ports should have been disabled," the source says.


You can expect me to advocate detection and rapid response, and I'm curious what this will produce: DARPA seeks innovations in network monitoring. Why isn't it "innovations in stopping attacks?" Because that doesn't work.

7 comments:

Keydet89 said...

You can expect me to advocate detection and rapid response...

Sure, without a doubt. However, many of the organizations that contact third party incident responders are simply unprepared to do either. Detection comes from some outside source, and any "response" that takes place ends up destroying valuable data (ie, evidence).

B.K. DeLong said...

You say:

The company in question, Verus Inc., didn't "cause breaches" -- it suffered them. Some bad guy stealing data caused the breaches.

I think it would be one thing had the thief done some fairly fancy footwork to break into the Verus network. However, according to the article, they "forgot" to turn a firewall back on.

Sure the analogy could be made of a door being left unlocked but I'm quite sure the companies that trusted Verus to manage their information services also had some sort of reasonable expectation that security was in place. Forgetting to turn a firewall back on? Pretty big faux pas.

John Ward said...

Sounds like design flaws. Kiosks connected to the corporate network should be treated as outward facing web servers, since they are publicly accessible. Saying Kiosks whose sole purpose it to accept employment applications shouldn't send that data to HR pretty much defeats the purpose of the kiosks to begin with. More or less a few design flaws come to light... why run full operating systems for a kiosk with that functionality when a Thin Client would be just as effective. Running a full OS such as Windows or Linux with a full blown USB Stack that includes unrestricted access to USB Mass Storage devices is just asking for trouble. Hell, even off the shelf products like Device Lock can be configured to prevent access to devices on a role basis. Of course, this is all said in hindsight, and we all know the old saying about hindsight. While I agree that monitoring would have definitly minimized loss, this was a serious oversight on the part of the designers.

Chris said...

IIRC, they set aside 118M for losses. That doesn't mean the $ have actually been (or will ever be) spent.

All these numbers, BTW, are after taxes. In pre-tax terms, they are much larger.

Allen Baranov, CISSP said...

Remember:

Strictly speaking it wasn't TJX's data that was stolen. It was their customer's.

They were just keeping it and they were negligent in doing so.

Its not nice to attack a victim but then again, the shop is not going to suffer because of the breach. Their customers are. And since the world is watching what happens to TJX they must be made to help those whose data they lost so it doesn't happen again. (Wishful thinking, I know. But at least there must be incentives for large companies to protect data which which they have been entrusted.)

Chris Ramos said...

As technology improves, so will mechanisms by which hackers are able to compromise sensitive data.

There is no way to completely prevent the these incidences and so regardless of what new strategies are implemented, data breaches will continue to create tremendous costs for organizations who host sensitive information on their database.

It seems there needs to be a greater effort by organizations to implement more efficient response systems that allow the consumer to become aware of the incident sooner than later. This would at least limit those liabilities and aid in consumer retention.

Rob Lewis said...

As long as security remains in a reactive stance and does nothing to correct the inherent design flaws of systems, the industry had better hope that they can detect attacks quickly enough to prevent disaster.

Since detection is getting harder and harder, (according the the DARPA piece), the case for deny-by default environments inside the network grows stronger.