Breach Pain
Several stories involving companies victimized by intruders came to light at the same time. It's important to remember not to blame the victim, like the fool editor at Slashdot implied by writing Contractor Folds After Causing Breaches. The company in question, Verus Inc., didn't "cause breaches" -- it suffered them. Some bad guy stealing data caused the breaches. Read Medical IT Contractor Folds After Breaches at Dark Reading for the details.
New details on TJX came to light this week in stories like TJ Maxx Breach Costs Soar by Factor of 10 (Company had to absorb $118M of losses in Q2 alone) and The TJX Effect. The second article says this:
Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. "The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals," says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding "suspicious software" on its computer systems.
The USB drives contained a utility program that let the intruder or intruders take control of these computer kiosks and turn them into remote terminals that connected into TJX's networks, according to the source. The firewalls on TJX's main network weren't set to defend against malicious traffic coming from the kiosks, the source says. Typically, the USB drives in the computer kiosks are used to plug in mice or printers. The kiosks "shouldn't have been on the corporate LAN, and the USB ports should have been disabled," the source says.
You can expect me to advocate detection and rapid response, and I'm curious what this will produce: DARPA seeks innovations in network monitoring. Why isn't it "innovations in stopping attacks?" Because that doesn't work.
Comments
Sure, without a doubt. However, many of the organizations that contact third-party incident responders are simply unprepared to do either. Detection comes from some outside source, and any "response" that takes place ends up destroying valuable data (i.e., evidence).
The company in question, Verus Inc., didn't "cause breaches" -- it suffered them. Some bad guy stealing data caused the breaches.
I think it would be one thing had the thief done some fairly fancy footwork to break into the Verus network. However, according to the article, they "forgot" to turn a firewall back on.
Sure the analogy could be made of a door being left unlocked but I'm quite sure the companies that trusted Verus to manage their information services also had some sort of reasonable expectation that security was in place. Forgetting to turn a firewall back on? Pretty big faux pas.
All these numbers, BTW, are after taxes. In pre-tax terms, they are much larger.
Strictly speaking it wasn't TJX's data that was stolen. It was their customers'.
They were just keeping it and they were negligent in doing so.
It's not nice to attack a victim, but then again, the shop is not going to suffer because of the breach. Their customers are. And since the world is watching what happens to TJX, they must be made to help those whose data they lost so it doesn't happen again. (Wishful thinking, I know. But at least there must be incentives for large companies to protect data with which they have been entrusted.)
There is no way to completely prevent these incidents, and so regardless of what new strategies are implemented, data breaches will continue to create tremendous costs for organizations that host sensitive information on their databases.
It seems there needs to be a greater effort by organizations to implement more efficient response systems that allow the consumer to become aware of the incident sooner rather than later. This would at least limit those liabilities and aid in consumer retention.
Since detection is getting harder and harder (according to the DARPA piece), the case for deny-by-default environments inside the network grows stronger.
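The InformationWeek excerpt above describes two failures at once: the kiosks sat on the corporate LAN, and the firewalls were not configured to treat kiosk traffic as hostile. The last comment argues for deny-by-default inside the network. The Python below is an added example (not from the original post, its commenters, or TJX) that models both policies over a handful of constructed flow records and shows which flows a deny-by-default kiosk segment would have blocked. Those same flows are what a monitoring team on an unsegmented network should be alerting on, which is the detection angle the post advocates. The addresses, the job-application server, and the flow records are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All addresses below are constructed for this example; they are not
# TJX's real network layout.
KIOSK_NET = ipaddress.ip_network("10.50.0.0/24")       # in-store kiosk VLAN
JOBS_SERVER = ipaddress.ip_network("10.10.5.20/32")    # job-application web server


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network   # a /32 for a single host
    dport: Optional[int]             # None matches any port
    action: str                      # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in self.src_net
                and ipaddress.ip_address(flow.dst) in self.dst_net
                and (self.dport is None or self.dport == flow.dport))


# A policy is an ordered rule list plus the default applied when nothing matches.
Policy = Tuple[List[Rule], str]

# Policy A, as the article describes TJX: kiosks sat on the corporate LAN with
# no firewall between them, so every flow is permitted.
PERMISSIVE: Policy = ([], "allow")

# Policy B, deny by default: a kiosk may reach the job-application server on
# 443 and nothing else.
DENY_BY_DEFAULT: Policy = ([Rule(KIOSK_NET, JOBS_SERVER, 443, "allow")], "deny")


def decide(policy: Policy, flow: Flow) -> str:
    """First-match evaluation; fall back to the policy default."""
    rules, default = policy
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed flow records, the sort of thing a NetFlow collector or firewall
# log would show for a kiosk once someone has loaded tools onto it.
SAMPLE_FLOWS = [
    Flow("10.50.0.7", "10.10.5.20", 443),    # legitimate job application
    Flow("10.50.0.7", "10.10.20.15", 445),   # SMB to a corporate file server
    Flow("10.50.0.7", "10.10.1.5", 1433),    # direct connection to a database
    Flow("10.50.0.7", "10.10.5.20", 22),     # SSH to the jobs server
]


def evaluate(policy: Policy, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Apply one policy to every flow and return (flow, decision) pairs."""
    return [(f, decide(policy, f)) for f in flows]


def segmentation_violations(flows: List[Flow]) -> List[Flow]:
    """Flows the permissive network let through that a deny-by-default policy
    would have blocked. On a network without the segmentation, these are
    exactly the records a monitoring team should be alerting on."""
    return [f for f in flows
            if decide(PERMISSIVE, f) == "allow"
            and decide(DENY_BY_DEFAULT, f) == "deny"]


if __name__ == "__main__":
    for flow, action in evaluate(DENY_BY_DEFAULT, SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {action}")
    print("violations:", len(segmentation_violations(SAMPLE_FLOWS)))
```

Running it prints one `allow` (the job-application flow) and three `deny` decisions. The point of `segmentation_violations` is that the same rule list does double duty: enforced at a firewall it is the deny-by-default segment the commenter asks for, and evaluated against collected flow records it is a detection rule for a network that never got that firewall.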