The Art of Data Security: How Sun Tzu Masterminded the Home Depot Data Breach

The Art of Data SecuritySun Tzu taught that, when it comes to the art of data security, you must be wary of your business associates and other third parties.

Why?

Have you heard that Home Depot had a data breach? That hackers were able to exfiltrate 56 million payment cards and 53 million customer email addresses from its systems? Did you hear what may be the biggest news of all, the news that was announced earlier today (11/6/14)?

Do you know what that news has in common with the other “big breach event” from roughly a year ago?

Have you heard of the national retailer that what was hit with a perfectly timed cyber attack on Black Friday ’13 that resulted in credit card data from roughly 110 million customers being taken? That company has now spent over $61,000,000 as a result of the data breach and will spend much more. It is facing new lawsuits weekly, its net earnings are down, earnings per share are down, and its sales are down. The company is Target. Target, however, was not attacked directly.

Do you know how both Home Depot’s and Target’s computer system were attacked?

In both cases, cyber criminals obtained access credentials from third-party vendors to the “big boys” which credentials were used to get inside of their network environment, past the firewalls and much of the security perimeter. Once on the inside, they then used custom-built malware to execute the heist of the valuable data they were seeking all along.

Home Depot also said today that the criminals used a third-party vendor’s user name and password to reach the perimeter of its network, then gained additional rights to navigate the company’s systems. (Bloomberg)

What did Sun Tzu teach us about this technique?

In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.

You can be sure of succeeding in your attacks if you attack places which are not defended.

The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; and his forces being thus distributed in many directions, the numbers we shall have to face at any given point will be proportionately few.

Most businesses focus their energy on securing their own networks but focus very little on examining the networks of their business associates and other third parties that they allow to access their networks.

Around 500 B.C. Sun Tzu taught that if an enemy — a cyber criminal — wants to attack your company’s computer network, they would be wise to do so by attacking indirectly, such as through your company’s business associates and other third-parties who have access to your network. Cyber criminals may be a lot of things, but they are not dumb … the successful ones, anyway.

Target learned.

Home Depot learned.

Will your company?

Stay wary friends.

 

Fifth Amendment Permits Police To Force Users to Unlock iPhones With Fingerprints, But Not Passcodes

digital fingerprintsThe Fifth Amendment does not prohibit the police from forcing users to provide a fingerprint to unlock a mobile device but it does prohibit them from forcing users to provide a passcode.

This was the ruling of a District Court in Virginia.

The court’s rationale is that the Fifth Amendment does not protect against providing physical or tangible information to further an investigation, such as DNA evidence or a physical key, but it does protect a defendant from having to provide information that must be communicated because by communicating that information, the defendant would be testifying against himself.

Read more: Court Rules Police Can Force Users to Unlock iPhones With Fingerprints, But Not Passcodes – Mac Rumors.

Excellent info from Travelers: Company Data Security Policy & Standards

Computer-ThiefTravelers just published a list of 9 things companies should consider for data security policies and standards. It is excellent. You can see it by following the link below.

But first, check out my CyberGard–Cyber Risk Protection Program that can help with implementing these 9 steps!

via Company Data Security Policy & Standards | Travelers Insurance.

Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is – and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.

 

“Defense wins championships” when preparing for the inevitable data breach

“The best strategy to manage the inevitable data breach of your enterprise is to be prepared.” -Adam Greenberg, SC Magazine

Exactly–you must prepare on 2 fronts: Defense & Response

In a recent article in SC Magazine, Adam Greenberg marches along faithfully with many of us in trying to get you, the business leader, to appreciate the severe risk that data breaches pose to your business. He starts by repeating the old data breach proverb, “It is not a matter of if, but when,” which readers of this site have heard many times before.

It is now a given that every enterprise either already has been, or will be, the victim of a data breach. It’s just life in the digital age, get used to it.

More importantly, prepare for it. A data breach can be either (1) a catastrophic event that threatens the very existence of your enterprise, or (2) just another adversity that your enterprise faces, manages, and learns from along its journey to success.

The choice is yours and is determined by whether you stick your head in the sand and ignore the risk or prepare for it. The first step you must take is to decide that you will not ignore this threat and that you will prepare for it. This is the most difficult step for many business leaders but, once we get past it, we start making progress.

Preparing for a data breach requires preparing a defensive strategy and a responsive strategy.

Preparing to Defend

-Defense Wins Championships-“Offense sells tickets; Defense wins championships” -Coach Paul “Bear” Bryant Jr.

When we talk about preparing for a data breach, some people jump the gun and start thinking about how they will respond. This loses sight of the primary objective–your duty–PROTECTING THE DATA which, necessarily, requires defending your system.

The top priority for your enterprise is to take steps to assess and strengthen its cyber security posture. Then, the deficiencies that are identified must be corrected (there are always deficiencies). And don’t forget to document the steps that are taken (here is why).

Preparing to Respond

After you have prepared your defensive strategy, the next step is to prepare for responding to the inevitable data breach. Every enterprise needs a data breach response strategy that is documented in a written breach response plan (here is why).

The breach response plan needs to be comprehensive, readily accessible in an emergency, and everyone needs to be trained on their roles in the plan. You can read more about breach response plans here.

Fortunately, this process is not as intimidating as it may sound. The most difficult part is that you must decide that you will make sure your enterprise is prepared for this risk. After you make that decision, a qualified adviser who has helped other enterprises prepare for these situations can guide you through the process.

Learn more about the author’s unique CyberGard–Cyber Risk Protection Program.

 

Source of original article: Plan ahead: Prepare for the inevitable data breach – SC Magazine.