The Art of Data Security: How Sun Tzu Masterminded the Home Depot Data Breach

The Art of Data SecuritySun Tzu taught that, when it comes to the art of data security, you must be wary of your business associates and other third parties.

Why?

Have you heard that Home Depot had a data breach? That hackers were able to exfiltrate 56 million payment cards and 53 million customer email addresses from its systems? Did you hear what may be the biggest news of all, the news that was announced earlier today (11/6/14)?

Do you know what that news has in common with the other “big breach event” from roughly a year ago?

Have you heard of the national retailer that what was hit with a perfectly timed cyber attack on Black Friday ’13 that resulted in credit card data from roughly 110 million customers being taken? That company has now spent over $61,000,000 as a result of the data breach and will spend much more. It is facing new lawsuits weekly, its net earnings are down, earnings per share are down, and its sales are down. The company is Target. Target, however, was not attacked directly.

Do you know how both Home Depot’s and Target’s computer system were attacked?

In both cases, cyber criminals obtained access credentials from third-party vendors to the “big boys” which credentials were used to get inside of their network environment, past the firewalls and much of the security perimeter. Once on the inside, they then used custom-built malware to execute the heist of the valuable data they were seeking all along.

Home Depot also said today that the criminals used a third-party vendor’s user name and password to reach the perimeter of its network, then gained additional rights to navigate the company’s systems. (Bloomberg)

What did Sun Tzu teach us about this technique?

In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.

You can be sure of succeeding in your attacks if you attack places which are not defended.

The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; and his forces being thus distributed in many directions, the numbers we shall have to face at any given point will be proportionately few.

Most businesses focus their energy on securing their own networks but focus very little on examining the networks of their business associates and other third parties that they allow to access their networks.

Around 500 B.C. Sun Tzu taught that if an enemy — a cyber criminal — wants to attack your company’s computer network, they would be wise to do so by attacking indirectly, such as through your company’s business associates and other third-parties who have access to your network. Cyber criminals may be a lot of things, but they are not dumb … the successful ones, anyway.

Target learned.

Home Depot learned.

Will your company?

Stay wary friends.

 

Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is – and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.

 

Publix hasn’t had a data breach but is already seeking PR help in case it does — good or bad?

Chaos? Plan Ahead!This is interesting. Publix grocery store chain has made the news because of data breach — not because they have had a data breach (though they probably have and just don’t know it) — but because it has been learned that it is sending out proposals for PR help in the event it does have a data breach. The reaction to this is mixed. Some people think it is good but many are taking a cynical view of this move.

What do I think?

Well, thank you for asking!

I like it. First, one of the most important messages I try to preach these days is the need for companies to take the threat of data breach seriously, to prepare ahead of time, and have a plan in place so that all they have to do is execute that plan in the event a breach occurs. Look, I blogged about this just this past week and a whole bunch of times before.

Does the fact that the attention to Publix’s preparation is being focused on the fact that it is seeking PR help in any way diminish this?

That depends.

One of the key components to any breach response and breach response plan is to involve PR to help the company properly “message” their response to its customers to help minimize the overall disruption to the business. If the business crumbles, nothing else matters — the PR side is a key component to this is crucial.

So, if Publix is screening and assembling its PR team in an overall effort to prepare for a breach, that tells me that it is taking data breach seriously [give it a check] and that it is putting resources behind that concern [give it another check], and putting a plan in place to be prepared to respond to the inevitable data breach [give it another check]. This is good — this is what we are encouraging.

What this also tells me, and that I hope is the case, is that if Publix is devoting energy and resources to this kind of preparation, there is at least a decent chance that it is putting energy and resources into actually hardening its data security systems and improving its overall cyber security as a company. If this is true, then this is great — this is exactly what we are trying to encourage!

Now, if my assumptions are wrong and all that Publix cares about is the PR message and nothing else, well, then that is a much different story. If it is, then I really have to question the wisdom of its leadership because what this shows is that Publix is aware of the threat, recognizes the harm it can cause, is devoting energy and resources to it but in a self-centered and careless way, and is making a conscious decision to not correct it — and when that happens, if it has a breach, it just may be the one to get it!

Check out the article for yourself, here’s a brief quote:

Publix operates 1,082 locations in six states across the South and Southeast, and ranks as one of the 10 largest supermarkets by volume. The company’s request for proposals says it “would like to understand how a PR company could provide assistance preparing for, and during a data breach, e.g. advice and assistance with messages.”That could include a “proactive review” of Publix customer relations and “rapid response scheduling in the event of a confirmed breach. Publix prides ourselves in the relationships we build with our customers and associates and as such will require a company with outstanding communications skills and experience.”

via ‘Proactive’ Publix seeks PR help in event of data breach | TBO.com, The Tampa Tribune and The Tampa Times.

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

FBI Director Talks Cyber Espionage: Chinese Like “Drunk Burglar”

FBI

“[T]here are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese” -FBI Director

The pervasive threat that cyber espionage poses to American business is not a new topic on this blog — we have been talking about it for a few years. But you do not have to take my word for it; there is a “higher authority” on the subject. No, not that high! But the Director of the FBI is pretty high.

Here is the transcript of what FBI Director James Comey had to say about the Chinese cyber espionage efforts. If you follow the link at the bottom, you can watch the video of his interview:

“What countries are attacking the United States as we sit here in cyberspace?”

“Well, I don’t want to give you a complete list. But the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry,” said FBI director Comey.

“What are they trying to get?”

“Information that’s useful to them so they don’t have to invent. They can copy or steal to learn about how a company might approach negotiations with a Chinese company, all manner of things,” said Comey.

“How many hits from China do we take in a day?”

“Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese,” said Comey.

“The Chinese are that good?”

“Actually,” the FBI director replied, “not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”

via FBI Director: Chinese Like ‘Drunk Burglar’ | The Weekly Standard.

 

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!