Sun Tzu taught that, when it comes to the art of cybersecurity, you must be wary of your business associates and other third parties.
Have you heard that Home Depot had a data breach? That hackers were able to exfiltrate 56 million payment cards and 53 million customer email addresses from its systems? Did you hear what may be the biggest news of all, the news that was announced earlier today (11/6/14)?
Do you know what that news has in common with the other “big breach event” from roughly a year ago?
Have you heard of the national retailer that was hit with a perfectly timed cyber attack on Black Friday ’13 that resulted in credit card data from roughly 110 million customers being taken? That company has now spent over $61,000,000 as a result of the data breach and will spend much more. It is facing new lawsuits weekly, its net earnings are down, earnings per share are down, and its sales are down. The company is Target. Target, however, was not attacked directly.
Do you know how both Home Depot’s and Target’s computer systems were attacked?
In both cases, cyber criminals obtained access credentials from third-party vendors to the “big boys,” and those credentials were used to get inside their network environments, past the firewalls and much of the security perimeter. Once on the inside, they used custom-built malware to execute the heist of the valuable data they were seeking all along.
Home Depot also said today that the criminals used a third-party vendor’s user name and password to reach the perimeter of its network, then gained additional rights to navigate the company’s systems. (Bloomberg)
What did Sun Tzu teach us about this technique?
In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.
You can be sure of succeeding in your attacks if you attack places which are not defended.
The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; and his forces being thus distributed in many directions, the numbers we shall have to face at any given point will be proportionately few.
Most businesses focus their energy on securing their own networks but focus very little on examining the networks of their business associates and other third parties that they allow to access their networks.
Around 500 B.C., Sun Tzu taught that if an enemy — a cyber criminal — wants to attack your company’s computer network, they would be wise to do so by attacking indirectly, such as through your company’s business associates and other third parties who have access to your network. Cyber criminals may be a lot of things, but they are not dumb … the successful ones, anyway.
Home Depot learned.
Will your company?
Stay wary, friends.