What Will It Take for Some to Pay More Attention to Cybersecurity?

We have had some challenging situations in cybersecurity in the last 2 years (2014-15). But since we are so focused on the here and now, if it is not happening to you, does it really affect you?

Let’s review a few of the most egregious offenders and the problems they had:

Target¹ – malware on Point Of Sale systems that collected credit card information and sent it back to the criminals. There was a system in place and it did alert on the malware, but no one had the time to review and fix the problem.

Michaels² – Failure of procedure, as the credit card hackers just called several stores and announced they were going to come in and replace the credit card machines. Social engineering at its finest: when criminals succeed in placing their own hardware for access, the attack will succeed 100% of the time. This is an obvious failure of management and of basic PHYSICAL security of the credit card machines. Installing skimmers under the averted eyes of employees is breathtaking after the fact.

Sony³ – The total destruction of a network rates pretty high in my book of cybersecurity failures.

What did all 3 cyber breaches have in common?

The common theme in all 3 is apparent apathy in corporate decisions at the highest levels.

The reason for the apathy is in the diagram I have discussed before:

[Figure: risk-security-see-saw diagram]

At Target _some_ decisions were good – like the malware detection technology. But the most important decision was to have enough resources and to test yourself to see if the methods of defense are working. That decision was not made. In fact resources were so scarce that when the malware alarm came in, the cyber workers did not check into it, thinking that it was not a high enough priority.

The workers were unaware of the constant danger they were in. And the malware stripping credit card numbers would have been apparent with a good testing program. At least test that the alert system worked, even if the employee management and resources did not.

At Michaels the focus is on sales so much that some simple managerial controls are not in place. The retail workers are focused on sales, not on security even a little bit. In my analysis this is a failure of management. Obviously if you take debit and credit cards at the cash register, one has to have a modicum of security. These are basic issues and not difficult. I can state this because no training was given to the users of the machines with regard to social engineering (the proof is in the actions).

In the last 5 years social engineering scams have multiplied, and this attack angle must be included in your training for employees.

Management has to drive this training!

Sony did not have cybersecurity on the mind.

[Figure: sony-hacked screenshot showing the leaked file locations]

So once the attackers started hacking their way in, they were able to steal all the data before destroying it. How do I know Sony did not have cybersecurity in mind?

Sony kept their passwords for many accounts (including Twitter accounts like @SonyPictures) in an unencrypted Excel file. This evidence became obvious once the full datasets were revealed for all to see (you can see the locations of the files in the picture above).

Which means that cybersecurity within Sony was an afterthought, as they broke every cybersecurity rule in the book. It is no wonder that the hack occurred and got as bad as it got.

The Sony destruction of data (after stealing hundreds of GB of data) and posting of the data online was unprecedented.

I hope that these examples of gross negligence will spur you into making the necessary adjustments. We need a new method of thinking of cybersecurity, with new projects and old.

[Figure: Risk-Security-TheRightWay diagram]

It should not be a Win-Lose decision.

Cybersecurity should not be the only item to worry about, with rewards lowered every time a risk is avoided.

Cybersecurity should be thought of as part of the regular business project lifecycle. Creating new software products? Creating new websites? Consider setting up security testing while the product is being developed, as it is much easier to make it secure while building the product.

Compliance should be a part of the thought process of building new products.

If you are now going to sell online, you can’t build security into the shopping cart after the fact. It has to be designed in while building the online store. Credit card compliance (PCI) requires regular testing.

You might as well get used to regular testing as you build the online store, as fixing any potential problems is cheaper from the beginning.

It is really common sense.

But let’s get back to the headline topic: “What Will It Take For Some to Pay More Attention to Cybersecurity?”

In my estimation everyone thinks about security a very small amount of the time, especially when some news story shakes this security thought into you. What if this very small amount of security thought actually had a method to be understood, or drove you to some action?

The problem with security is that it is never solved, and when misunderstood the uninformed can just ignore it – because it has not affected me yet, right?

One has to pay attention to it at least a little bit. We cannot resolve security once and for all, BUT it _can_ be reduced to a manageable level.

Let me ask you something… and hopefully you will answer this for yourself. Do you leave a key outside of your house? Do you live in a safe neighborhood?

If you leave a key outside of your house (just in case), do you place an arrow for others to find it?

ALL of us must understand that if you are connected to the Internet, then you are in a bad neighborhood. That’s the number 1 realization.

Number 2 realization: criminal hackers look at your computer programs as arrows to follow, to solve the riddle of taking control of your computers.

If you are connected to the Internet and do not shut down the basic attacks from criminal hackers, you will get hacked – it is only a matter of time. And the hacker will take every computer you have on the Internet and attack others, or just destroy your files (ransoming them).

Number 3 realization: everyone in the world is a potential attacker and a potential defender. If you have no defense… nothing good comes out of no defense. Sure, the first few hackers will take your key and arrows and place them elsewhere for a prank. But what about the criminal that copied your key and left it as it is? Now the criminal can case your house and come in whenever you are gone.

IF everyone starts to think like a criminal for a minute, then we will get somewhere.

Contact me to discuss this, to help you decide, to help make decision makers see the light, or to discuss other cybersecurity items.

1. http://oversitesentry.com/why-is-security-difficult-target-breach-analysis-2-yrs-later/
2. http://krebsonsecurity.com/2011/05/point-of-sale-skimmers-robbed-at-the-register/
3. http://oversitesentry.com/still-discussing-sony-but-why/