What made the Target breach resonate so loudly among consumers and security professionals? It was certainly a big breach, but big breaches are not really anything new these days. Perhaps it was the brand-name element that brought it home – although we’ve seen plenty of brand names in trouble with data security – or maybe it was the nature of the breach itself, attacking the point-of-sale systems where the customers themselves actually interact, making this seem all the more personal. Whatever the reason, the Target breach felt like a watershed, as though finally a breach had occurred that would shake up the status quo.

It wasn’t and it didn’t.

A year later and we are still seeing breaches, and it’s clear that the retail market, like so many others, is under constant assault from well-organized and well-informed attackers.

While the technical details of the Target breach are interesting, it’s easy to get hung up on discussions around chip-and-pin, malware and network segmentation, and in the process lose sight of the broader trends that underlie this and other breaches.

First – the bad guys get in. Always. It doesn’t matter if it’s social engineering, phishing, or strolling in via your AC management system.  Sooner or later they find the weak spot and they exploit it – despite all of your best plans to keep them out. So it’s high time to start dealing with that basic truth.  Good security process and the right tools can slow them down, and maybe stop them for a while, but in the end, there’s always some system that’s not patched, some user that’s gullible or over-worked at the wrong time, or some contractor you didn’t watch closely enough.  Target learned this the hard way. Who would have guessed that an HVAC system could be a point of weakness?

Second – once they are in, you better figure out how to spot them. This is possibly the most baffling to people outside the industry. Surely, with all that money spent on security, the minute the attackers are in all kinds of alarms start going off, right? Well, kind of. In the case of the Target breach, like so many others, there *was* plenty of security technology in place, and yes, the alarms were apparently going off, but the problem was spotting which alarms they needed to respond to because they actually mean something.  Most security teams are overworked and spend their lives swamped by too much to do, with too many competing priorities, and as a result, spotting when the bad guys inevitably breach the defenses and start pillaging data is far from easy. 

The trick is to slow them down, and to make it easy to spot when something suspicious is happening on the inside.  If you can spot when someone, or something, starts to behave differently, then you have a much better chance of identifying when that someone is an attacker. This second lesson is a perennial problem and continues to lie at the root of many breaches. Even the most secure organizations in the world suffer from this problem, as people like Bradley Manning and Edward Snowden will attest. When someone, or something, goes bad – it changes, it behaves differently, and that change may be the first and only opportunity you’ll get to stop them in their tracks. So be ready to spot it.
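The two points above (too many alarms to triage, and "spot when something starts to behave differently") come together in one small defensive example, added here and not part of the original post. It compares each account only against its own recent history, so a big-but-steady job stays quiet while a small account that suddenly exports thousands of records rises to the top of the list. The account names, record counts and the six-day baseline window are all constructed for the example; nothing is data from the breach.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample activity, one row per (day, account, records exported).
# Accounts and counts are invented for this example; nothing here is data from
# the breach.
ACTIVITY = [
    ("day01", "pos-svc", 120), ("day02", "pos-svc", 125), ("day03", "pos-svc", 118),
    ("day04", "pos-svc", 131), ("day05", "pos-svc", 122), ("day06", "pos-svc", 127),
    ("day07", "pos-svc", 4900),                         # sudden bulk export
    ("day01", "hvac-vendor", 2), ("day02", "hvac-vendor", 3), ("day03", "hvac-vendor", 2),
    ("day04", "hvac-vendor", 2), ("day05", "hvac-vendor", 3), ("day06", "hvac-vendor", 2),
    ("day07", "hvac-vendor", 3),                        # same as always
    ("day01", "backup-job", 5000), ("day02", "backup-job", 5000), ("day03", "backup-job", 5000),
    ("day04", "backup-job", 5000), ("day05", "backup-job", 5000), ("day06", "backup-job", 5000),
    ("day07", "backup-job", 5000),                      # large, but identical every day
    ("day07", "new-contractor", 900),                   # no history at all
]

BASELINE_DAYS = 6    # earliest observations that define "normal" for an account
Z_THRESHOLD = 3.0    # standard deviations above baseline that count as a change
MIN_STDEV = 1.0      # floor so a perfectly flat baseline cannot divide by zero


def build_baselines(activity, baseline_days=BASELINE_DAYS):
    """Return ({account: (mean, stdev) or None}, {account: [(day, count), ...]}).

    An account with fewer than baseline_days observations gets None: there is
    nothing to compare it against yet.
    """
    per_account = defaultdict(list)
    for day, account, count in sorted(activity):
        per_account[account].append((day, count))
    baselines = {}
    for account, rows in per_account.items():
        history = [count for _, count in rows[:baseline_days]]
        if len(history) < baseline_days:
            baselines[account] = None
        else:
            baselines[account] = (mean(history), max(pstdev(history), MIN_STDEV))
    return baselines, dict(per_account)


def find_behaviour_changes(activity, baseline_days=BASELINE_DAYS,
                           z_threshold=Z_THRESHOLD):
    """Score every post-baseline observation against its own account's history.

    Returns a list of findings, highest z-score first, so the analyst sees the
    biggest departure from normal at the top rather than the largest raw number.
    """
    baselines, per_account = build_baselines(activity, baseline_days)
    findings = []
    for account, rows in per_account.items():
        base = baselines[account]
        if base is None:
            # A brand-new entity cannot be "different from itself"; surface it
            # separately so it is reviewed rather than silently ignored.
            day, count = rows[-1]
            findings.append({"account": account, "day": day, "value": count,
                             "z": None, "reason": "no_baseline"})
            continue
        avg, sd = base
        for day, count in rows[baseline_days:]:
            z = (count - avg) / sd
            if z >= z_threshold:
                findings.append({"account": account, "day": day, "value": count,
                                 "z": round(z, 1), "reason": "above_baseline"})
    # Scored findings first (largest z on top), then the unscored newcomers.
    findings.sort(key=lambda f: (f["z"] is None, -(f["z"] or 0), f["account"]))
    return findings


def flagged_accounts(activity):
    """Convenience: just the set of account names that need a look."""
    return {f["account"] for f in find_behaviour_changes(activity)}


if __name__ == "__main__":
    for f in find_behaviour_changes(ACTIVITY):
        print(f"{f['account']:<15} {f['day']}  value={f['value']:<6} "
              f"z={f['z']}  ({f['reason']})")
```

Run as-is, it reports only `pos-svc` (a huge departure from its own normal) and `new-contractor` (no history to judge against); `backup-job` moves far more data than either but never changes, and `hvac-vendor` stays within its usual noise. The standard-deviation floor matters: without it a perfectly flat baseline would divide by zero, or a one-record wobble would look like a thousand-sigma event.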

The final lesson is one that I hope we don’t have to learn – nature has a way of balancing things out. Get sick, and you build immunity to that disease.  Get injured, and scar tissue covers the wound. But in the case of a data breach, there is no such inherent balance, no earned immunity, no resistance. Hackers can and will continue to attack because there is money to be made and little risk.  One estimate put the value of the haul from Target alone at over $50 million.  That’s a good incentive for the bad guys to keep on trying. 

The only thing that we can do is collectively pick apart the mistakes, and try to not repeat them. The baseball player Vern Law was credited with saying that experience is a harsh teacher, because “first she gives the test, then she gives the lesson.” We need to learn the very important lesson that anyone can be breached, at any time, because we have collectively already failed the test.