The daily drumbeat of data breaches imply security is the new black. The data breach at Target that exposed over 40 million consumer credit cards, debit cards and PINs. Then came the JP Morgan breach. Followed by the Home Depot breach. The list goes on. What’s clear is that enterprises must make a much more concerted effort to improve security.
How do organizations improve security? Let’s dig into the anatomy of these breaches. A common thread appears to be malware infection of a laptop or mobile device. A device gets infected outside the secure perimeter, and the malware lies low until the user re-enters the secure perimeter. For example, many enterprises provide fortified laptops and mobile devices to their employees.
When an employee takes the laptop on the go, the device is used in a variety of environments and could get infected or phished. When the employee returns to the office, the malware spreads rapidly to other devices. Once the malware installs itself, it may record every keystroke entered by the user, extract various login credentials and export them to command and control centers offshore.
In the Target breach, it now appears that the login credentials of its HVAC contractor was the initial vulnerability that was exploited. Most likely, a keystroke logger malware infected the contractor’s laptop and was able to obtain the credentials. Since Target had installed sophisticated intrusion detection/protection security systems on its networks, the infection likely occurred outside of the Target network. Once the login credentials were extracted, it was easy for the malware to spread inside the secure perimeter and export large quantities of sensitive data at will. Specifically, the malware infected POS terminals, reading credit card and payment card information directly from the main memory of the terminal. There were plenty of alarm bells from the intrusion detection system, but Target chose to ignore them.
The Home Depot breach shared many of the characteristics of the Target breach. Malware infected POS terminals to read payment information from main memory. The bad actor then aggregated the information and exfiltrated it without detection. Moreover, the malware attached itself to the anti-virus software installed on the POS terminal to evade detection. And in both cases, the POS terminals ran older versions of Microsoft Windows, making it particularly easy for malware to enter via infected laptops running the same operating system.
In short, hackers are exploiting laptops and mobile devices as key conduits for their malware. Legacy security architectures at financial institutions divide the world into “trusted devices” and “untrusted devices.” Trusted devices are given largely unfettered access to the network and are the easiest point of entry for malware. At almost every bank, a laptop issued by the bank with lots of security software installed is considered a “trusted device.” That laptop may leave the secure perimeter, roam the globe and return to the secure perimeter and still be treated as a “trusted device.” The trusted versus untrusted device approach was fine when viruses were easy to detect. But hackers have evolved – anti-virus software now detects less than 5 percent of all malware.
Organizations that deal with sensitive data must evolve their security architectures. Every user device must be viewed as untrusted and the focus must shift from securing devices and networks to securing the data. If all data access is subject to contextual-access control and anomaly detection, it becomes difficult for malware infections on laptops and mobile devices to download and export large quantities of data. For example, if a laptop suddenly starts downloading large quantities of sensitive data, it is most likely infected by malware that is replaying stolen login credentials to gain access to that data.