On the face of it, the two biggest data breaches in recent times, involving Target and the National Security Agency (NSA), have absolutely nothing in common.
The attack on Target clearly had a profit motive—the perpetrators were after confidential information, and that’s exactly what they got. The company first admitted that financial information on 40 million consumers had been compromised. Then we were told that several kinds of personal information, such as home addresses and phone numbers, on 70 million customers had also been exposed. The fallout from this debacle will last a long time and spread far and wide, affecting not only the retailer and its customers but also the many financial services companies and other third parties involved.
Meanwhile, as far as we know, the NSA breach was focused entirely on security information. For obvious reasons the government agency at the center of the scandal has been loath to reveal just what kind of information was extracted, but we do know from published reports that it includes operational details on global surveillance programs, extensive wiretapping initiatives (including of elected leaders in countries that are ostensibly close allies of the U.S.) and data mining operations of companies in the private sector. Here, too, the fallout is wide, deep and long-lasting.
However, when we take a look within the infrastructure, we see the alarming trait they have in common. Both attacks built on insider access, and they perfectly represent the nature of threats confronting information infrastructures worldwide.
First, the NSA hack was clearly an inside job. The perpetrator was Edward Snowden, and he was very much ‘inside’ without even being an NSA employee. He was, in fact, a relatively low-level technical assistant with top-tier consulting firm Booz Allen Hamilton, which has many contracts with government agencies. Snowden was assigned to the NSA account as an infrastructure analyst, and he had been on the job for a few months when the breach became public.
Yet even from his relatively distant perch, he had virtually unlimited access to classified information. In his own words, he could extract information on the full rosters of NSA employees and programs, including undercover assets around the world. In that sense, what’s shocking is not just how big the damage is, but that it could have been far worse. Had he been so inclined, he could have sold the information for millions to interested parties in other countries, rather than leaking it to the media.
In the money-driven Target case, meanwhile, much of the attention has been focused not on a low-level employee but a low-tech piece of equipment—the card-swiping device attached to point-of-sale (POS) outlets in stores everywhere. Memory-scraping software embedded in the POS devices helped capture the information before it got encrypted.
But ultimately, it’s still about insider access. It appears that the hack began with the theft of a vendor’s credentials, which in turn enabled the perpetrators to gain access to the control point that distributes software to the retailer’s POS devices.
This is a perfect illustration of how some of the greatest risk lies in relatively insecure third-party privileges—even when, as was apparently the case here, the credential holders themselves had no criminal intent. Even more worrisome is the fact that this kind of access can be exploited over time without the company having any awareness of the problem.
It’s probably safe to assume that both the NSA and Target, as relatively well-funded leaders in their fields and guardians of confidential information, have devoted considerable resources to information security. And yet, with all those measures in place, it’s been reported that software used in both cases was cheap and widely available. The real problem, of course, is insider access.
It’s not as if everyone with these privileges is going to misuse the power. However, the few that do (and there have been several before) expose the vulnerability. And executives charged with managing information security and risk need to know that better options are available to prevent rogue operatives, from multi-tenant policy enforcement to role-based monitoring solutions.
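One way to put the role-based monitoring recommended above into practice, as an added example rather than anything from the original piece or from either organisation's environment: each third-party account is tied to a role, each role to the systems and hours it legitimately needs, and every access event is checked against that scope. The role names, account names, log format and sample log lines below are all constructed for the illustration; the point is that a vendor credential reaching a system outside its role (here, a software distribution server) is caught on the first event, and a quiet pattern of such events over days or weeks is surfaced per account rather than lost in the noise.

```python
"""Role-based monitoring of third-party (vendor) accounts over access logs.

Added example: role scopes, account names and log lines are constructed
for illustration and are not taken from any real environment.
"""
from collections import defaultdict
from datetime import datetime

# Assumed role scopes: the systems each third-party role may touch and the
# local hours during which it normally works (inclusive start, exclusive end).
ROLE_SCOPES = {
    "facilities-vendor": {"systems": {"bms-portal", "vendor-billing"}, "hours": (7, 19)},
    "pos-support": {"systems": {"pos-update-server", "pos-ticketing"}, "hours": (6, 22)},
}

# Assumed account-to-role mapping, as an identity system would supply it.
ACCOUNT_ROLES = {"vend-fac01": "facilities-vendor", "vend-pos02": "pos-support"}

# Constructed sample log: "<ISO timestamp> <account> <system> <action>" per line.
SAMPLE_LOG = """\
2013-11-15T08:12:05 vend-fac01 bms-portal login
2013-11-15T08:40:19 vend-fac01 bms-portal read-config
2013-11-16T02:03:44 vend-fac01 bms-portal login
2013-11-16T02:05:10 vend-fac01 pos-update-server login
2013-11-16T02:07:31 vend-fac01 pos-update-server push-package
2013-11-17T10:15:00 vend-pos02 pos-update-server push-package
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, account, system, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "system": system, "action": action}


def check_event(event):
    """Return the reasons this event falls outside its account's role scope
    (an empty list means the event is in scope)."""
    role = ACCOUNT_ROLES.get(event["account"])
    if role is None:
        return ["account has no assigned role"]
    scope = ROLE_SCOPES[role]
    reasons = []
    if event["system"] not in scope["systems"]:
        reasons.append(f"system {event['system']} outside role {role}")
    start, end = scope["hours"]
    if not (start <= event["ts"].hour < end):
        reasons.append(
            f"access at {event['ts'].hour:02d}:00 outside role hours {start:02d}-{end:02d}")
    return reasons


def find_violations(log_text):
    """Return every out-of-scope event as (account, timestamp, reasons)."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = check_event(event)
        if reasons:
            violations.append((event["account"], event["ts"].isoformat(), reasons))
    return violations


def accounts_to_review(log_text):
    """Count out-of-scope events per account, so that a slow pattern of
    misuse shows up even when each individual event looks minor."""
    counts = defaultdict(int)
    for account, _, _ in find_violations(log_text):
        counts[account] += 1
    return dict(counts)


if __name__ == "__main__":
    for account, ts, reasons in find_violations(SAMPLE_LOG):
        print(f"{ts} {account}: {'; '.join(reasons)}")
    print("accounts to review:", accounts_to_review(SAMPLE_LOG))
```

In the constructed log the facilities account's night-time logins to the POS update server produce two findings each (wrong system and wrong hours), while the POS support account's daytime package push is in scope and stays silent; the per-account tally is what an analyst would review, which is what the article means by monitoring third-party privileges rather than simply granting them.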
We have enough threats coming at us from the outside. We need to do a better job of containing those that lie within.