Were the Home Depot and Target breaches the work of the same attackers? Only a few people seem to be in a position to know, and so far, they aren't telling. However, we can still learn a lot from the similarity of the incidents.
The two companies are clearly related: retailers doing very large numbers of relatively small credit card transactions. They aren't banks, so the classic Willie Sutton remark about robbing them because that's where the money is doesn't apply.
Classic criminology can be helpful here. Like any detective, it's worth thinking about motive, means, and opportunity. Motive hasn't changed much: it's easy to see why some people would steal money, so long as it's easy enough. Most of the time it's no longer about getting out of the building with heavy bags slung over the shoulder marked SWAG.
What about means? Those do change: new attack tools are continuously being developed, and are increasingly automated. This means that when an attack works once, it's likely to work again, and automation allows attackers to sit back and have computers hunt down any other victims who are vulnerable in the same way. These days, trawling with a dragnet seems to be the preferred means of fishing for many attackers: it's easy to catch a lot of fish this way, and it removes the trouble and expense of identifying targets in advance. Just automatically twist doorknobs, all across the Internet, and come back later to see which doors popped open, and what's behind them.
But the really big issue is opportunity. Here, I'm afraid the data speaks for itself: the rate of new breach reports has greatly increased in the last few years. It may not be that breaches have become more common; it may simply be that people are willing or required to admit it now. But it's certainly clear that attackers are able to land all kinds of shiny fish, without much difficulty, whether they are trawling with a planet-sized dragnet, or individually spearing a specific, tasty-looking big fish. Why is this?
When it comes to the third leg of the stool, opportunity, we've made it all too easy for attackers. I want to be clear: I'm not blaming over-worked and under-staffed security teams for this. The problem is deeper, and is more ingrained in the way we do business today.
We build extremely complex infrastructure, and we change it around very quickly, in the quite legitimate name of business agility. After all, our organizations exist to do business, not to operate with absolute assurance. Unfortunately, one of the laws of organizational physics is similar to cosmic physics: entropy happens. As we pile up complexity and make changes at speed, information is inevitably lost, including records of which assets serve which business purpose. This simple organizational point means that defenders are at a gross disadvantage compared to attackers: chaos plays to the advantage of the guy who only needs to find one way in, while the complexity makes the defensive job extremely hard.
Ironically, one of the better ways for IT operations to keep up (and I mean the application folks, not security) is to copy trusted designs that show a proven ability to keep cash registers ringing. The problem is that this leads directly to IT monoculture: the same tools and infrastructure used over and over. So we create a pretty compelling environment for would-be bad guys: we operate infrastructure we can't see or understand, and better yet, we copy it company to company. How do they respond? They copy the attacks, company to company.
How can security teams keep up under this pressure? It's tough. We can't control the motive or the means for attackers: we'll always be tempting targets if we're making money, and the means are outside our control. We have to focus on opportunity, but as noted, that comes from the double whammy of IT monoculture, plus the inability to keep up with mapping and understanding our defenses as things change.
Taking the first of those, it's not likely to fly with the CIO and CEO if we say our organization must use different tools from other companies; they understand the business imperative to ensure availability and uptime. So if we want to break down at least one of the triad of motive, means, or opportunity, we really only have one choice: operate our security defenses better than the next guy, by automating our discovery, mapping, and analytics capabilities. And if that sounds like the old adage that you don't have to outrun the bear, you just need to outrun your camping buddy, well, that's only funny because it's true!
Mike Lloyd is Chief Technology Officer of RedSeal Networks.