Saturday, March 15, 2014

Red Sky Weekly: Rising from the ashes

I just read the Business Week piece on Target. The thing that strikes me is this... most companies still don't understand (information) security. I realize that's a pretty broad statement. Let me explain.

On the physical side of security, my bet is that Target has eyes on every customer who walks through the door. Even if nobody is watching live, every customer and every action is probably recorded. There are probably algorithms that set off alarms when predetermined events take place. My bet is also that, should one of those alarms go off, some discreet investigator would hit the floor, follow the suspected thief, and probably stop them. If something more serious happened (bombing, armed robbery, kidnapping), the alarms go off and so do the gloves: predetermined, preplanned, rehearsed escalations.

My point is this. Many, many companies have yet to realize that the risk models of physical security apply equally well to information security. Target's organic physical security team is probably staffed on predetermined models of the various threats to big-box retail. The information security side apparently was not, even though the probability of being accessed on any given day is nearing (if it has not already hit) 100%, meaning a successful compromise is all but certain. The only question is, how bad is the breach? What were the attacker's motives? Was the hacker a kid stealing a pack of gum by the checkout counter? Or was the hacker set on stealing millions of credit card numbers, pulling off one of the largest heists in the news today on one of the most market-critical days of the year?

I haven't been to Target since before Black Friday. I buy my Fruit of the Looms elsewhere. I'm betting I'm not the only one. Why?

It's confidence.

When RSA was broken into, my (then) boss and I had many discussions on how it might play out. He thought customers would run screaming from RSA. My position was that RSA would probably suffer a temporary setback but find a way to recover. Although I have no empirical evidence, my guess is, and others in my circles seem to believe, that RSA is probably more secure today than it was three years ago. And with all other factors being equal (price, competitors, market choices, substitutes for RSA tokens, etc.), the idea is that the business that is RSA is probably stronger today than others in its class because they've lived through (and survived) their oh sh*t moment.

Survival becomes a real competitive differentiator, and Target today has exactly this same opportunity. 

BT BT

We're hosting our next threat day this week. There's a lot going on this week, so we're expecting a smaller crowd than usual, but that's fine. We're hosting the National Security Fellows from the Kennedy School on the 18th with our threat day on Wednesday. We will, as always, run a conference bridge and record the sessions. It's going to be small, but this should be a good one. 

In Red Sky Alliance this week we posted products on the Nuclear exploit kit, a new phishing campaign and, at a member's request, one of our interns' first fusion reports. First sighted in early June 2013, H-Worm is an obfuscated VBScript employed in both mass malware and targeted attacks on the energy, government, telecommunications, and manufacturing industries. The source code is widely available on Arabic hacking forums. The report describes the attack details and provides information on the H-Worm malware family.

In Wapack Labs, we've had some pretty amazing results with Allagash. Allagash gives us the ability to query via a web interface, or to load samples taken from requester networks (netflow data, various logs, registry key exports, system inventories, etc.) and diagnose happenings in a network very quickly. Our largest sample to date was nearly 4Tb and took us a little longer, but we're beefing up hardware as we speak to be able to handle these larger diagnostic requests. Interested in Allagash? Sign on to our Constant Contact list. We'll keep you informed. Interested in a diagnostic run? Drop us a note.

It's been a long two weeks on the road, so I'm going to keep this short. 

For those of you traveling to Boston this week, we look forward to seeing you!

Until next week,
Have a great weekend!
Jeff

1 comment:

Unknown said...

I think you would be surprised at the level of physical security in Target stores.

I worked for CVS. The only time there was regularly someone in the store specifically for security was at Christmas time. While the store detective was in the store, it was not a matter of whether he caught someone but how many he caught each and every day.

There were TV cameras. Sometimes the store manager monitored people inside the store and the cameras recorded thefts of cash at unattended sales counters. It helps a little, not a lot, unless you have someone watching all the time, like security employees at casinos.

When that store detective was not in the store–eleven months of the year–it was a rare day that an employee spotted theft. Employees are busy. They are stocking, registering sales, setting up displays, cleaning, and helping customers find what they came for. "Shrinkage" of inventory is a cost of doing business.

I had a different take on Target. Target seemed to be trying very hard to do the right thing. They laid out $1.6 million for FireEye. They had 300 people working in network security. They had an off-hours team in Bangalore minding the shop while everyone stateside was asleep. They had a security operations center (SOC). My impression is that all of that is beyond the norm in the retail sector–beyond the norm in a lot of business sectors, not just retail.

I did note criticisms of Target.

The attackers penetrated the network of a heating, ventilation, and air conditioning (HVAC) company who apparently had a contract to service Target stores and had some kind of access rights to Target's network–access to an extranet in Target's network, I suppose.

One criticism was that it should have been difficult to escalate privileges of a contractor to privileges in the sensitive point-of-sale (POS) system at Target.

Another criticism came from Jim Walter, director of threat intelligence operations at McAfee. He said the malware was "unsophisticated and uninteresting." He said Target should have caught on easily.

There were alarms from both FireEye and the plain old anti-virus system. Bangalore picked up on the alarms from FireEye and notified Target's SOC in Minneapolis, but apparently people in the SOC decided that there was nothing to worry about.

Bloomberg's Businessweek headline about Neiman Marcus made Neiman Marcus look like fools. "Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data."

Behind the headline, though, is the report that those alerts amounted to just one percent of all the alerts security analysts had to sort through at Neiman Marcus.

It's my belief that inside the SOC at Target analysts were facing this same signal-to-noise ratio.

While I believe the low signal-to-noise ratio is a big problem, I believe there's also plenty of opportunity to improve the organization, procedures, and guidelines in Target's SOC, and I would be taking a hard look at how attackers penetrated so deeply into Target's network that they reached Target's sensitive POS system. Of course, Target already has a forensics team, and those very things are sure to be at the top of the agenda of Target's new CIO.

Aside from the specific case of Target, though, the awful record of the retail sector shows you have a point. Businessweek reported a finding from Verizon Enterprise Solutions that, through their own monitoring, retailers only discover five percent of breaches.