We can all breathe a sigh of relief, especially any retailer that was holding off on investments in IT security. Their gamble has paid off. The US Secret Service has indicted the 11 individuals responsible for all of this century's hacks of retailers such as TJX companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DFW Inc. (well, maybe not all, but that is a partial list).
Seriously though, you have to admit it is surprising that so many of these attacks were carried out by one group of linked individuals. The original thinking of many, including myself, was that the retailers were lax, there was an open market for credit cards, and hackers were having a heyday. Now it turns out that a small band of cyber thieves, allegedly following the lead of a Secret Service informant (I know it is bizarre; I can't make this stuff up), just repeated their early success with one retailer to attack any other vulnerable retailer.
Lessons learned?
This last point is important. Ultimately, the only way to impact the rise of cybercrime is to catch the criminals and punish them. Just don't let this astounding coup on the part of the Secret Service be an excuse for more delays in securing your network.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
Websites were not compromised
It may be a bit ironic, but the customers that shopped on the e-commerce sites were not at risk or compromised. Due to superior controls on the various e-commerce sites and the limited number of entry points into the network via the internet, it appears that no e-commerce customer accounts were compromised.
It's unfortunate that this fact has been overshadowed by the sensational headlines. The internet security teams at many of these companies are separate from the retail divisions and thus should be commended for their diligent efforts to protect customers.
It's unfortunate that many of the controls used to protect e-commerce have not translated over to retail sales (i.e. IDS, application testing, encryption design & technology, multi-tiered architecture, annual penetration tests, vulnerability scans at layers 3, 4 and 7, sound information security policies, and qualified security personnel with the relevant experience and certifications).
Please save me the sales calls trying to sell me technology that will not patch management ignorance. Many of the security professionals do the best they can, even though they are often put in reporting lines that do not give them the proper level of political power or required exposure. It might even be said that some security professionals wrote internal memos to management warning of the EXACT breach that occurred, and management sat on that information, saying it wasn't cost effective to address.
I've already said enough; hopefully the truth will come out one day... Don't blame the information security professionals, blame management, and don't believe all the press releases you read - read between the lines. Websites are attacked thousands of times a week and are able to handle the bombardment. The retail stores were the weak links, and now attention needs to be focused on the weakest link.
If there is one good outcome of this, it will be bringing the proper attention to the role of the "qualified" information security professional, and showing that paranoia is sometimes real.
Best of luck to all.
A good reply but...
Nice reply and correct - if there were no security personnel involved in building the retail store systems, etc.
Now, security is not just technology; a security person who cannot get over the management problems is not really a professional. A security person takes it to whatever level, or even outside, to get things secured. I know, a big pain, and you may even get fired for telling the truth. This doesn't mean blindly executing security; business is a lot of risk management, so if the corporation is willing to take the risks, live with it (or leave) and document everything, which saves a lot of grief later.
In my mind IT could/should be a huge part of corporate security, but IT also has to learn to navigate the business empire; otherwise these things just keep happening.
Excellent points
Thanks for the great response. I agree, the executive management, especially at TJX, bears the brunt of the responsibility here. In my travels I continue to pick up tidbits on the inside story there. I will also continue to blog about what I find.
-Stiennon