Charles Leaver – Now Is The Time For Security Paranoia As HVAC Breach Shows
Written by Charles Leaver, Ziften CEO
Whatever you do, do not underestimate cyber criminals. Even the most paranoid “regular” person would not expect a data breach to begin with credentials stolen from the company’s heating, ventilation and air conditioning (HVAC) contractor. Yet that is what happened at Target in November 2013. Attackers got into Target’s network using credentials issued to the contractor, presumably so it could monitor the HVAC system. (For a good analysis, see Krebs on Security.) From there the attackers were able to pivot, inject malware into point-of-sale (POS) systems, and exfiltrate payment card data.
A number of ludicrous errors were made here. Why was the HVAC contractor given access to the business network at all? Why wasn’t the HVAC system on a separate, fully isolated network? Why wasn’t the POS system on its own network? And so on.
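The segmentation those questions point at, shown as an added example rather than anything from the original post or from Target’s environment: a default-deny nftables forwarding policy in which the vendor’s remote-access segment can reach only the HVAC controllers, and the POS segment can reach only its payment gateway. Every interface name, address and port below is a hypothetical placeholder.

```nft
# Added example: default-deny segmentation between a vendor access VLAN, the HVAC
# controllers and the POS network. Interface names, addresses and ports are
# hypothetical placeholders, not taken from the Target incident.
table inet segmentation {
    set hvac_controllers {
        type ipv4_addr
        elements = { 10.20.0.10, 10.20.0.11 }   # hypothetical controller addresses
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Let replies to permitted flows through; drop anything conntrack can't classify
        ct state established,related accept
        ct state invalid drop

        # The vendor's remote-access segment reaches only the HVAC controllers,
        # and only on the controllers' management port (443 assumed here).
        iifname "vlan-vendor" oifname "vlan-hvac" ip daddr @hvac_controllers tcp dport 443 accept

        # POS terminals talk only to the payment gateway (203.0.113.10 is a
        # documentation-range placeholder), never to the vendor or HVAC segments.
        iifname "vlan-pos" oifname "vlan-wan" ip daddr 203.0.113.10 tcp dport 443 accept

        # Everything else crossing a segment boundary is counted, logged and dropped,
        # so a vendor account probing for POS hosts shows up in the logs.
        log prefix "segmentation-drop " counter drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The property that matters is that the chain’s default is drop and each accept names a source segment, a destination set and a port, so a stolen vendor credential used from vlan-vendor has no route to anything on vlan-pos, and the attempt is logged rather than silently succeeding.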
The point is that in a genuinely complex network there are uncounted potential vulnerabilities that can be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.
Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s office. Security professionals aren’t “regular” people; they are hired to be paranoid. Make no mistake: whatever the specific technical vulnerability that was exploited, this was a failure of the CISO’s office to anticipate the worst and prepare accordingly.
I can’t speak to the Target HVAC breach specifically, but there is one overwhelming reason that breaches like this happen: a lack of financial priority for cybersecurity. I’m not sure how often businesses fail to fund security simply because they are cheap and would rather do a share buyback. Or perhaps the CISO is too timid to ask for what is needed, or has been told that she gets a 5% increase regardless of the need. Perhaps the CEO is worried that disclosing large allocations for security will alarm shareholders. Perhaps the CEO is simply naïve enough to believe that the enterprise won’t be targeted by hackers. The problem: every organization is targeted by hackers.
There are big fights over budgets. The IT department wants to fund upgrades and improvements, and to attack the backlog of demand for new and improved applications. On its side, IT has the line-of-business leaders, who see IT projects as directly helping the bottom line. They are optimists, and they have lots of CEO attention.
By contrast, the security department too often has to fight for crumbs. It is seen as a cost center. Security lowers business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That doesn’t make friends, and budget dollars are allocated grudgingly at most companies (until the company gets burned).
Call it naivety, call it institutional hostility, but it’s a real problem. You cannot have IT given excellent tools to drive the business forward while security is starved and making do with second best.
Worse, you don’t want to end up in a situation where the rightfully paranoid security teams are working with tools that don’t mesh well with their IT counterparts’ tools.
If IT and security tools don’t mesh well, IT may not be able to act quickly on the dangerous situations the security team is monitoring or worried about: things like threat intelligence reports, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that indicates risky or suspicious activity.
One idea: find tools for both departments that are designed with both IT and security in mind from the start, rather than IT tools patched to offer some minimal security capability. One budget item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO’s team. Everybody wins, and the next time someone wants to give the HVAC contractor access to the network, perhaps security will notice what IT is doing and head that disaster off at the pass.