When it comes to cloud computing, data security is the biggest fear factor. Several recent hacks against retail stores and banks only add fuel to the fire. The details of the massive hacks at Target and Home Depot appear eerily similar, which begs the question: Is IT really serious about data security? It's important to review the history of these attacks to avoid making the same mistakes. It's a sobering lesson on what can go wrong if the cloud security team isn't operating effectively.
The Target hack that compromised millions of customers' credit card information was the result of access to its network via an HVAC contractor monitoring store climate systems. Once the Target system was breached, the hackers uploaded a grabber program to mirror all payment data to an unused Target server. Hackers accessed the payment stream -- plump with holiday shoppers' information -- for two months. Target faces losses of approximately $400 million -- plus a great deal of customer trust. It cost both the CIO and CEO their jobs.
An intrusion detection package also used by the CIA, FireEye, detected the intrusion within a couple of days. The warning went to the company's security operations center (SOC) located in Bangladesh, but it was ignored. To make matters worse, the SOC ignored a second warning from the antivirus suite days later. The tragedy is that Target put the right cloud encryption tools in place, but failed with training and diligence in their SOC -- a lesson for all cloud admins.
Home Depot's problem is similar to Target's. It may even be the same black hat team, and senior-level heads will likely roll there, too. This type of vulnerability is pervasive in the retail space; studies suggest as many as 30% of enterprises are vulnerable to attacks, but that number increases to 97% in retail.
How can cloud admins prevent these attacks?
The key issue is to prevent third parties from getting access to a network shared with the payment system. Cloud admins should set up a virtual LAN or a completely separate network to protect payments from other operations. In the Target case, setting up a separate network would have kept the hackers out, given that the particular third party only needed to see the HVAC nodes.
Encrypt payment data at its source. Sending credit card data in the clear is an open invitation to theft, especially by logging attacks. It is critical to add encryption at networks' entry and exit points. This wouldn't have prevented the Target attack, which occurred in the card reader's code, but card reader encryption can be done in software.
The card reader vendors need to build in strong firewalls, especially against illegal code changes. This is becoming a real problem as both cheap readers and the Internet of Things begin to deploy. Some type of validation key for downloads to these remote devices is required, and this has to be unique to each system -- no more using "password" as a password. Code should also be encrypted in transit, raising the barrier to the cloud hackers trying insertion.
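As an added example (not from the article or any vendor's code), here is the kind of per-device validation check for code downloads that the paragraph calls for: each reader holds its own key, so a tag computed for one device is useless on any other. The key derivation, package layout and use of HMAC-SHA256 are assumptions standing in for whatever scheme a real vendor would deploy.

```python
"""Per-device validation of code downloads for remote card readers (illustration)."""
import hmac
import hashlib
import struct
from typing import Optional

# Constructed demo value; a real vendor key lives in an HSM, never in source.
MASTER_KEY = b"constructed-demo-master-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output length


def device_key(master: bytes, device_id: str) -> bytes:
    """Derive a key unique to one reader; HMAC(master, serial) is the assumed KDF.
    Provisioned once per device, so no shared default secret such as "password"."""
    return hmac.new(master, device_id.encode(), hashlib.sha256).digest()


def package(device_id: str, version: int, code: bytes) -> bytes:
    """Vendor side: build a download bound to one device (format is constructed):
    device_id || 0x00 || big-endian version || code || tag."""
    body = device_id.encode() + b"\x00" + struct.pack(">I", version) + code
    tag = hmac.new(device_key(MASTER_KEY, device_id), body, hashlib.sha256).digest()
    return body + tag


def verify(own_id: str, own_key: bytes, installed_version: int,
           blob: bytes) -> Optional[bytes]:
    """Reader side: return the code only if the blob is for this device,
    untampered, and newer than what is installed; otherwise None."""
    if len(blob) < TAG_LEN + 5:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(own_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    ident, _, rest = body.partition(b"\x00")
    if ident != own_id.encode() or len(rest) < 4:
        return None  # tag verified but addressed to another device
    version = struct.unpack(">I", rest[:4])[0]
    if version <= installed_version:
        return None  # reject rollback and replay of an old package
    return rest[4:]
```

A tampered body, a package built for a different reader, or a re-sent older version all fail verification before any code is applied.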
Security is often low on the totem pole because it's an expense, not a revenue generator, but the potential impact on a company's bottom line is the largest of any department. The SOC should be next to the CIO's office, and the CIO should be a regular visitor to keep the team on its toes. In the case of Target, there could have been too many false positives coming out of FireEye, and the remoteness of the operation meant there was not a strong sense of urgency.
The problem with stored cloud data
The issue of stored data needs attention. In the cloud, a hack attack that entered the main network could easily access, extract or alter key data in the system. In a sense, Target was lucky that the hackers wanted to do this unseen. If they had wanted to crash Target, they could have erased files and generally messed things up.
Stored cloud data encryption is the issue, and here ownership of encryption keys is a critical problem. Loose handling of the keys won't fly, nor will placing trust in the hands of the cloud service provider storing data. Cloud data is exposed anytime the key control goes outside the company.
Many of the preventive actions lie in the hands of the cloud admin team. Fixes need not be expensive -- setting passwords is not costly, and setting up a more complex network would likely have left $399 million of that $400 million loss on the bottom line. This is a chance for the admins to really make a difference. As Andy Grove once said, "Only the paranoid survive!"