In this article by Phil Lieberman, CEO of Lieberman Software Corporation, common security mistakes and recent attacks on retailers are discussed.
Common Credentials and the Recent Attacks of Retailers
Over the last few years I and other staff members of our company have been presenting a slide deck called "The Common Credentials Dilemma".
The slide deck outlines a series of scenarios we keep seeing in the field where companies set all of their machines/devices to the same password and also create password spreadsheets that are available on public shares. The deck also goes into a series of other scenarios such as not changing privileged account passwords after employees leave.
In the deck we also explore some of the scenarios that can occur when malware infects a company machine. Once malware is in place on a company machine, the attacker can install a keylogger to record the accounts and passwords typed, install one or more network scanners to look for additional resources (e.g. password spreadsheets, certificates, private keys), and run programs like Metasploit to find weaknesses in systems so that they can be taken over remotely.
Another weakness covered in our deck is the common use of factory default passwords in production. In the Target breach, one of the hackers' transcripts shows the common point of sale passwords they exposed, such as "micros", "pos", "123456" and others.
Another scenario described in the deck is the rainbow table attack, whereby the attacker exfiltrates the password hashes from the local machine and then looks for matches between the stolen hashes and hashes precomputed from clear-text candidates.
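As an added illustration of the weakness behind that scenario (example code written for this page, not taken from the deck or from Lieberman Software), the following Python models a stolen-hash lookup with a plain precomputed dictionary standing in for a rainbow table, then shows the standard mitigation: a per-record random salt plus a slow key-derivation function. The candidate list, iteration count and digests are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample of factory-default / weak passwords of the kind named in
# the Target transcripts ("micros", "pos", "123456"). Real candidate lists are
# far larger; the mechanics are the same.
WEAK_CANDIDATES: List[str] = ["micros", "pos", "123456", "password", "admin"]

# Assumed work factor for the hardened scheme (chosen for this example).
KDF_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Identical passwords always give
    identical digests, so a digest->password table can be precomputed once."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates: List[str]) -> Dict[str, str]:
    """Precompute digest -> clear text for every candidate. This is the
    defender's model of what a leak of unsalted hashes exposes."""
    return {unsalted_hash(p): p for p in candidates}


def recover_unsalted(leaked_digest: str, table: Dict[str, str]) -> Optional[str]:
    """A leaked unsalted digest is resolved by a single dictionary lookup."""
    return table.get(leaked_digest)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The hardened scheme: a fresh 16-byte random salt per stored record plus
    PBKDF2-HMAC-SHA256. The salt defeats any precomputed table (it would have
    to be rebuilt per record) and the iteration count makes each guess slow."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def precomputed_table_hits(table: Dict[str, str],
                           salted_records: List[Tuple[bytes, bytes]]) -> int:
    """Count how many salted records the unsalted lookup table resolves.
    Both digests are 32 bytes, so the comparison is well formed; because each
    record carries its own salt, the count is zero."""
    return sum(1 for _salt, d in salted_records if d.hex() in table)


if __name__ == "__main__":
    table = build_lookup_table(WEAK_CANDIDATES)
    leaked = unsalted_hash("micros")            # what an unsalted leak looks like
    print("unsalted leak resolves to:", recover_unsalted(leaked, table))

    records = [salted_hash(p) for p in WEAK_CANDIDATES]
    print("table hits against salted records:", precomputed_table_hits(table, records))
    salt, digest = records[0]
    print("salted verify of correct password:", verify_salted("micros", salt, digest))
```

The salt alone does not make a weak factory default safe: "micros" is still one guess away once the attacker targets a specific record, which is why the deck pairs this with unique, randomized credentials rather than relying on hashing.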
Lessons Learned From the Target Attack
We do regular CIO/CISO briefings all over the world and one of the common refrains from C-level execs working at retailers is that they have little interest or motivation for fixing the problems that nailed Target. Part of the lack of motivation is due to the naivety and gross incompetence of their auditors, followed by a lack of financial resources being provided by the CEO and CFO.
The other element of the Target breach that was interesting was that not all stores were breached. A subset of stores that were on different networks and had different credentials for access were apparently untouched.
In the report of remediation after the attack, try to guess what the first thing done by the "security experts" was. Yes, that is correct: change the passwords of their systems.
Preaching the Gospel
We have been preaching the use of fully automated password randomization of all end points for years and have developed technology to accomplish this at massive scale with little need for human labor. Had Target deployed our solutions, they would not have had this massive breach. Further, they could have deployed our solution to all stores in less than one day.
How Clueless are CEOs at Major Corporations?
Along the lines of gross negligence and amazing ignorance regarding IT security, I found this quote from the former CEO of Costco stating that they don’t have any significant security issues because they only accept AMEX cards.
Given that many of the credit card hacks were accomplished by installing memory scrapers in the point of sale terminals to capture the credit card details, and given that AMEX has just as many problems with credit card theft as its competitors, this statement from the former Costco CEO is irresponsible.
Shout Out to Our Competitor
One of the common questions potential customers ask us is how we are different from our competitors. We answer simply: our solution can be deployed and remediate most of your environment in less than one day, even if it is gigantic. How is this possible? We are the only vendor that provides end-to-end automation as well as continuous discovery and remediation.
Target decided to purchase our competitor’s offering. Our competitor took great delight in putting the Target logo on their presentation slides. We are not aware of what happened after the purchase, but it would appear that our competitor’s solution did not randomize the point of sale system credentials, nor did it manage the credentials of their servers since these too were compromised. Or so we surmise…
It will be interesting to see whether or not the forensic investigation will highlight why technology deployed to protect against such a breach failed to do its job. Maybe our competitor owes it to the industry to publicize why their system failed to protect privileged access to help avoid similar accidents in the future.
Maybe Target can explain why, having purchased technology to protect against this very thing, it didn't do its job. Just one more piece of shelfware? Maybe it wasn't the technology that failed but the company that failed to properly implement the technology - like an airline that doesn't carry out the manufacturer's recommendations. In any case, it is necessary to get to the bottom of this to protect our critical infrastructure and economy.
Theories of why our Competitor’s Solution Failed to Protect Target
In any cyber-warfare scenario, the goal is to capture as much of the infrastructure as possible as quickly as possible. The strategy is known as "land and expand". It is generally pretty easy to get a foothold in an environment using malware and from there, look for and exploit weaknesses in security.
Our technology is designed to operate like the attackers, doing continuous discovery of weaknesses. In the case of our product, we add the automatic remediation step to close the net immediately. We also make sure that each system has unique credentials, so that an attacker who lands malware on a machine can compromise at most that single machine.
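The checks the deck's scenarios call for (one password on every machine, factory defaults still in production) and the per-machine randomization described above can be sketched in a few functions. This Python is an added example written for this page; it is not Lieberman Software's product code, and the host names, passwords, default list and password alphabet are constructed for the example.

```python
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Constructed list of factory defaults of the kind the Target transcripts
# exposed for point of sale gear. A real audit would use a much larger list.
FACTORY_DEFAULTS = {"micros", "pos", "123456", "admin", "password"}

# Constructed inventory: hypothetical host -> local admin password, in the
# state the "same password everywhere" scenario leaves an estate in.
SAMPLE_INVENTORY: Dict[str, str] = {
    "pos-store01-lane1": "pos",
    "pos-store01-lane2": "pos",
    "pos-store02-lane1": "micros",
    "srv-store01": "Winter2013!",
    "srv-store02": "Winter2013!",
    "srv-hq-backup": "q8R!vLm2#ZpW4tHn",
}


def find_default_passwords(inventory: Dict[str, str],
                           defaults=FACTORY_DEFAULTS) -> List[str]:
    """Hosts whose credential is a known factory default (case-insensitive)."""
    return sorted(h for h, p in inventory.items() if p.lower() in defaults)


def find_shared_credentials(inventory: Dict[str, str]) -> List[List[str]]:
    """Groups of hosts that share one password. Any group larger than one
    means a single compromised machine hands over every host in the group."""
    groups = defaultdict(list)
    for host, pw in inventory.items():
        groups[pw].append(host)
    return sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)


def blast_radius(inventory: Dict[str, str], compromised_host: str) -> List[str]:
    """Hosts reachable with the credential taken from one compromised machine;
    with unique credentials this is just the compromised host itself."""
    pw = inventory[compromised_host]
    return sorted(h for h, p in inventory.items() if p == pw)


def generate_password(length: int = 24) -> str:
    """Random credential from a CSPRNG; alphabet chosen for this example."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def randomize_all(inventory: Dict[str, str], length: int = 24) -> Dict[str, str]:
    """Give every host its own random credential and return the new inventory.
    In a real deployment the value is pushed to the host and stored in a vault,
    never kept in a spreadsheet on a public share."""
    return {host: generate_password(length) for host in inventory}


if __name__ == "__main__":
    print("factory defaults in use:", find_default_passwords(SAMPLE_INVENTORY))
    print("shared credential groups:", find_shared_credentials(SAMPLE_INVENTORY))
    print("blast radius of one POS lane:", blast_radius(SAMPLE_INVENTORY, "pos-store01-lane1"))
    fixed = randomize_all(SAMPLE_INVENTORY)
    print("after randomization, shared groups:", find_shared_credentials(fixed))
    print("after randomization, blast radius:", blast_radius(fixed, "pos-store01-lane1"))
```

Run against the constructed inventory, the audit flags three lanes on defaults and two shared-credential groups; after randomization every blast radius collapses to one host, which is the property the paragraph above describes.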
Our competitor’s design requires humans to do interactive discovery, change imports, mapping and remediation as well as custom development. If organizations don’t have the budget to hire an army of workers to keep their solution fed and happy, the work does not get done. Our best guess (and it is a guess), is that our competitor’s solution was never fully deployed for a variety of reasons that are shared between the vendor and the client.
Our Mission
Our mission has been to take humans out of the security process and use automation to keep systems secure. Via automation, there is no reason to delay the deployment since human resources are not needed for remediation.
Although many analysts and customers would have you believe that privileged identity management is now a generic offering suitable for the lowest price decision, we strongly disagree. There are many generic secret vaulting solutions on the market that depend on humans to keep the vaults loaded and require armies of developers to write connectors for your environment. We believe these solutions are practically useless against real attackers and only serve to deceive auditors that you are "doing something". Without our full automation technology (which is not generic) you are easy pickings for criminals and nation states.
Ask Target how their analyst- and auditor-selected generic solution worked out for them. Then ask our customers who are secure and can prove total control. We charge more for our solutions because they provide real security and are designed to protect governments and the largest companies in the world.
I can only guess that our competitor is erasing Target from their reference account slides.