The daily drumbeat of data breaches implies security is the new black. The data breach at Target exposed over 40M consumer credit cards, debit cards and PINs. Then the JP Morgan breach happened. And then the Home Depot breach. The list goes on. What’s clear is that enterprises must make a much more concerted effort to improve security.
How do organizations improve security? Let’s dig into the anatomy of these breaches. A common thread appears to be the infection of a laptop or mobile device. A device gets infected outside the secure perimeter, and the malware lies low until the user re-enters the secure perimeter. For example, many enterprises provide fortified laptops and mobile devices to their employees. When an employee takes the laptop on the go, the device is used in a variety of environments and could get infected or phished. When the employee returns to the office, the malware spreads rapidly to other devices. Once the malware installs itself, it may record every keystroke entered by the user, extract various login credentials, and export them to command and control centers offshore.
Featured Download: Social media access at work. Do your employees know the rules?
In the Target breach, it now appears that the login credentials of its HVAC contractor was the initial vulnerability that was exploited. Most likely, a keystroke logger malware infected the contractor’s laptop and was able to obtain the credentials. Since Target had installed sophisticated intrusion detection/protection security systems on its networks, the infection likely occurred outside of the Target network. Once the login credentials were extracted, it was easy for the malware to spread inside the secure perimeter and export large quantities of sensitive data at will. Specifically, the malware infected PoS terminals, reading credit card and payment card information directly from the main memory of the terminal. There were plenty of alarm bells from the intrusion detection system, but Target chose to ignore them.
The Home Depot breach shared many of the characteristics of the Target breach. Malware infected PoS terminals to read payment information from the main memory. The bad actor then aggregated the information and exfiltrated it without detection. Moreover, the malware attached itself to the anti-virus software installed on the PoS terminals in order to evade detection. And in both cases, the PoS terminals ran older versions of Microsoft Windows, making it particularly easy for malware to enter via infected laptops running the same operating system.
In short, hackers are exploiting laptops and mobile devices as key conduits for their malware. Legacy security architectures at financial institutions divide the world into “trusted devices” and “untrusted devices.” “Trusted devices” are given largely unfettered access to the network and are the easiest point of entry for malware. At almost every bank, a laptop issued by the bank with lots of security software installed is considered a “trusted device.” That laptop may leave the secure perimeter, roam the globe and return to the secure perimeter and still be treated as a “trusted device.” The trusted vs untrusted device approach was fine when viruses were easy to detect. But hackers have evolved – anti-virus software now detects less than 5% of all malware.
Organizations that deal with sensitive data must evolve their security architectures. Every user device must be viewed as untrusted and the focus must shift from securing devices and networks to securing the data. If all data access is subject to contextual-access control and anomaly detection, it becomes difficult for malware infections on laptops and mobile devices to download and export large quantities of data. For example, if a laptop suddenly starts downloading large quantities of sensitive data, it is most likely infected by malware that is replaying stolen login credentials to gain access to the data.
By Nat Kausik, CEO, Bitglass
Bio: Nat Kausik is CEO of Bitglass, a data security company that protects corporate data outside the firewall. He is responsible for the company’s strategy and operations. Nat has nearly 30 years experience leading companies, serving as an advisor, entrepreneur, technologist and educator.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.