Let’s say for a moment that I was a hacker and I wanted to gain access to information about a large corporation’s customer base. The path that lies in front of me is relatively clear: I want to find the easiest way to gain access to the information without arousing suspicion, and I want to penetrate the security around it in a manner that doesn’t implicate me if the breach should be identified. Simple enough, isn’t it?
Now that I’ve plotted the “how” of getting the information and defined the “what” I want to get, I turn my attention to the “where”: where do I go after the information? This is where the rubber meets the road when it comes to hacking, as hackers will always trend towards the most vulnerable vectors. On one hand, I can choose to attack the corporation head-on, but this path is extraordinarily risky. Truth be told, all of the larger organizations have teams of security professionals trained to shut down attack vectors before they can be exploited. On top of that, many of those organizations also deploy counter-cyberattack methodologies to go after people who attempt to exploit them, even if they were not successful in breaching the perimeter security. Why? To send a message. Simply put, “if you attack us, we’re coming after you.”
So you see, the approach above is risky, and the risk versus reward just doesn’t add up. Let’s talk about a different and safer approach. If all I want is information about the consumers, inclusive of their email addresses and perhaps some marketing data about them, there is an easier approach. Almost all of the larger organizations take their marketing information and share it with third-party organizations who provide activities such as lead nurturing or email marketing to their database. In most cases those third parties have an exact copy of the information that I care about: enough information for me to identify the customers the corporation has, and further information which would allow me to impersonate the corporation in a giant phishing attack. That would give me access at the least to the end customers’ passwords, or perhaps, if I pushed the boundaries, even more than that.
What’s interesting is that this approach is now becoming commonplace. After the Epsilon breach on March 30, 2011, I received about four emails from companies apologizing, but acknowledging that my information had been distributed. From Best Buy, TiVo, and Brookstone, I received their corporate apologies and a reminder that they would never send me an email asking for credit card information or usernames and passwords. That is an obvious attempt to thwart a potential phishing attack which probably looms in the months to come.
On to the concern…
Each of the emails I received from the corporations above specifically called out a breach in their marketing provider’s security. It was predictable that they would pin the blame on someone else, but also regrettable. Being in the business of securing devices and traffic, I can tell you that blaming Epsilon or organizations like it can only go so far. Who chose to use them? Who didn’t audit their security measures? Who thought it was OK to send them their customer information? The list of questions goes on and on, but seriously, to blame them exclusively for the breach is in poor form.
As a parallel to this argument, back in April we saw the largest widespread cloud outage to date with Amazon’s EC2 fabric failure. The unthinkable happened, and by the way, it will likely happen again at some point in the future. Most organizations did the same thing that we saw from the marketing hacks: “it’s THEIR fault” rang out across the Internet. Then, while searching the blogs, I saw the most honest post come from Heroku (acquired by Salesforce.com), where Heroku went on to state that “Heroku takes 100% of the responsibility for the downtime affecting our customers last week.” They even took the time to capitalize the entire sentence and bold it in white. Hooray Heroku, let’s all follow your example. We all need to take responsibility. We all need to own up for our service and data delivery regardless of our choice of platform.
So to that, I turn towards the corporations of the world that send their data off-premise. It’s still your data, and it’s still my personal data you are protecting. I hold you at fault if it gets compromised. It’s time for you to own the responsibility for the security of that information, and it’s time for you to turn towards your team of experts and enable them in the IT management process for that information. If you enable them, you’ll make sure you avoid being on the news some night.
Getting it right
What should organizations do that need to outsource that capability? First off, take the time to know who you are using and involve your IT department. I can tell you, after consulting on many of these breaches after the incident happened, that it was a game of “not it” played out in the corporate world. The IT department says the marketing department didn’t involve them in the choice of the vendor, and the marketing department says the IT department didn’t want to be involved in the choice. Okay, whatever the scenario is, getting the right people involved is key.
Secondly, organizations should engage their security professionals (or consult with some) to do an analysis of their partner. In many cases, marketing organizations in particular make rapid customizations to their assets, which leaves their pages more vulnerable to attack. Security professionals can use off-the-shelf tools to run vulnerability scans against the partner’s network and web pages (if applicable) to test for vectors that could be exploited. As a resource, I’d suggest an organization pay close and careful attention to OWASP (the Open Web Application Security Project), which categorizes and discusses many types of threats. Organizations should pay careful and close attention to its Top 10 threat list.
All joking aside, the scenario I painted today is real and a big threat to organizational data worldwide. Unfortunately, I can attest to the fact that some of the biggest exploits that went public were only the tip of the iceberg for what lies ahead. More organizations have been breached than have made the news, and I’m sure that more will unfortunately garner just as much, if not more, media attention in the future.
– Rob Juncker