A Bad Security Attitude
The recent NYTimes.com article detailing anonymous former Home Depot security employees’ accounts of the company’s bad attitude toward security comes as no surprise. The article ends on its most important point: when former employees asked for new software and training, managers responded, “We sell hammers.”
That attitude is common, no matter the industry. If your company isn’t in the information technology business, it is easy to assume you are exempt from caring about, or investing in, the security technology needed to protect it.
But nearly every industry, including healthcare, retail, manufacturing and education, runs an IT environment and a company network of some kind. Being a brick-and-mortar store that sells physical tools is no excuse for handling customer data carelessly.
Accounts of their poor attitude and security hygiene include:
- They were running an outdated version of Symantec’s antivirus software from 2007
- No network monitoring to track which servers were speaking to registers
- No company-wide/regular vulnerability scans
- The security engineer who oversaw all security operations was fired and later sentenced to prison for disabling computers at a former workplace
Home Depot was also slow to adopt certain security practices, such as stronger encryption: a rollout that began in April was not completed until last week, after attackers had already been exfiltrating data for months.
Symantec’s own declaration in May of this year that “antivirus is dead” underscores how limited signature-based antivirus, including its own product, has become against current attackers. Brian Dye, the company’s senior vice president for information security, told the Wall Street Journal that antivirus now catches just 45 percent of cyberattacks. And as the WSJ reported in the second quarter of 2014, Symantec’s revenue had fallen over the preceding quarters, down at least 5 percent from the previous year.
If outdated security software is both ineffective at preventing major data breaches (an estimated 56 million stolen customer records in this case) and shrinking in revenue, the industry needs to do something different.
A layered security approach is advisable, but watch out for the “Expense in Depth” phenomenon: Forrester warns against piling on ineffective security products, which become unmanageable, go unpatched and ignored, and end up useless.
One place to start is hardening authentication with two-factor authentication, which stops a remote attacker armed only with primary credentials (a username and password). In the Target breach late last year, attackers used a contractor’s stolen credentials to get into Target’s network and steal 40 million credit and debit card numbers over the course of three weeks; a second factor on that login could have stopped them at the door.
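To make the point concrete, here is an added example (not code from the article, Home Depot, Target or any vendor) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226). The user record, salt, password and TOTP secret are constructed for the demo, and the timestamp is fixed so the results are reproducible. An attacker holding only the stolen username and password is denied, even when guessing the second factor, while the legitimate user with the code from their device gets in.

```python
"""Two-factor login check: password plus a TOTP code (RFC 6238).
Added example; the user record, salt and secret below are constructed
for illustration, not taken from any real system."""
import base64
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30  # seconds per code, the usual default

# Constructed demo user. In a real deployment the password hash comes from
# the user database and the TOTP secret from a secrets store; the secret
# is the RFC-style base32 demo value used by many TOTP tutorials.
USER_DB = {
    "contractor": {
        "salt": b"fixed-demo-salt",
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"Winter2014!", b"fixed-demo-salt", PBKDF2_ROUNDS),
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // step, digits)


def check_password(user: str, password: str) -> bool:
    rec = USER_DB.get(user)
    if rec is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", PBKDF2_ROUNDS)
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, rec["pw_hash"])


def check_totp(user: str, code, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    if not isinstance(code, str):
        return False
    secret = USER_DB[user]["totp_secret"]
    for delta in range(-window, window + 1):
        expected = totp(secret, at_time + delta * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: str, password: str, code, at_time: int) -> str:
    """Grant only when both factors verify. One generic 'denied' for every
    failure, so the response does not tell the attacker which factor failed."""
    if not check_password(user, password):
        return "denied"
    if not check_totp(user, code, at_time):
        return "denied"
    return "granted"


def demo() -> dict:
    """Replay the scenario: stolen credentials with and without the second factor."""
    t = 1_410_000_000  # fixed timestamp so the outcome is deterministic
    secret = USER_DB["contractor"]["totp_secret"]
    legit_code = totp(secret, t)
    # An attacker's guess, chosen outside the currently valid window so the
    # demo cannot succeed by a one-in-a-million fluke.
    valid_now = {totp(secret, t + d) for d in (-TOTP_STEP, 0, TOTP_STEP)}
    guessed = next(f"{i:06d}" for i in range(10 ** 6) if f"{i:06d}" not in valid_now)
    return {
        "stolen_creds_only": login("contractor", "Winter2014!", None, t),
        "stolen_creds_guessed_code": login("contractor", "Winter2014!", guessed, t),
        "wrong_password_right_code": login("contractor", "hunter2", legit_code, t),
        "both_factors": login("contractor", "Winter2014!", legit_code, t),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

Two design choices matter here. The password check runs the same PBKDF2 work whether or not the user exists, and the code check uses `hmac.compare_digest`, so neither timing nor the error message leaks which factor was wrong. The one-step drift window is a usability trade-off: it widens the set of valid codes from one to three, which is why the second factor is a complement to, not a replacement for, rate limiting on the login endpoint.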
But correcting a bad attitude toward security requires everyone to be on board, management included. That is where to start, before any technology is adopted.