If I asked you how you would break into a bank vault, you might say that you would tunnel in underground from the sandwich shop next door. The sandwich shop has a lot less (if any) security, and a lot less risk of being caught. This technique also has the benefit of not setting off alarms, leaving criminals time to break into the safe deposit boxes in addition to stealing the gold bars and cash stacked haphazardly all over the vault. It's a technique we've all seen in myriad movies and cartoons, and it makes a lot of sense.
Today's cyber criminals watch the same movies and cartoons, and many of today's most prominent data breaches use strikingly similar techniques. Examples?
- JP Morgan - This bank spends BIG on security - $250M annually. So how did hackers break into such a fortress? Turns out, JP Morgan had an employee 5k/10k run, and had outsourced the logistics to a third-party event company. When employees went to sign up for the race, some percentage of them used their JP Morgan user names and passwords. At that point, all it took to get into the JP Morgan network was to hack the race coordinator, steal the passwords, and walk in through the front door, so to speak. Makes sense - why go up against a $250M security budget when you can go up against a $250 security budget?
- Target - In this case, as was widely reported, hackers got access to Target via malware on a computer that belonged to a third-party contractor hired to maintain Target's HVAC systems. That contractor's machines had access to the Target network and provided the foothold needed to do even more damage.
The lesson? You can spend whatever you want on security, but you don't directly control how your business partners spend. There has never been a more important time to start restricting access to only those networks and applications that are necessary to get the job done. Technologies like access control and data leakage prevention can help ensure that even when someone does get in, their access to sensitive corporate data is limited.
As many are now starting to understand, breaches are no longer a matter of if, but when. The best that enterprises can do is detect them early to limit the damage, and respond quickly and appropriately.