It’s now almost a year since Target admitted the loss of customer data following an extremely sophisticated hack.
Involving one of Target’s suppliers, a number of point of sale devices and a large number of customer records, the breach was one of the largest in recent history. Target bounced back and dealt with the damage astonishingly quickly but still incurred high damages.
Furthermore, although spending on security has risen by 7.9 per cent in recent years, security vulnerability exploits made by advanced persistent threats (APTs) are still worrying IT managers across the country – so what can be learnt from the Target problems, one year on?
Advanced threats like this often use multiple channels to find and exploit vulnerabilities in organisational cyber-infrastructure, blending physical, digital and social components to find and exploit gaps. This makes it essential for enterprises to mimic this and audit IT security infrastructure from both a technological and human perspective.
IT security managers are usually familiar with core security functions including firewalls, encryption and user authentication. Some organisations have already begun to automate key functions including patch management – although more still have yet to take this critical first step into automation. This in itself is worrying – many breaches happen when patches and vulnerability fixes are already available; to rely on manual patching is essentially playing Russian roulette with organisational security.
Furthermore, in today’s APT world, automating as much of this work as possible is not only recommended but necessary. However, if IT staff can move away from ‘keeping the lights on’ and monitor dashboards summarising security activity, they will be in a far better position to spot anomalous patterns of activity rather than being stuck in day-to-day work.
In addition, the sheer number of devices operating outside of the traditional IT infrastructure make managing and monitoring devices very difficult. In fact, Cisco statistics predict that by 2020 each user will have 6.58 devices.
Whether this includes retailers with employees working from tablets in store, or a media outlet with journalists regularly running and downloading from Dropbox, the number of non-traditional and potentially unsecured devices on networks is growing, creating new points of vulnerability.
Trying to cope with all of these devices on the network can be a headache, but by switching to a user- rather than device-centric model can help the IT department to do this effectively. Furthermore, by divorcing security from the user – for example, by keeping enterprise application data stored in the cloud, away from consumer-owned devices, and encrypted in transit – organisations can often avoid vulnerabilities entirely.
Finally, the Target breach raises an important point around supplier relations and security. Organisations must work together to ensure that they not only share common commercial goals, but also common security processes and standards. Bodies such as the PCI DSS (Payment Card Industry Data Security Standard) have led the way in offering a solid baseline for security, but this breach showed that there is often a need for a comprehensive security audit, not just within the four walls of the organisation, but across the supplier ecosystem.
Many organisations have already started to shift IT security strategies to increase the degree of automation across the IT estate and re-examine how they secure mobile and flexible workers. However, it is only by meshing these approaches, and audit not only the organisation’s own security perimeter, but also defining security process for close partners, that IT staff can match their approaches to those taken by hackers.
This will both increase the chances of spotting areas which APTs may exploit early – or indeed, securing them before they are exploited. Gaining complete visibility over the IT ecosystem is a lofty goal, but the Target breach demonstrated that protecting against hackers and ultimately safeguarding company reputation in the age of APTs requires a very comprehensive, fresh approach to security.
Peter Durrant is enterprise sales director for the UK at LANDESK