Lately, it seems not a day goes by without news of a security breach dominating the headlines. The Target breach last fall set off waves of copycat attacks that still, nearly a year later, are successfully infiltrating the networks of prominent retailers. Recently, we’ve seen the likes of P.F. Chang, Dairy Queen, and Minneapolis-based SUPERVALU join the ranks of hacked retailers.
I sat down with Rob Juncker to chat about these hacks and the unique challenges that companies in certain business like retailer and health care face in securing their environments. In addition to being the Vice President of R&D here at Shavlik, Rob also dabbles in white hat hacking.
Anne: Rob, the Target breach really got our attention as both consumers and as an industry. Now, nearly a year later, what do we know about the Target breach? How did it happen?
Rob: We know an external hacker managed to take control and infiltrate Target’s system by way of a very unsecure node that was allowed to operate on their network. This was a complicated attack because they infiltrated a node, jumped onto Target’s network, and then had ample time to search the network, to find vulnerabilities, and to infect machines.
They infected the machines by injecting BlackPOS. It located point of sale (POS) devices, looked for specific processes on those machines, stared into their memory, and tried to match data formatted in the same manner that credit card tracks are formatted. After it found credit card data, BlackPOS sent it out of Target’s network to a location where the hackers could grab it.
Anne: One thing that really stands out there is that they attacked a more or less forgotten node and not the data center. As an IT community, we invest so much of our energy into securing the data center, but from this example we see that isn’t enough.
Rob: Most people focus on securing the most important assets within their network. The entire Target hack happened on the least valuable parts of the network – a computer designed for remote diagnostics as well as POS’s which are typically the cheapest nodes and the cheapest OS’s. These hackers could have never gained access to Target’s core databases, but they didn’t have to. They simply attacked the nodes where the data is collected.
Anne: Do retailers face unique challenges in securing their IT infrastructure?
Rob: Retailers have incredibly complex environments – all of these terminals out on a WAN in all of these stores. Nobody in IT is hands-on because every store can’t have its own IT department, and the devices are running various OS’s that have various third-party applications resident on them. This makes for a perfect storm for retailers to be exploited. Health care providers have similar complexity when you think about all of the nodes spread out throughout a hospital or a clinic.
Anne: Here at Shavlik we are quick to share the figure that 75% of vulnerabilities exploited in the wild already have software updates (patches) available to fix them. How important is patch management in preventing these types of breaches?
Rob: If you aren’t properly patched, someone can use off-the-shelf scripts to get access to that network. The Target hack was a professional hack. They knew what they were doing. That was the first, but all of these others are simple variants of the same approach. This has gone from being the work of an experienced hacker to that of a script kiddie. It is now readily repeatable, and we have a population of hackers attacking every site they can find.
Patch management is an important piece of having a full security profile for your entire network. Exploiting a known vulnerability is step one of the process. If you can reduce the ease of doing that, hackers are likely to move on to someone else.
Anne: Most IT departments are disciplined about patching their data center servers with tools like Shavlik Protect and patching endpoint OS’s with tools like Microsoft System Center Configuration Manager (SCCM). Let’s assume the OS is up-to-date. Is that good enough?
Rob: No. Because they have POS’s running a Windows OS, it is guaranteed there are third-party applications running on those devices. It could be an embedded internet browser or an embedded PDF generator. Worse, it could be Java which is the most exploited third-party application.
The existence of third-party app’s isn’t a “maybe;” it is a “for sure.” CIO’s around the world should ask themselves, “It’s great the we patch Windows, but do we patch everything else?” If the answer is “no,” are you willing to bet your job on that decision?
Anne: Of course CIO’s don’t want to risk their jobs over something as simple as third-party app patching, but given the complexity of their networks, are IT departments for retailers faced with a lose/lose decision between knowingly remaining unsecure versus spending all of their time on patching?
Rob: For those companies who have SCCM, Shavlik Patch for Microsoft System Center makes the decision easy. With Shavlik Patch retailers can patch third-party applications from within SCCM in the same manner in which they patch the OS. They can also completely automate the process which means they can get into a “set and forget” mode for applying third-party updates. Third-party patching doesn’t have to be a difficult or arduous process. If it feels that way, Shavlik can help you out.
Patch management is critical, but it is just one piece of the security puzzle. In the next post in this series, Rob will dig deeper into the technical details of the Target hack, discuss how you can determine if BlackPOS already exists in your environment, and explain how you can cut off its communication lines if/when it finds its way into your network.
Also, if you’d like to join a discussion on this topic, Shavlik will be hosting a webinar on September 30.
Security Breaches Everywhere – Help your company stay out of the headlines
Tuesday, September 30, 2014 10:00 am CDT