Tech Insight: 'Tis The Season To Be Hacked
Holiday and 'busy' seasons bring lax employee security practices and increased chances attacks will go unnoticed
It's that time of year again. Friends and family searching for the perfect gift for their loved ones. Maybe even your awesome boss buying you multitool collar stays or a USB-controlled missile launcher. The problem is that as many of us rush out to make purchases online or at a local retailer, attackers (or cybercriminals, if you prefer) are prepared to take advantage of the increase in business and decrease in eyes keeping watch.
The Dec. 19 press release from retail giant Target is a perfect example. According to the press release, a breach of payment card information occurred between Nov. 27 and Dec. 15, just in time for a sharp peak in sales. Target's statement says that the breach has affected approximately 40 million credit and debit card accounts -- not the kind of stocking stuffer you want to receive around Christmas.
The Target breach highlights several problems that organizations face during particularly busy seasons and holidays. The first is that employees are more likely to circumvent security controls when they are extremely busy and feeling rushed. We've all seen this in retail stores, and it happened to me last weekend buying Christmas tree stands.
The scenario plays out like this: An item you're purchasing does not ring up with the discount as marked on the product display. The clerk calls a manager to get a price override, but the manager is too busy to come to the register and punch in his password. The manager gives his password to the clerk, and you get to continue on your merry way. More than likely, there is a policy about the manager giving out his password, but it is overlooked because everyone is busy. The clerk doesn't mind because he doesn't have angry customers waiting in line, and if he's dishonest, the password may be handy for giving himself or friends extra discounts.
Similar circumstances happen all the time with managers and their subordinates, no matter what business they're in. If it's a busy season, such as holiday sales, tax season, or opening weekend ticket sales, employees will quickly circumvent security controls (if they can) in order to forgo the inconvenience and get on with their work.
Another problem that occurs around busy seasons is a huge uptick in purchases that results in a corresponding increase in logs and network traffic. Defenders tasked with monitoring and responding to incidents can be overwhelmed by the increase because now there are likely more logs -- magnitudes more -- they have to review. If the team responsible for this is understaffed, as are many security teams, then there are going to be incidents that get overlooked.
The fact that issues are overlooked is not necessarily the analyst's fault. He may simply be overwhelmed because there is a twentyfold increase in events to review, so he misses something because he's not trained or experienced to handle the situation. Or there may be technical issues that present themselves during the excessive load on network monitoring sensors, centralized logging system, and the SIEM responsible for correlating all the events. If not sized properly, any of those systems could fail to identify and alert the analysts of an event that needs further investigation.
A similar issue arises from not having enough eyes watching the logs because of holiday breaks. This is particularly relevant as we enter the Christmas season, but true for many different cultures that may take up to an entire month off for a religious holiday or cultural celebration. Just as we see employees more likely to circumvent security controls, there are also plenty of cases where the defenders are less diligent due to time off or office celebrations.
For example, I've consulted with several groups that do not staff their offices during Christmas, but have their security team take turns reviewing logs during the holiday break. There is little chance that the analysis taking place is as focused as if the team member were sitting in their office during the middle of June.
Many of the issues above are problems centering around proper staffing, while some can be attributed to technical issues and human nature. It's critical that management and security teams know when these busy times are going to occur and plan accordingly with both technological and staff capacity. Attackers are more likely to focus on a business like Target when they know there's a higher likelihood of the attack going unnoticed while there's also an increase in information, such as credit card numbers, they can steal. As such, please plan accordingly ... and have a Merry Christmas.