Attacks/Breaches
12/20/2013
11:21 AM

Tech Insight: 'Tis The Season To Be Hacked

Holiday and 'busy' seasons bring lax employee security practices and increased chances attacks will go unnoticed

It's that time of year again. Friends and family are searching for the perfect gift for their loved ones. Maybe even your awesome boss is buying you multitool collar stays or a USB-controlled missile launcher. The problem is that as many of us rush out to make purchases online or at a local retailer, attackers (or cybercriminals, if you prefer) are prepared to take advantage of the increase in business and the decrease in eyes keeping watch.

The Dec. 19 press release from retail giant Target is a perfect example. According to the press release, a breach of payment card information occurred between Nov. 27 and Dec. 15, just in time for a sharp peak in sales. Target's statement says that the breach has affected approximately 40 million credit and debit card accounts -- not the kind of stocking stuffer you want to receive around Christmas.

The Target breach highlights several problems that organizations face during particularly busy seasons and holidays. The first is that employees are more likely to circumvent security controls when they are extremely busy and feeling rushed. We've all seen this in retail stores, and it happened to me last weekend buying Christmas tree stands.

The scenario plays out like this: An item you're purchasing does not ring up with the discount as marked on the product display. The clerk calls a manager to get a price override, but the manager is too busy to come to the register and punch in his password. The manager gives his password to the clerk, and you get to continue on your merry way. More than likely, there is a policy about the manager giving out his password, but it is overlooked because everyone is busy. The clerk doesn't mind because he doesn't have angry customers waiting in line, and if he's dishonest, the password may be handy for giving himself or friends extra discounts.

Similar circumstances happen all the time with managers and their subordinates, no matter what business they're in. If it's a busy season, such as holiday sales, tax season, or opening weekend ticket sales, employees will quickly circumvent security controls (if they can) in order to forgo the inconvenience and get on with their work.
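The shared-password override described above leaves a trace that a defender can look for. The following is an added example, not part of the article: it runs two simple checks over a constructed point-of-sale audit log (the log format, register names and user names are all made up for illustration) to flag a manager credential approving at two registers within seconds and a clerk collecting an unusual number of overrides in one hour.

```python
from datetime import datetime, timedelta

# Constructed sample POS audit log (illustration only, not from the article).
# Fields: timestamp, register, event, clerk, approving manager credential.
SAMPLE_LOG = """\
2013-12-14T10:02:11 REG03 PRICE_OVERRIDE clerk=jsmith approver=mgr_adams
2013-12-14T10:02:40 REG07 PRICE_OVERRIDE clerk=rlee approver=mgr_adams
2013-12-14T10:15:05 REG03 PRICE_OVERRIDE clerk=jsmith approver=mgr_adams
2013-12-14T10:16:30 REG03 PRICE_OVERRIDE clerk=jsmith approver=mgr_adams
2013-12-14T10:17:02 REG03 PRICE_OVERRIDE clerk=jsmith approver=mgr_adams
2013-12-14T11:40:00 REG05 PRICE_OVERRIDE clerk=kwong approver=mgr_baker
"""


def parse_log(text):
    """Parse override events from the constructed log format, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "PRICE_OVERRIDE":
            continue  # ignore anything that is not an override record
        kv = dict(p.split("=", 1) for p in parts[3:])
        events.append({"ts": datetime.fromisoformat(parts[0]), "register": parts[1],
                       "clerk": kv["clerk"], "approver": kv["approver"]})
    return sorted(events, key=lambda e: e["ts"])


def find_shared_credentials(events, window=timedelta(seconds=60)):
    """Same manager credential at two registers within `window`: likely handed out."""
    hits, last_seen = [], {}
    for ev in events:
        prev = last_seen.get(ev["approver"])
        if prev and prev["register"] != ev["register"] and ev["ts"] - prev["ts"] <= window:
            hits.append((ev["approver"], prev["register"], ev["register"], ev["ts"]))
        last_seen[ev["approver"]] = ev
    return hits


def find_override_bursts(events, max_per_hour=3):
    """Flag clerks with more than `max_per_hour` overrides in any rolling hour."""
    stamps_by_clerk, flagged = {}, {}
    for ev in events:
        stamps_by_clerk.setdefault(ev["clerk"], []).append(ev["ts"])
    for clerk, stamps in stamps_by_clerk.items():
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= timedelta(hours=1))
            if count > max_per_hour:
                flagged[clerk] = max(flagged.get(clerk, 0), count)
    return flagged
```

Both thresholds are starting points to tune against a quiet month's baseline, since a genuine holiday rush will raise override counts for honest clerks too.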

Another problem that occurs around busy seasons is a huge uptick in purchases that results in a corresponding increase in logs and network traffic. Defenders tasked with monitoring and responding to incidents can be overwhelmed by the increase because now there are likely more logs -- magnitudes more -- they have to review. If the team responsible for this is understaffed, as many security teams are, then there are going to be incidents that get overlooked.

The fact that issues are overlooked is not necessarily the analyst's fault. He may simply be overwhelmed because there is a twentyfold increase in events to review, so he misses something because he's not trained or experienced enough to handle the situation. Or there may be technical issues that present themselves under the excessive load on network monitoring sensors, the centralized logging system, and the SIEM responsible for correlating all the events. If not sized properly, any of those systems could fail to identify an event that needs further investigation and alert the analysts to it.

A similar issue arises from not having enough eyes watching the logs because of holiday breaks. This is particularly relevant as we enter the Christmas season, but it holds true for many different cultures that may take up to an entire month off for a religious holiday or cultural celebration. Just as we see employees more likely to circumvent security controls, there are also plenty of cases where the defenders are less diligent due to time off or office celebrations.

For example, I've consulted with several groups that do not staff their offices during Christmas, but have their security team take turns reviewing logs during the holiday break. There is little chance that the analysis taking place is as focused as if the team member were sitting in their office during the middle of June.

Many of the issues above are problems centering on proper staffing, while some can be attributed to technical issues and human nature. It's critical that management and security teams know when these busy times are going to occur and plan accordingly with both technological and staff capacity. Attackers are more likely to focus on a business like Target when they know there's a higher likelihood of the attack going unnoticed while there's also an increase in information, such as credit card numbers, they can steal. As such, please plan accordingly ... and have a Merry Christmas.


Comments

LuciusD110, User Rank: Apprentice
1/2/2014 | 3:45:56 PM
re: Tech Insight: 'Tis The Season To Be Hacked
Security is supposed to be transparent to the user. If a work stoppage occurs due to an access problem then your security department has failed. If your security solution is manual intervention by non-security personnel then you should be fired.