12/20/2013
11:21 AM

Tech Insight: 'Tis The Season To Be Hacked

Holiday and 'busy' seasons bring lax employee security practices and increased chances attacks will go unnoticed

It's that time of year again. Friends and family are searching for the perfect gift for their loved ones. Maybe even your awesome boss is buying you multitool collar stays or a USB-controlled missile launcher. The problem is that as many of us rush out to make purchases online or at a local retailer, criminals (or cybercriminals, if you prefer) are prepared to take advantage of the increase in business and the decrease in eyes keeping watch.

The Dec. 19 press release from retail giant Target is a perfect example. According to the press release, a breach of payment card information occurred between Nov. 27 and Dec. 15, just in time for a sharp peak in sales. Target's statement says that the breach has affected approximately 40 million credit and debit card accounts -- not the kind of stocking stuffer you want to receive around Christmas.

The Target breach highlights several problems that organizations face during particularly busy seasons and holidays. The first is that employees are more likely to circumvent security controls when they are extremely busy and feeling rushed. We've all seen this in retail stores, and it happened to me last weekend buying Christmas tree stands.

The scenario plays out like this: An item you're purchasing does not ring up with the discount as marked on the product display. The clerk calls a manager to get a price override, but the manager is too busy to come to the register and punch in his password. The manager gives his password to the clerk, and you get to continue on your merry way. More than likely, there is a policy about the manager giving out his password, but it is overlooked because everyone is busy. The clerk doesn't mind because he doesn't have angry customers waiting in line, and if he's dishonest, the password may be handy for giving himself or friends extra discounts.

Similar circumstances happen all the time with managers and their subordinates, no matter what business they're in. If it's a busy season, such as holiday sales, tax season, or opening weekend ticket sales, employees will quickly circumvent security controls (if they can) in order to forgo the inconvenience and get on with their work.

Another problem that occurs around busy seasons is a huge uptick in purchases, which results in a corresponding increase in logs and network traffic. Defenders tasked with monitoring and responding to incidents can be overwhelmed by the increase because now there are likely more logs -- orders of magnitude more -- they have to review. If the team responsible for this is understaffed, as many security teams are, then there are going to be incidents that get overlooked.

The fact that issues are overlooked is not necessarily the analyst's fault. He may simply be overwhelmed because there is a twentyfold increase in events to review, so he misses something because he isn't trained or experienced enough to handle the situation. Or there may be technical issues that present themselves under the excessive load on network monitoring sensors, the centralized logging system, and the SIEM responsible for correlating all the events. If not sized properly, any of those systems could fail to identify an event that needs further investigation and alert the analysts to it.

A similar issue arises from not having enough eyes watching the logs because of holiday breaks. This is particularly relevant as we enter the Christmas season, but it is true for many different cultures that may take up to an entire month off for a religious holiday or cultural celebration. Just as we see employees more likely to circumvent security controls, there are also plenty of cases where the defenders are less diligent due to time off or office celebrations.

For example, I've consulted with several groups that do not staff their offices during Christmas, but have their security team take turns reviewing logs during the holiday break. There is little chance that the analysis taking place is as focused as if the team member were sitting in their office during the middle of June.

Many of the issues above are problems centered on proper staffing, while some can be attributed to technical issues and human nature. It's critical that management and security teams know when these busy times are going to occur and plan accordingly with both technological and staff capacity. Attackers are more likely to focus on a business like Target when they know there's a higher likelihood of the attack going unnoticed while there's also an increase in information, such as credit card numbers, they can steal. As such, please plan accordingly ... and have a Merry Christmas.


Comments

LuciusD110, User Rank: Apprentice
1/2/2014 | 3:45:56 PM
re: Tech Insight: 'Tis The Season To Be Hacked
Security is supposed to be transparent to the user. If a work stoppage occurs due to an access problem then your security department has failed. If your security solution is manual intervention by non-security personnel then you should be fired.