The Emperor’s New CIO

By Patrick McCulley |

Introduction

This week’s topic expounds on the ideas and philosophy of last week’s column, and is the second in this series of articles about information security which are directed primarily at non-technical personnel. It is the author’s intent to communicate sound security concepts backed by real world examples of their successes and failures, educating and enabling others.

Shortcuts Lead to Pitfalls

Target initially claimed its recent data breach was so sophisticated that warning signs were missed and the intrusion could not reasonably have been prevented. Unfortunately for Target’s leadership, this does not appear to be the case. As reported by security researcher Brian Krebs, the intruders’ path into Target ran through Fazio Mechanical, a heating and refrigeration contractor with remote access to Target’s network. Fazio’s systems had been infected with Citadel, a password-stealing bot derived from the ZeuS banking trojan, which harvested the contractor’s login credentials for Target.

Krebs goes on to point out some seemingly obvious corners that were cut. Fazio Mechanical is said to have relied on the free version of Malwarebytes Anti-Malware, which lacks a real-time protection component and whose licence does not permit corporate use. Without real-time protection, the software only looks for malicious programs when a user explicitly runs a scan; it cannot catch a threat on its own as it arrives.

Had Fazio run one of the many anti-virus or anti-malware products designed for business use, with real-time scanning enabled, the infection would have been less likely to go unnoticed for so long, and it might well have been neutralised on arrival, denying the attackers the credentials they used to get in.

Bloomberg Businessweek conducted its own investigation of the breach and reported that the intruders’ malware was detected by the FireEye security system Target had installed in 2013 at a cost of $1.6 million (€1.15m). According to Bloomberg, FireEye’s alarms were tripped as the attackers staged their malware inside Target’s network, and Target’s security team did not act on them.

Cutting lots of corners in your Information Technology infrastructure might seem like a good way to increase your profit margin, but when those cuts are aggregated, they can result in catastrophic gaps in an otherwise sound security strategy.

Defense In Depth

When designing an effective security strategy, all layers of your organisation’s Information Technology infrastructure must be considered. From point-of-sale systems to company laptops, each area presents another potential group of vulnerabilities for attackers to exploit. The very systems and applications which add productivity and profitability to your workflow present threats to its uninterrupted operation.

Defense in Depth is a computer security strategy that involves implementing a defensive measure at each layer of your Information Technology infrastructure, whenever practical, so that the failure of any single control does not leave the organisation exposed.

Think about the layers of a corporation’s information technology infrastructure like a medieval castle. The castle has a moat, a drawbridge, an outer wall, an inner wall and an inner keep. Each layer of the castle has its own defenses, such as walls, archers, or infantry on the ground.

As the ruler of your castle, you could decide that the only necessary defensive measures were the moat and drawbridge, and laying off your archers and foot soldiers would significantly cut your operating costs. That works out in your favour until an invading army simply wades through the moat and attacks the castle proper, since you relieved yourself of other defensive measures months prior.

Defensive capabilities for Information Technology work the same way: individually, each can only do so much, but together they form a comprehensive strategy capable of dealing with even the most tenacious of attackers. The more hurdles attackers have to clear, the more likely they are to stumble and fall. Many of these defensive measures are already built into the hardware and software your organisation has purchased; they simply need to be configured properly.

Fortune Favors the Prepared Mind

“Have you observed to whom accidents happen? In the field of observation, chance favors the prepared mind.” – Louis Pasteur

Last week’s abrupt resignation of Target CIO Beth Jacob was not particularly surprising given the severity of the data breach; the details of Jacob’s background and experience, however, are alarming. Virtually every article published fails to mention that Target’s recently resigned CIO had no background in Information Technology. According to interviews, Jacob’s first experience with Information Technology came when she was appointed CIO of Target in 2008. For a corporation to appoint a CIO with no IT background is equivalent to appointing a CFO with no financial background. Equally worrisome is the news that Target is only now creating the position of Chief Information Security Officer (CISO). Prior to the data breach this position did not exist, despite the fact that in May 2013 Target was number 36 on the Fortune 500. A corporation so large, publicly held and with such a massive infrastructure did not take Information Security seriously enough to create a position for it, and was perfectly happy appointing a former sales associate as Chief Information Officer.

Before the digital age, the most technology or security the person in charge of a company’s information needed to worry about was the lock on a filing cabinet drawer. Computerisation and the adoption of the Internet as a core feature of the modern business model have changed everything: an organisation will be only as productive as its information technology foundation allows.

The Buck Stops With You

The importance of properly vetting the qualifications of personnel across your entire Information Technology infrastructure cannot be overstated. Skilled individuals are worth paying top dollar for; incompetent ones run the risk of destroying your organisation from within. When you appoint leaders unqualified for their position, they will not know when their subordinates are giving inappropriate or misleading answers. If the buck stops with your CIO, that person must display competent working knowledge of IT infrastructure best practices, and of how those practices can positively or negatively affect the long-term health of your organisation. Caution, skepticism, due diligence and thorough respect for industry-recognised best practices will go a long way towards protecting an organisation from serious security incidents.

If you sit on a board of directors and hear someone say, “I have an idea! Let’s promote our best salesperson to Chief Information Officer!” stop for a moment to ask: “What could possibly go wrong?”

Author’s note: This column quotes investigative information from Krebs on Security, used with permission.