Now that some of the dust has settled from the news that millions of credit card numbers were stolen from Target and Neiman Marcus, there are a few lessons that you can apply to your own organization. These lessons will help you protect your network from attack -- even if you aren’t a major retail chain.
- Small companies are targets too. You don’t have to be a major retailing chain to be a victim of a cyber theft. Criminals go after assets like customer credit card information, patient records and especially bank accounts. Anything you have that can be sold for cash is fair game. You may be a small business with just a few dozen employees, but on payday, your bank account is a tempting target.
- You won’t find intruders if you aren’t looking. Remember, the goal of these criminals is to remain undetected. There are probably other victims of these attacks besides Target and Neiman Marcus; they just don’t know it yet. Most victims don’t discover thefts until someone else, usually law enforcement, tells them. Even Target didn’t find the attack themselves: the credit card processing companies and banks did.
- Relying on antivirus software to protect you is a fatal mistake. Cyber criminals test their malware with all the major antivirus brands. They tune their malware until it is undetectable by antivirus. So when you download their malware, your antivirus software will tell you everything is OK. It isn’t.
- Regulatory compliance does not equal security. Target and Neiman Marcus were both PCI compliant. It didn’t help. Compliance has its place, of course, but merely following the rules is clearly not sufficient. Someone waggishly observed, “We’re not good at defending against cyber-thieves, but we’re very good at defending against auditors.” Target and Neiman Marcus may escape some liability because they were PCI compliant, but you can be sure this incident is costing them lots of time and money.
- Buying security products is no substitute for monitoring your network. Many companies think if they buy enough security products, they will be protected from attack. I’m sure Target spent lots of money on security products. The only way to reliably detect and stop intruders is to monitor your network, so you can spot unwanted activity.
- These attacks were preventable. Some people will throw up their hands and say, “If a big company like Target can’t stop attacks, what chance do I have?” The thieves that stole the credit card information were not evil geniuses or arch villains. They used common techniques, and the malware they used has been around for at least five years. A little common sense and a well-thought-out plan will prevent attacks like this.
- You can find these kinds of attacks and stop them -- if you know what to look for. This wasn’t a “smash and grab” theft. The thieves were disciplined and methodical. They knew what they wanted and planned their attack. The good news: they left lots of clues to what they were doing. You can detect and stop them in their tracks.
- Expect more attacks like these. The software and techniques the thieves used are being carefully studied and copied by lots of other criminals. Other thieves want to make money too, so they will try these same attacks on other companies.
Want to know more? Download my 10-minute network assessment to see how well you are protecting your company’s assets. It’s free, and it will show you if you’re prepared for future attacks.
Have more questions? Call me at 301-943-0173, and let’s make your organization more secure.
About me: Ronald Trunk, CCIE, CISSP, CPHIMS helps organizations protect their electronic assets from theft or unauthorized disclosure. Ronald Trunk designs, builds and deploys reliable, flexible, cost-effective networks. His goal is to improve security while allowing organizations to deploy new technologies that increase profits and allow them to better serve their customers.
Using his years of experience and expert internetworking knowledge, Ronald Trunk applies his network architectural experience to a wide variety of complex large-scale networks. His expertise includes wireless, remote access, data center virtualization and converged voice and video networks.
Ronald Trunk’s nationwide clients include healthcare providers, civilian and defense government agencies and high-tech manufacturers.