Tuesday, September 30, 2008

Getting Hacked: Arrogance or Ignorance?

Hi readers, I read a fair number of blogs and occasionally find something I just feel compelled to pass along. This time though, I came across an article that was too interesting not to share, but that unfortunately highlighted (and I think this was unintentional) something that we [all of us] have badly overlooked.

First, the article. "News of Frauds" is a blog maintained by Piyush Sood. Yesterday he cross-posted an article from PCmag.com written originally by Corinne Iozzio on the most "mysterious" cyber-crimes of all time. While I may not agree with Corinne's assessment of the importance/mysteriousness of these crimes - I think she pointed out a little gem.

If you scroll down to the "Supermarket Security Breech" you'll notice an interesting quote.

"Chain reps and security experts are still unclear as to how the criminals gained access to the system; the 2005 T.J.Maxx breach took advantage of a vulnerability in the chain's wireless credit transfer system, but Hannaford and Sweetbay do not use wireless transfers of any sort."

This quote fascinated me instantly. Of course they may not have known about any wireless - that's kind of the point, isn't it? How many companies are willing to say, on the record, "no we do not have wireless" only to get hacked through some open access point hidden under someone's desk or in a conference room to 'share network access'? It's a sad commentary, I think.

Saying "we have no wireless" and actually having a policy that prohibits people from hooking up access points randomly are two entirely different things. Oddly enough, most companies simply say "we don't allow wireless" and then wonder how it is they could have possibly gotten hacked when their network is so air-tight.

I can't stress this enough. If you don't want something on your network - make a policy against it and be ready to enforce that policy. Otherwise... expect to be hacked. Or at least be ready to have to explain why you're not ready.


Anonymous said...

This is a good post and a drum that Airtight has been beating for a long time. Even if you do not have wireless deployed, you still have a wireless security problem. The only way to protect yourself is to have an automated system that can defend your network all the time and detect, classify, prevent and locate unauthorized access points. According to the most recent stories about TJ Maxx, the thieves sat on the Forever 21 network for four years without discovery.

Rafal Los said...

@anonymous: I have no issue with vendors posting comments that they can solve problem X... but please identify yourself (I'm guessing you work for Airtight Networks? - http://www.airtightnetworks.com/). Anyway - you have to understand that products are not 100% of the solution. Policy is the foundation and tools (such as yours) simply assist in automated enforcement/monitoring and general automation of something a human being can do.

It drives me absolutely up a wall when vendors come in and talk like their product du jour will solve whatever issue plagues a business. I'm not specifically calling anyone out (except the sales guy that showed up at GE Power a few years ago from TNT... what a chump). Policy, policy, awareness and process are what will drive change and security - tools simply help you get there faster. Anyway that's my $0.01999999. [/rant]