Why do retailers keep getting breached?

Every week it seems a new breach is announced, with a large batch of credit card or healthcare data showing up on the various criminal exchanges.  This erodes confidence in retailers and healthcare providers everywhere, as well as in the integrity of the PCI DSS.  Consumers and organizations are frustrated and want answers.

Why do retailers keep getting breached? Anitian sees five related problems in retail, and in healthcare as well, that continue to feed the negative news cycle.

Reason 1 – Poor Operational Security

Nearly all of the recent breaches are the result of attackers exploiting well-known vulnerabilities.  There are ample security controls, such as intrusion prevention systems (IPS) or web application firewalls (WAF), that can automatically detect, block, and report attacks against these well-known vulnerabilities.

However, these attacks succeed because many of these organizations fail to fully operationalize their security controls.  Target, for example, invested heavily in FireEye, a sophisticated and very capable malware detection tool.  Unfortunately, Target employees did not respond to the alerts FireEye reported, nor did they have any automatic protections in place.  As such, Target's investment in FireEye was essentially wasted.  The technology was never operationalized in a manner that actually protected the business.

This is an extremely prevalent problem, especially in complex environments.  The reasons for this are varied, but the most common excuses we encounter include:

  • Fear that the security controls will block legitimate traffic
  • Lack of understanding of how to implement the controls to provide automatic protections
  • Petty turf battles which inhibit security teams from properly deploying protection systems (see Reason 5, below, for more on this issue)
  • Vendors who misrepresent the ease of implementing the technology
  • Unwillingness of IT security people to “get their hands dirty” with the operational details of security controls

In almost every single breach reported, had defensive technologies been operationalized correctly, the organization could have quickly responded to the attack and likely blocked it from proliferating.

How security controls are implemented, managed, and monitored is profoundly more important than the actual technologies in use.  Organizations that cannot fully operationalize security controls are destined to get hacked.  This is why security leadership must make security operations a top priority. Operational security is more important than forensics or compliance, since it is the one thing that can really stop a breach before it ever happens.
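As an added illustration of what "operationalized" looks like in practice (this is example code written for this page, not Anitian's, Target's or FireEye's), the policy below consumes a batch of constructed malware alerts and turns the high-confidence ones into automatic containment, while directly addressing the first two excuses in the list above. A never-block list and a circuit breaker keep a misfiring signature from blocking legitimate traffic, and any alert left unacknowledged past an SLA is escalated rather than left to rot in a console. The alert fields, addresses, SLA and threshold values are all assumptions.

```python
"""Turning detection alerts into automatic, bounded containment.

Added illustration, not code from Anitian, Target or FireEye. Alert fields,
the never-block ranges, the SLA and the circuit-breaker limit are all
constructed assumptions; a real deployment would read alerts from the
detection tool's API and push actions to the firewall or NAC.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    alert_id: str
    observed_at: datetime
    severity: str        # "low", "medium" or "high"
    verdict: str         # "malware.<type>" verdicts are treated as high-confidence
    src_ip: str          # internal host that tripped the detection
    dst_ip: str          # destination the host contacted
    acknowledged: bool = False


# Assumed policy knobs. Addresses are RFC 1918 / RFC 5737 documentation ranges.
NEVER_BLOCK = [
    ip_network("10.0.0.0/8"),        # internal network
    ip_network("203.0.113.0/24"),    # e.g. payment processor: blocking it stops sales
]
ACK_SLA = timedelta(hours=4)         # unacknowledged longer than this -> escalate
MAX_AUTO_ACTIONS = 10                # more automatic changes than this in one batch -> hold and escalate


def is_protected(ip: str) -> bool:
    """True if policy forbids automatically blocking this address."""
    addr = ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def decide(alerts, now):
    """Map a batch of alerts to actions.

    Returns {"block": [dst...], "quarantine": [src...], "escalate": [(alert_id, reason)...]}.
    Only high-severity malware verdicts act automatically; everything else is a
    human decision. The circuit breaker stops a bad signature update from taking
    the network down by itself.
    """
    blocks, quarantines, escalations = set(), set(), []
    for a in alerts:
        if a.severity == "high" and a.verdict.startswith("malware."):
            quarantines.add(a.src_ip)            # isolate the infected host either way
            if is_protected(a.dst_ip):
                escalations.append((a.alert_id, "destination on never-block list"))
            else:
                blocks.add(a.dst_ip)
        if not a.acknowledged and now - a.observed_at > ACK_SLA:
            escalations.append((a.alert_id, "unacknowledged past SLA"))
    total = len(blocks) + len(quarantines)
    if total > MAX_AUTO_ACTIONS:
        escalations.append(("batch", f"{total} automatic actions exceeds circuit breaker"))
        blocks, quarantines = set(), set()
    return {"block": sorted(blocks), "quarantine": sorted(quarantines), "escalate": escalations}


NOW = datetime(2014, 9, 1, 12, 0)


def sample_batch():
    """Constructed alerts covering each branch of the policy."""
    return [
        Alert("A1", NOW - timedelta(minutes=30), "high", "malware.callback", "10.1.2.3", "198.51.100.7"),
        Alert("A2", NOW - timedelta(hours=5), "high", "malware.binary", "10.1.2.9", "203.0.113.5"),
        Alert("A3", NOW - timedelta(minutes=10), "medium", "suspicious.download", "10.1.5.5", "198.51.100.9", acknowledged=True),
        Alert("A4", NOW - timedelta(hours=6), "low", "suspicious.dns", "10.1.5.6", "198.51.100.10"),
    ]


def storm_batch():
    """Constructed alert storm, e.g. a bad signature update flagging every host."""
    return [
        Alert(f"S{i}", NOW - timedelta(minutes=1), "high", "malware.callback",
              f"10.1.9.{i}", f"198.51.100.{100 + i}")
        for i in range(8)
    ]


if __name__ == "__main__":
    for name, batch in (("normal", sample_batch()), ("storm", storm_batch())):
        print(name, decide(batch, NOW))
```

The design choice worth noting is that the automation is deliberately narrow: it only acts on the one alert class the detection tool is confident about, it refuses to touch destinations the business depends on, and it hands anything outside that envelope to a person with a reason attached. That is what makes the "it might block legitimate traffic" objection answerable rather than a reason to leave the tool in alert-only mode forever.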

Reason 2 – Attackers have a Natural Advantage

While good security operations can stop many attacks, there is a limit to their abilities.  This is partially because attackers have a natural advantage over defenders, an inherent weakness of defense: the defender must address all of the possible attack vectors, whereas the attacker can focus on successfully executing one, or a small subset, of them.

This single-mindedness gives attackers the upper hand regardless of the defenses in play.  Moreover, modern criminal attackers have a huge toolkit of malware and attacks to use.  Many of these tools are as sophisticated as they are easy to use.

However, this single-mindedness can also work in the defense's favor.  Most attackers are not going to go to extreme measures to get into a network.  Once they encounter resistance, they are likely to give up quickly and move on to the next target (or Home Depot).  This is why having automated defenses that can instantaneously block common attacks is so important.  In other words, your defenses do not need to be impenetrable; they just need to be good enough to persuade an attacker to move on to the next house on the block.  All too often security teams become distracted reacting to sensational or obscure hacking tactics, rather than focusing on sound operational practices to manage more mundane vulnerabilities.

Furthermore, while some attackers use zero-day and other extreme measures, those are the exception more than the rule.  Such extreme measures are often prohibitively expensive for an average credit card thief.  It is highly unlikely that the average hacker would invest months of effort to develop a sophisticated zero-day attack to bypass automated security protections just to get a few payment cards.  There are so many retailers with weak protections that attackers do not need to use zero-day attacks.

Reason 3 – Retail is Under Extreme Price Pressure

It is no mystery that the retail markets in North America are extremely competitive. Retailers operate on razor-thin margins. Consumers are fickle and will migrate to whatever retailer offers them the best prices. Online retailers are also putting additional pressure on traditional brick and mortar stores.

Retail executives are under extreme pressure to cut costs, reduce overhead, and keep prices low. Reducing overhead means less money for things like IT security.

Compounding this problem is the rising cost of IT security.  Security technologies are expensive, as are competent security people. There are a lot of open positions and a limited number of skilled people to fill them.

This is a classic “squeeze from the top and bottom” problem that affects commodity businesses. The cost of doing business is increasing, while the profit from each transaction is decreasing. The only way to combat this problem is to scale up the volume and scale down expenses. There is a limit to how much a retail business can scale up. However, there are always ways to scale down expenses. Cutting IT security is one of those ways. This issue precipitates the next reason why retailers are getting hacked.

Reason 4 – Checkbox Compliance Audits are the Norm

This blog has written about this issue before: The Failure of the PCI-DSS. The state of IT security auditing among retailers is pretty bad, particularly PCI compliance assessments. With increasing pressure to cut costs, retailers are rapidly seeking out security auditors who provide Checkbox Audits at cut-rate pricing.

Checkbox Audits are paperwork (or “portal work”) exercises. Security people fill out on-line forms and a remote, uninvolved “auditor” greenlights compliance with minimal review of security controls.

Some of the recent breaches have begun to shed light on this problem. Target's PCI assessor had a class-action lawsuit filed against it over its audit practices.

Our own experience as a PCI assessor provides ample evidence of this problem.  A while back, we had an engagement with a rather large retailer. After conducting a diligent technical assessment of the organization, we determined they were significantly non-compliant with PCI DSS. The organization lacked numerous basic controls and practices. When leadership learned of our assessment they chose to dismiss us and engage another QSA firm who willingly certified their compliance a few days later.

Checkbox auditors are so prevalent and so brazen that they promote their phony audits with euphemisms such as "compliance as a service" and "on-demand compliance."

Checkbox audits are more than cheating, they are dangerous. They convince people they are secure when they are not. Moreover, they reinforce the notion that lying, cheating, and cutting corners is an acceptable way to do business. When employees observe their management cutting corners and lying about compliance, they naturally stop caring about the business and its protection. This ultimately breeds lazy, incompetent, disengaged employees, which leads to the last reason in this article.

Reason 5 – Incompetent Leadership & the Excuse Cycle

Why solve a problem when an excuse gets rid of it? The Excuse Cycle is a pervasive problem at all levels of organizations. We see this cycle a lot among inexperienced or insecure IT people. This Excuse Cycle has many variations, but it follows this general pattern:

  1. Executive leadership has a task for IT (or security), such as protect the business from a breach.
  2. The IT people lack the experience, confidence, wherewithal and/or expertise to accomplish the task. This creates discomfort.  It exposes their inexperience and challenges them.
  3. Rather than accept the challenge, the IT people make excuses for why the improvements cannot be done or will cost an extraordinary amount of money. Excuses are easier to create than solutions.
  4. Executive leadership becomes frustrated with the IT people and their excuses.
  5. External vendors may pick up on this and over-promote technologies to solve the problem.
  6. The technologies add complexity to the problem, rather than simplifying it.
  7. While these groups are distracted fighting, complaining, pointing-fingers, and throwing petty tantrums, criminal organizations load up the environment with malware and exfiltrate sensitive data.
  8. The IT security team does not detect this, because they are too busy making excuses and protecting their turf.
  9. The breach causes a panic, which leads to panic buying, more excuse making, and return to item #1.

IT people (including IT security people) are their own worst enemies.  I have sat in meetings with security practitioners who devoted immense effort to discredit improvements and make excuses for a lack of security controls.  Had these people put even a fraction of their excuse-making effort into actually protecting systems, they would have stopped the attacks.

Bad leadership and excuse cycles are catastrophic vulnerabilities for IT departments.  When IT staff are allowed to wallow in excuses, finger-pointing, and blame, they not only become ineffective as IT people, they actually diminish the security of the entire organization.  If there is any one vulnerability that attackers can exploit with extreme ease, it is the laziness of internal IT staff and the poor leadership that allows that laziness to exist.

The solution to this problem is better leadership.  Organizations must establish clear and firm performance expectations.  IT departments need to be held to results, not effort metrics.  People who make excuses need to be terminated, quickly.  IT leaders need to take ownership for the security of their team and get in the game.  This blog has written on this topic as well in our recent article Qualities of Successful IT Security Leaders.

What is the Answer?

There are no easy answers for complex problems. The factors creating this environment are intricate and not likely to resolve themselves soon.  Probably the best thing that could happen is for the card brands to empower the PCI Security Standards Council to crack down on checkbox auditors.  At the very least, there should be mandatory quality assurance reviews of any QSA firm (and its auditors) whose client has had a breach.

The government has tried to intervene in this issue, but Washington is so profoundly dysfunctional these days that it cannot handle an issue of this magnitude and complexity.  Congress will hold hearings and invite long-winded, self-absorbed hucksters to Capitol Hill who will froth over criminals, hackers, and such.  The whole thing will be a massive waste of time leading to no substantive improvements.

If we sound cynical about this issue, it is because we are.  With 20 years of experience working in information security, this problem has only gotten worse.  The industry seems intractably resistant to taking the difficult steps to improve.

However, we believe the answer lies in leadership.  If the security industry starts building better security leaders, then we can stop the breaches.  Good leaders, who understand the realities of breaches, can build responsive, engaged, and accountable security teams.  Moreover, great security leaders would never tolerate a checkbox audit from some hard-selling huckster.

If we want to stop these breaches, we need to stop obsessing over hackers, stop blathering with vendors about their latest gadgets, stop the posturing, posing, and spinning, and start looking at the people who lead IT security teams.  These leaders either need to step up their game, and build high-performance security teams, or they need to step out of the way and let a new generation of leaders take control and take a stand against the attacks.