Brian Krebs announced this week that Goodwill Industries’ third-party payment vendor, C&K Systems, Inc., has been blamed for credit card and debit card breaches at more than 330 Goodwill Industries locations nationwide. According to Krebs, C&K commented on the breach by saying “the intrusion lasted more than 18 months and also impacted at least two other organizations.” However, those two organizations have not yet been publicly identified.
Are You Surprised?
You may find this surprising… 18 months is a year and a half of attackers wandering around, looting sensitive data while remaining undetected. This is significantly worse than Mandiant’s 2014 M-Trends threat report, which reported that companies took an average of 229 days (about 8 months) to discover they’d been breached.
But personally, 18 months does not surprise me. I’m not a pessimist, but industry breach investigation data continues to prove that cyberattackers are winning. Our critical infrastructure is at risk on so many levels, and only people close to the industry really understand the scope and complexity of these threats. Unfortunately, the public hasn’t even begun to grasp the severity of this situation.
The Problem Is Much Worse Than It Seems
This quote from Krebs’ post is one with which I wholeheartedly agree:
“In an era when third-party vendors such as C&K Systems can go 18 months without detecting a break-in, it’s reasonable to assume that the problem is much worse than it seems.”
Although press coverage has been mostly about retail breaches and theft of credit and debit cardholder information, that’s just one industry sector.
I heard a prominent politician speak at a security conference very recently, saying that every US government agency has been breached by malicious outsiders. This is in addition to the huge impact and ongoing threat of insider breaches.
What About Critical Infrastructure?
I’ve read the tip-of-the-iceberg detail in what’s available from Congressional Committee Reports, NERC Compliance Audit Reports, the Department of Homeland Security (DHS) US Cyber Emergency Response Team (US-CERT) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Alerts, and other online sources, as well as some top security threat research.
They all indicate the grim likelihood that the most basic and foundational security practices and controls are simply not in place; this is especially true for the energy and utility sector. Many of our 16 critical infrastructure sectors could already be suffering from serious infiltration by cyber attackers and we just don’t know it yet.
At Least Let’s Fix The Basics
If we’re concerned about credit card data, fraud and identity theft today (and of course we are), imagine how concerned we may be tomorrow when (not if) serious disruptions to critical infrastructures are caused by attackers. Of course, critical infrastructure breaches could be enacted by a completely different group of threat actors, but many of the infiltration methods may be the same.
The good news is that proper use of the most basic and foundational security controls can dramatically reduce the likelihood and severity of these attacks, and certainly will slow down attacker progress.
Getting It Done
Regardless of what standard, compliance requirement, or security benchmark you look at – security fundamentals are identified by all as crucial for basic internet security. We just continue to fail at the basics – in every industry sector. As a starting point, it doesn’t take fancy, high-end complex and emerging security technology to slow down cyber attacks. However it does take discipline and focus on the foundational controls… and then getting it done.
For those interested in retail breaches, download a free sample chapter of “Hacking Point-of-Sale” by Slava Gomzin to learn about point-of-sale payment architectures and vulnerabilities.