What Experian and T-Mobile Didn’t Learn from the Home Depot Breach

I read with great irritation last weekend of the Experian / T-Mobile hack.

I just bought a new iPhone from T-Mobile and as part of the lease process, they ran a credit check with Experian.


Immediate thoughts were of unauthorized credit card transactions, canceled cards. Identity theft. Inconvenience and the sense of violation from a “trusted” 3rd party, Experian.

Relief when I checked my email receipt from T-Mobile, dated September 18th, as the compromised data window ended on September 16th. But it could have been a couple of days earlier as I’d been thinking about switching from Android for a while.

I’m aware of the vulnerability of most companies as a result of my current work in security software. I track #databreach on Twitter and today, yet another brand-name company announced a breach and data loss.

I try to imagine what it would be like to be a board member, CXO or senior security executive in a public company and wake up in the morning to a voicemail from a 3rd party, informing me of a breach.

There is nowhere to hide once a breach occurs. Compliance with regulatory authorities provides no insurance from #databreach.

Lessons from Home Depot

The Home Depot data breach, outlined in this Krebs on Security article, is insightful and instructive for senior executives.

A quick refresher: In 2014, retail hardware giant Home Depot exposed 56 million customer debit and credit cards in a highly publicized breach. The source of the breach was malware, delivered via a partner’s PC after a successful phish. The attackers then used a Trojan to steal the VPN password. Once inside, they had easy access to internal systems, exploiting a weakness in MS Windows that was discovered after the hack.

The hackers gained unauthorized access and, eventually, full access to the Home Depot network. They went undetected inside Home Depot for months, watching, learning and waiting for the opportunity to exfiltrate data.

I have empathy for security professionals working in large and small companies. Cybercrime is big business — the perpetrators organized, determined, professional and patient.

From a security practitioner’s perspective, managing security is complex. The security vendor landscape is fragmented and noisy: hundreds of vendors pitch solutions for their piece of the puzzle. Meanwhile, every company is at risk from insider threats, even when it is in compliance. Security consulting firm Mandiant noted that 100% of the recent data breaches it investigated involved stolen credentials.

But it doesn’t have to be this way.

Business owners and executives can reduce the risk of data loss from an internal breach by protecting user identity.

12 Simple Rules to Protect Identity and Reduce Risk of #databreach

  1. Adopt continuous compliance policy.
  2. Enforce security best practices.
  3. Segment networks and restrict access to sensitive information on a need-to-know basis.
  4. Restrict privilege — executives and administrators only get credentials for the systems they maintain.
  5. Enforce a single source of identity: everyone logs in as themselves and cannot change identity.
  6. Enforce strong password policies.
  7. Install single sign-on systems and process to prevent stale, unused and reused password vulnerabilities.
  8. Adopt multi-factor authentication, with a user’s mobile phone as the second factor.
  9. Protect data on mobile devices using MDM policies that enable remote lock and wipe.
  10. Secure remote access for 3rd parties and business partners without using a VPN.
  11. Record, watch, audit and alert on privileged user sessions.
  12. Prevent shared-account administrator access to root and corporate systems, except in break-glass situations.

Determined professional hackers are innovative, sophisticated and patient. Former hacker turned celebrity consultant Frank Abagnale notes,

“There’s no master hacker…each [breach] happened because someone at that company did something they weren’t supposed to do.”

“Many banking corporations employ thousands of people, and that means at some point, someone may inadvertently open the door. So all the hackers do is sit and wait for it to open.”

Upgrading identity and access management to handle all user types and access points will reduce the risks caused by less-than-stellar administrators and careless end users at suppliers, partners and customers.

To learn more on Identity and Access Management, read the analyst report by Enterprise Strategy Group: Large Organizations Need a Unified Approach to IAM.