I repeat my comment from the last article on this subject:
And this is why we will always have this sort of problem. Companies, generally just don't want to spend money for security proactively.
Home Depot is facing claims it ignored security warnings from staff, who say prior to its loss of 56 million credit cards, it failed to update anti virus since 2007, did not consistently monitor its network for signs of attack, and failed to properly audit its eventually-hacked payment terminals. The fixer-upper retail giant …
It's an interesting twist that the security bods have taken a pre-emptive strike and laid blame on the management for preventing them doing their jobs.
It's not going to be so easy for them to close rank now the mess has been put all on them.
Yeah, it is going to be easy for them to close ranks because that's absolutely true. It goes all the way up to the VP level. Sr. Director of IT Security Jeff Mitchell (no relation to the felon), the defacto CISO of the company, is the one who told us that "we sell hammers." The security staff had been on him and everybody we could get our hands on almost every day to fix their shit. Obviously nobody listened.
No. That's just how the blame game works.
An interesting twist would have been those same "security bods" going to media outlets, twitter, etc to tell the world how HomeDepot was a ticking time bomb and was not interested in fixing it.
I would like to see any legal action resulting in the removal of the executives who made the decisions rather than just a fine which will likely result in front line staff (who weren't at fault for the breach) being fired to 'make economies'.
"We don't understand or care about all that 'security' jibber-jabber, so how important can it be?"
Well, in 2012 Home Depot's CIO, one Matt Carey, was paid around $3.5m, comfortably making the top ten of highest paid CIOs according to WSJ. I would suggest that the company and its owners were paying for a premium IT service, and if anybody is to blame for this it is is not reluctant chief execs or sales directors, it is the Home Deport CIO and his team.
It is the CIO's job to articulate the costs and risks and technical threats that face the firm, to place that in clear, easy to understand language for non-IT literate managers, to be situationally aware and to prioritise threats, and to shepherd the board to make the right decisions. That's what the "C" means on his job title, and that's why he's paid millions. Too bad the boy wasn't up to it. It is possible to blame the board's audit, nominations and leadership development comittees, for Carey's appointment, continued employment, and the failures of audit that are implicit. These committees are entirely composed of Home Depot's non-executives (who on their performance here might be judged to be the same ineffectual "gentlemen's club" rent-a-non-exec types found the world over).
I believe Carey is still in post, and he's been CIO since 2008, so the buck stops with him and his team. In my humble opinion he and selected senior managers should be fired immediately with prejudice and without compensation, and the non-execs should be cleared out like the contents of the Augean stables.
It would be a salutory lesson if the card issuers withdrew the capability for Home Depot to use their cards. Until there is really hard action like this then the 'we sell hammers' brigade will continue letting their customers down. Yes the CIO is responsible but the CEO needs to know that what the CIO is doing or not doing is potentially a company killer, that way they won't sit with glazed over eyes waiting for coffee during a briefing from the CIO.
I once didn't protect gamer accounts ("only..."). I also have a bunch of accounts that got hacked and places where I couldn't game again using the same e-mail address. No, I don't break the cardinal rule; I use singular passwords. Sure, that means one letter or less--or else one per site, and complicated.
There's a whole lot of things we're not being told. Did the CIO know? Or didn't the warnings get that high? Were the warnings in ExecSpeak instead of TechSpeak? Is there a paper trail? Otherwise some middle IT manager is about to have a world of corporate hurt rain down on him.
And yeah... profits are the bottom line and holding costs down. If the execs can deny it, like I said, some middle-level guy is about to get hammered.
The Catch-22 to all this is that there is a built in scapegoat. Ricky Joe, convicted felon, working in security.
"Did the CIO know? Or didn't the warnings get that high?"
Doesn't matter. It is the CIO's job to know, to make sure he's got people with their ears to the ground, and who in turn listen to their juniors. So if he did know he's at fault for not fixing it, if he didn't know then he's at fault for both not knowing and not fixing it. If his staff did it wantonly, then he's on the hook for hiring them and not supervising them.... there is no way out.
In corporate gibberish, the CIO is both "responsible" and "accountable", which means there's no place to hide.
you can bet your bottom dollar that if there was the possibility of being dragged through court and being jailed for these things, they'd pretty quickly set up a system of working practices that protected them like Supermarkets do with age checks on sales of drinks and cigarettes...
Documentary evidence of procedures and evidence of those procedures being followed so that they can hang someone out to dry for not following them...
What is this "accountability" that you refer to ?
I understand "responsible", it means a CxO gets a big paycheck. But "accountable" ? Nobody has ever held a CxO accountable for anything since before Y2K.
As for the "there is no way out", that is plain wishful thinking. Of course there is a way out : it's called a Golden Parachute.
I will now hang back up my cynical hat and retire for the evening with a glass of single malt.
"Nobody has ever held a CxO accountable for anything since before Y2K."
Tell that to Beth Jacobs, who left Target in disgrace after their data breach. And a rather dated, but still interesting link:
With "no way out" I simply meant "no way of avoiding the blame". But I take your point that once you get to the boardroom, rewards for success are accompanied by rewards for mediocrity and for failure.
And of course, if that's a single malt you're poised to enjoy, it's just as well to hang up your cynical hat since this will avoid coming to the conclusion that you're drinking a mere ingredient of what might otherwise have been an enjoyable blend.
Or maybe Ricky Joe just told some cell-mates just how easy it would be.... to avoid being passed around.
Regardless, the C-people running the hammer store should really be tarred and feathered, assuming half of these stories are true. I have a sinking feeling that the stories are true.
"Did the CIO know?"
It's the CIO's job to know about things like this. Specifically he should know who his company has contracts with, what they cost, etc. If he didn't then he is too dumb to continue in a job at that level. If he did, but did nothing about it, then he is too dumb to continue in a job at that level....
Point is: Incompetence indicated either way so his head should roll.
I propose a business which has a breach resulting in the theft of one million cards or more receive a ban on acceptance of cards, credit or debit, for 30 days. Lesser numbers of cards would result in a lesser ban. This would guarantee the security of card processing by making a breach to horrible to even contemplate for a business vs the current standard of issue an apology, blame hackers and pay extra money to the advertisers.
"I propose a business which has a breach resulting in the theft of one million cards or more receive a ban on acceptance of cards, credit or debit, for 30 days. Lesser numbers of cards would result in a lesser ban. T"
Personally I like this. Butlikely to make businesses even less likely report a breach.
"make the penalty so bad that firms are FORCED to have good security or go out of business"
Nope. That means that the firm takes the hit not the management. If the firm goes down, well qualified experienced managers will quickly find another job even if they were at fault. It's easy when a firm collapses to ensure any personal blame is hidden.
But who does take the hit if the firm goes down: ordinary employees, suppliers and unsecured creditors, and the owners, who are mostly secondary market passive stock investors like pension funds, insurers and the like. Is that a good outcome?
A partial solution is to make directors and officers personally liable for data security, including a change to the law to make them liable for breaches, and to impose a duty of responsibility to know what the security status of the firm is (ie close off the "we didn't know" excuse). A bit of jail time would be far more of a deterrent than a corporate penalty, particularly after a few golf club friends have been hauled off to the big house.
This might be a somewhat unpopular opinion but at the end of it all, it's a business decision. I agree with Mark 85 - there is going to be a political fight over who to blame and if there isn't a solid paper trail showing the security department made all the right noises (and it sounds like they did) the blame can be laid on some security staff (right or wrong).
It's time security folks joined the rest of the IT world in a thorough understanding that they need to justify what they do. Simply telling businesses "you need to spend this money to get this new thing" will never elicit the desired response from a security perspective. I remember mainframe and VMS operators about 15 years ago tellling businesses they "needed another million" and being surprised to be asked why. Ho hum, the wheel turns.
It's time security folks joined the rest of the IT world in a thorough understanding that they need to justify what they do.
I'm not sure which world you live in, but what I have seen is not so much in the explanation or understanding of the requests, but in management's caring. It is easy to explain something in terms of "If you do this, you will add this amount to the bottom line." It is fairly easy to explain things in terms of "If you do this, we can cut costs in these areas." What is harder to get someone to sign off on is, "If we spend this money, the odds are good we will avoid losing more later." This last is what security budgets seem to translate to in Managerspeak. Add some regulatory teeth to the equation and you might have something along the lines of "Invest this amount now or you will end up paying this much larger amount later" which would result in better implementation of security standards.
Yes, additional laws or other regulation is one option that can be used to get businesses to meet a higher level of security. But the drawbacks are it's a pretty blunt instrument (you have to find a law that can be applied to all companies) and there needs to be a check for compliance. That last point on checks on compliance is a very significant one - it looks like PCI DSS rules were not complied with in this case and it seems over a number of years. But this was not detected, so we can deduce that no-one checked properly or perhaps at all. That's a pretty damning inditement of the credit industry, and illustrates that laws and regulations are not going to help if there is no effective enforcement.
Businesses understand risk - they take risks all the time. The risk to the corporate reputation seems to have been realised in this case and there was an attempt to take action, which was too late. To me that looks like the risk became very obvious to the leadership, but at too late a stage. Making the business risks clear to management early on is the right way to go and if the business decision is to do nothing then it's a business risk the management have decided to take.
Is it the CIO's fault? Well, yes, but not for the reason suggested.
I have to disagree with Ledswinger's assertion that it is automatically the CIO's failure to articulate costs and so on that led to this problem. Some people, you can articulate the need for something to be done as eloquently, definitively, and assertively as you want, they just will not listen. Maybe he didn't make his case, maybe the executives just didn't listen.
On the other hand, why should tills have internet access? The couple setups I've dug into, against any sanity and good judgement the registers are running Windows (this is enough by itself to make me only pay cash!), but anything on the "cash register" network segment can ONLY contact a single computer, not to the public internet -- if a till were hypothetically hacked it could never phone home. Forget virus scanners and whatever, this is where the CIO's going to run into problems -- why was the network at each location set up so incompetently? If the tills connect to a "back of house" server to do all transactions, they should not be able to reach the internet at all, and the back of house should be behind a firewall that only lets it connect to the card processor and whatever Home Depot machines it needs to connect to to record sales transactions. If the tills do this themselves, then they should be similarly restricted. The fact that this information could get out at all means they were not doing this.
People put windows on tills because it is cheaper.
People don't hire security experts to produce secure designs and architecture because it is cheaper
People connect tills to the internet (instead of a hardened private networks) because it is cheaper.
People ignore their IT staff's good advice because it is cheaper.
Hammer-selling, C-fools will only understand when:
Allowing insecure payment systems BECOMES TOO EXPENSIVE or PAINFUL to be allowed,
Basically, we need an IT-Security Ralph Nader to wake people up and galvanize the industry into action.
Until then, paying cash is probably a good idea.
Did anyone else notice that the comments to the article may contain more actual information about the incident than either the Reg. or NYT articles?
On the other hand, is enough publicly known yet to make reasonable conclusions about who did what wrong, other, apparently, than the kind of slackness common in large organizations?
Did anyone else notice that the comments to the article may contain more actual information about the incident than either the Reg. or NYT articles?
That's the main reason I read the Reg, the articles are usually good, better than most, but the Commentariat is what makes this red-top one of the best sources of information on t'interwebs.
Most big companies I've worked for are run by marketing boneheads who rose up in the ranks and became executives. Marketing boneheads, usually having been the jocks and frat boys in school, know next to nothing about computers.
They care about one thing: Money. To them, IT is just an expense-center filled with a bunch of nerds who only want to spend the company's money on new toys they don't need. We were merely an annoyance to them and any protections we try to put in place that make the company loads safer, but their routine a tiny bit more involved are shut down.
Basically hearing about how the executives treated the IT Security staff comes as absolutely NO surprise to me. And being told the customer database is off-limits is also not surprising. Marketing goons are too stupid to realize that in order to protect your data, you have to allow access to it to trusted people who need access.
The article implied that the antivirus had not been updated since 2007. Windows probably also had no security updates for the same reason. That's all you need for it to reboot before waiting on customers. A simple DOS or Unix box programmed to do one thing only would have been cheaper and better. And do not connect to the interwebs!
Biting the hand that feeds IT © 1998–2019