As you’ve probably seen on the news, Home Depot is said to be the latest victim in a recent string of hacking attacks against major companies, such as Target, Neiman Marcus, Michaels, Sally Beauty, P.F. Chang’s and UPS. While the “massive” Home Depot data breach is still under investigation, if the speculation is proven to be true, it will actually be larger than the infamous Target breach of last year.
In this post, we’ll quickly examine some of the key details of this breach, and explain why this looks like another case of prevention-centric IT security gone awry – where hackers were able to metaphorically “walk through the front door undetected” and make off with stolen data, much like we saw with the JP Morgan security breach. We’ll also examine how this breach affects the IT security strategies of other companies going forward, using some insights from an exclusive Gartner report. Let’s get started.
What do we know about this and other similar targeted attacks?
With details slowly emerging from law enforcement and the Home Depot spokespeople, there are few things we know for sure. We do know for fact that a significant batch of new stolen credit and debit cards were posted for sale on the black market yesterday, and that this data is presumed to have come from Home Depot’s customer base. Taking what we know about this Home Depot attack and other key details from similar incidents this is what we know;
- The home-improvement chain said yesterday it is working with law enforcement to investigate “unusual activity” that could suggest a cyber-attack.
- In the Target Breach hackers stole credit or debit card information from about 40 million customers, and other pieces of personal information, like email and mailing addresses, from about 70 million people. (Home Depot’s breach can be much larger)
- This is just the latest in targeted attacks from hackers and it is certainly not going to be the last. In fact, according to Bentley University professor Steve Weisman, a cyber-security expert “We’re going to see this over and over again.” Companies right now are very reactive, and have never experienced security attacks like those affecting them in the last few months.
It’s unfortunate for us to witness prevention-centric security strategies, employed by so many organizations, starting to crumble right before our eyes.
What’s does a “prevention-centric” security strategy actually entail?
In basic terms, a prevention-centric approach to IT security focuses on systems, infrastructure and data. It identifies the risk areas (i.e. what hackers might target) and places barriers to entry, so that they can only be accessed by authorized personnel. The obvious problem with this approach is when unauthorized personnel steal user credentials and access data completely undetected, as is the case with the vast majority of data breaches in the enterprise.
The signs of a prevention-centric approach are littered throughout the Home Depot story.
Let’s take a look at few notable instances:
- Slow Response Time: Brian Krebs, an independent cybersecurity journalist, was the first to break the story yesterday. According to his reports, hackers might have had access to Home Depot’s systems since May of this year. If true, that’s an incredibly long time to be unaware of a breach, especially one this size. A lag in response time is usually a good indication that an organization was focused solely on preventing an attack, but had no methods for detecting one. When you accept that the data breaches are inevitable (and unpreventable), the best you can hope for is to mitigate the effects. To do that, you need to know the exact moment when a breach has occurred.
- Lack of Evidence: Home Depot spokesperson Paul Drake confirmed that the company was looking into some “unusual activity” but made no mention of any specifics. While we cannot say for sure, it would be safe to assume that the company is still looking for answers to the most pressing questions of any data breach: who did what and when? As we noted, unlike a user-centric approach to IT security, a prevention-centric approach only focuses on the systems and data, while ignoring the role that people play in a data breach. Without insight into user activity, forensic evidence will be hard to come by and often times, inconclusive.
- Third-Party Discovery: Did you know that more than half of data breaches are discovered by people outside of the targeted organization? This is yet another classic symptom of prevention-centric IT gone wrong. It’s entirely possible that Home Depot – like so many other big-name brands – found out about the hack the same way we all did (via Brian Krebs) and has been in reactionary mode ever since. In order to reduce the negative impact of a data breach, the organization must be the first to know about it – not consumers or the media.
Home Depot is not the first major brand to suffer from an overreliance on prevention-centric IT security, and they will not be the last. Gartner agrees, and goes so far to suggest “advance targeted attacks make prevention-centric strategies obsolete” in their recently release research report. This report also discusses how securing enterprises will change over the next six year and what major shifts are required.
What are your thoughts on the Home Depot data breach story? Do you think Gartner’s research and predictions of securing the enterprise in 2020 is accurate? Please share in the comments section below!