(This article was originally written by Jim Jaeger for Third Certainty and was published on January 14, 2015)
According to urban legend, early 20th century bank robber Willie Sutton once said that he robs banks because, “that’s where the money is.” When you think about it in the context of the recent spate of hacks on retailers – ranging from Target to Home Depot to Kmart – this makes sense. After all, that’s where the credit cards are.
Of course, this is not strictly true. While credit cards are used at retail locations, the data is rarely stored there. In actuality, the data is with the issuers and processors, which handle the information associated with hundreds of millions of credit cards. However, issuers and processors have really stepped up their IT security over the past five years, making their networks much more difficult to hack.
Once it was discovered that these companies had hardened their security, the hackers moved downstream to retailers and their POS terminals. Many retailers have not been able to quickly invest in the sophisticated security tools that the issuers and processors have increasingly employed, so there has been an increase in successful attacks in the retail industry.
Sophisticated hacking tools such as RAM scrapers capture encrypted credit card data during the brief moment when it is decrypted, processed and re-encrypted. These tools were developed to hit the big credit card processors and retailers that lack a strong security posture. Because they are harder to detect, RAM scrapers have made it easier, faster and safer to hack into the network of retailers and push malware to a large number of stores and terminals.
Industries often learn from their mistakes, forcing hackers to move on to the next set of targets as previous victims employ a broader, hardened security posture.
This begs the question: where will hackers go next? Regardless of their motivation (financial, political, etc.), information is currency to hackers–and hackers follow the money. Organizations with large amounts of information–credit card account numbers, personally identifying information and valuable intellectual property–are common targets.
Hackers will follow the information, and access is crucial. A targeted organization might not have sought-after information, but it might provide access to an organization that does. This means that third-party partners and vendors with lagging security postures will continue to be used as entry points by hackers.
It’s more important than ever – regardless of industry – for organizations to ensure that they have the technology, tools and educated staff in place to prevent a breach, as well as a plan of action should the bad guys find their way in.
Organizations need to assess their overall security hygiene. Hackers look for the easiest entry point. So organizations that don’t enforce basic best practices, such as patching and employee education related to phishing schemes and social engineering, will easily fall victim.
Imagine Sutton walking into an empty bank that left the vault open with money ready for the taking. That may be how your network is looking to a hacker.
You never know when you might be next on a hacker’s list and you don’t want that day to be the first day you think about security! Start talking about your security posture now – before it’s too late.