Hearing It from Somewhere Else, After the Fact
Today's news, via Brian Krebs (http://krebsonsecurity.com/2016/01/wendys-probes-reports-of-credit-card-breach/), is suspicion of a payment card breach at Wendy's. Not good - for Wendy's and anyone else potentially snared in the loop - but neither is it surprising.
That's not to say I have any reason to believe Wendy's was particularly vulnerable or in any way at fault - just that my gut reaction felt like "yeah, another big retailer is hacked - I wonder how bad it will be for them - oh well, business as usual eh..." accompanied by a shrug and turn to other news of the day.
But there's a problem as I see it: sure, lots of retailers, big and small, have been hacked, and many more will be too. Mostly they have been PCI-compliant - or maybe not, according to a plethora of lawsuits and counter-suits and insurance claims, paid or not. Mostly they have sophisticated (read: expensive, onerous, high-overhead, mothership-sized) cybersecurity systems in place to scan the horizon for dangers, detect breaches, perform extensive log file analytics, search for anomalous user behaviours, detect and eliminate malware, tokenize critical data bits and much more. Fair enough; everybody does it. However, in almost every case, the anomalous payment card transaction histories have been discovered, over a longer term, by banks' or payment processors' analytics - not by the retailers. And it was HP's eye-watering 2014 quote "intruders are in your infrastructure an average of 243 days before they are detected" that sums it up succinctly.
All that begs the question - how is it that the alarms in these cases are almost universally raised by those third-party banks or payment processors? Why are the breaches almost universally not detected (not to mention stanched before losses of any scale) and dealt with by those superbly equipped retailers themselves? Could it be that all of those systems and processes with which retailers (and others) gird themselves are simply not good enough? I guess not. Hence the catchy phrase "Compliance does not equal Security" and my own quote "Despite the honest best efforts of an entire industry, data theft occurs on an increasingly frequent basis". And nowadays everyone agrees "It's not a matter of 'if' your organization will be breached, but 'when'."
So - what to do? Well, you can patch, patch, patch your Juniper firewalls so the NSA and GCHQ can't see your data via backdoors (sorry Juniper), check your AMX conferencing systems so hackers can't listen to your boardroom conversations (sorry AMX), and patch your FireEye appliances so targeted e-mails won't enable theft of all your firm's e-mails (sorry FireEye).
And you can talk to me - about Privacy and Security Audit services to make sure you are toeing the line to documented compliance levels - and about my service that protects your critical data assets better than anything you've yet seen, regardless of whether unintended users from outside or inside your infrastructure have access - and that likely would have protected all those big retailers and others that have suffered such egregious breaches in recent months. Ask me; you won't be disappointed.