There’s a lesson CISOs can learn from the infamous theft of tens of millions of pieces customer information at international retailer Target Brands, but the head of Dell Inc’s security says it’s not the one you think.
C-level executives who took the fall “weren’t fired because they got breached,” John McClurg, vice-president and CSO of the computer manufacturer told a conference in Toronto on Thursday, “but because having spent shareholder money on possible solutions they didn’t leverage those to actually mitigate the damage.”
McClurg, was a good friend of Target’s head of security and said the incident was “a painful experience.” CIO Beth Jacob resigned after the company learned 40 million credit and debit cards and 70 million records with personal information were lifted after attackers infected Target’s point of sale system.
Hackers got into the retailer’s system in November, 2013 by going through the system of a ventilation contractor who had online access to Target, reportedly through a phishing attack.
A Target vice-president later told Congress that the intrusion was detected by its security systems, but the company’s security professionals didn’t act until notified by the U.S. Justice department of the breach.
There are news reports that Target’s FireEye malware intrusion detection system and Symantec end point anti-virus software triggered alerts.
“Everybody’s being compromised these days; you don’t get fired for that,” McClurg told reporters after his presentation. “It’s how quickly did you detect it, how well were you enclave so when you did detect it the damage was contained, how thoroughly and robustly was information they were after encrypted, and how quickly do you expel them, and how well did you leverage the incident into a stronger prowess?”
He was speaking at the annual conference of the Ontario Association of Community Care Access Centres, a not-for-profit member and technology shared services organization that supports Ontario’s 14 Community Care Access Centres (CCACs), The centres help provide home and community care.
McClurg has some experience with break-ins: About five years ago, shortly after becoming vice-president of global security at Honeywell International, the FBI told him one of the conglomerate’s servers had been breached and was linked to a botmaster in China. Unlike Target, there were no warnings from internal systems.
That, he said was part good news/bad news.
The bad news was that a server was compromised on the eve of negotiations on a sensitive negotiation with China and Honeywell competitors.
The good news was the FBI confirmed the worries of McClurg, who had been wondering why the company hadn’t been hit by an attack that other corporations were reporting.
He’d combed through log files sensing there must be evidence of something suspicious, but found nothing.
The call from the FBI gave him a “a mixed feeling,” McClurg admitted to reporters. “On the one had you liked validating what you’re gut’s telling you. Happy feeling. On the other hand, what does it really mean …”
He convinced company executives to leave the exploit for several months to gain information. Analysis showed the server had been compromised two years before; the attackers sat silent, likely waiting for information to help China in the product negotiations.
McClurg wouldn’t say if the attackers got any information.
The incident shows the importance of industry and government agencies working together to share security information, he said.
“Clearly in some instances we’re up against (state and criminal) adversaries who look like they’re better funded, better staffed.”
Also while talking to reporters he said one of the biggest mistakes CSOs make is not fully understanding their environment and related risks. “Without understanding your environment you can’t properly interpret the signals coming in on what you should do,” he said. Security pros have to question whether are risks internal, external, human, and how threats align potentially with the organization’s vulnerabilities.