Network Solutions Data Breach Proves Savvy Aren't Always Secure
The data breach at Network Solutions, where hackers broke into the company's servers and stole info on 573,000 credit cards, shows how vulnerable even the presumably Net savvy can be. Hey, if a domain registrar and Web host can have their systems breached, is anyone safe?
July 27, 2009
The data breach at Network Solutions, where hackers broke into the company's servers and stole info on 573,000 credit cards, shows how vulnerable even the presumably Net savvy can be. Hey, if a domain registrar and Web host can have their systems breached, is anyone safe?
Of course, the counterargument is that it's usually not lack of knowledge, or a poor understanding of security issues, which leads to data breaches. It's a failure to assiduously apply proper security procedures, because those procedures form the first line of defense, and are a deterrent to all but the most determined bad actors. (I was going to say, Maginot Line, and in many cases that's apt, because it's important to note that simply having a collection of procedures in place, and passing a security audit, often give companies a false sense of security, rather than true security.)
On the plus side, Network Solutions is doing a decent crisis-management job, being has upfront about the breach. It posted a message to customers, headlined "Data Security Alert - Problem Fix and Customers Notified," which indicates that the credit card theft reported in the mainstream media was rooted in code which sucked in e-commerce transactions. Here's the money quote:
"After conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring. Exposure varied by merchant, but in all cases took place sometime between March 12, 2009 and June 8, 2009. Transactions after June 8, 2009 were not exposed to the unauthorized code. We have notified law enforcement and are working closely with them on the investigation. "
In the wake of the incident, I received an email from database-security vendor Secerno, whose founder and CTO Steve Moyle, laid the blame on today's recession-inspired, resource-constrained environment.
What many are likely asking is how this breach could have happened and gone on for such an extended period after the lessons of Heartland [the infamous January, 2009 credit-card breach]," said Moyle. "The reality is that many enterprises are behind in security protection efforts, such as Anti-Virus updates, due to shrinking IT budgets. In a recent webinar offered by Forrester and Secerno, Forrester revealed that 60 percent of enterprises are behind in implementing security patches, which is consistent with what we are seeing in the field. The IT departments simply do not have the resources to complete these updates in a timely fashion, resulting in network vulnerabilities that are easily exploited."
I don't doubt there's a lot of truth in this, but it's not the whole truth. It's possible that there's an element of security experts fighting yesterday's war. E-commerce hacking, while not new, appears to be the current hot spot in the security world.
As Moyle puts it: "What happened at Network Solutions can be considered a primer to the MO of this generation of hackers: Malware was planted on locations with access to credit card and other financial data, with the data grabbed and sent to a location off the Network Solutions network."
So maybe the answer is a more agile approach to security. I've written previously about some of this stuff (see my old InformationWeek posts "8 Dirty Secrets Of The Security Industry" and "Is 'Good Enough Security' Good Enough?"), including an overreliance on audits and methodologies which worked well for the N-1 threat.
What it all boils down to is, when you think you've got your security under control, that's when you're most vulnerable.
Follow me on Twitter.
Write to me directly [email protected].
About the Author
You May Also Like