3 of the worst responses to cyber security threats

A large part of cyber security is monitoring; without monitoring your network, it’s damn near impossible to know which threats you’re facing and what they’re targeting.

So, if you get a red flag about a possible intrusion, or several members of staff raise concerns, then you listen and gather all the evidence you can, and come to a conclusion about whether you do something.

Or you can do what the following three organizations did.

“We sell hammers”

In September 2014, Home Depot admitted suffering a data breach that exposed over 52 million credit card transactions. Bad point number one.

The warning signs were there: Home Depot’s Senior Architect for IT Security, Ricky Joe Mitchell, was convicted in May 2014 for sabotaging a previous employer’s network when he “remotely accessed EnerVest’s computer systems and reset the company’s network servers to factory settings, essentially eliminating access to all the company’s data and applications for its eastern United States operations.” Bad point number two.

Several Home Depot employees had raised concerns about lax security and requested additional security training and equipment. Senior management told them that they didn’t need it because “we sell hammers”. Bad point number three.

In information security terms, “we sell hammers” means “please take our customer data”.

No room for mistakes in information security

Mistakes happen. I understand that. If I made a completely unintentional mistake, I’d expect some slack from my peers. But if that mistake led to the theft of the details of 40 million credit and debit cards then I wouldn’t expect so much slack.

When Target’s threat detection tool picked up what would soon be revealed as the threat that caused the massive breach, the security team chose to not act upon it.

“Each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team,” said Target spokeswoman Molly Snyder via email. “That activity was evaluated and acted upon.”

Unfortunately, however, the security team appears to have made the wrong call. “Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up,” she said. “With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different.”

Target invested hundreds of millions in data security only to suffer a breach when their threat detection system was overruled by human operatives – oops.

You actually have to practice to make perfect

When code repository Code Spaces suffered a DDoS attack in 2014, little did they know it would be the beginning of the end for the organization.

During the attack, an unnamed cyber criminal broke into the organization’s Amazon EC2 control panel. Extortion demands were left for officials, along with a Hotmail address to contact the criminal on.

The first step at this stage should have been to shut the doors and find out exactly what the criminal had accessed.

Code Spaces nearly got that right, choosing to change the password for the EC2 panel to kick the hacker out.

Unfortunately for Code Spaces, the hacker had created backup logins, and when they saw Code Spaces’ attempts to regain control they deleted all of the organization’s data and backups, leaving many customers incredibly unhappy and without their code.

A cache of Code Spaces’ website shows promises of full redundancy and claims that code is duplicated and distributed among data centers on three continents.

“Backing up data is one thing, but it is meaningless without a recovery plan, not only that a recovery plan – and one that is well-practiced and proven to work time and time again,” Code Spaces said. “Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”

It turns out that that was untrue and Code Spaces announced their closure 12 hours after the attack began.