If you manage an information system you have to plan for “the event”.  The event will come when you least expect it.  It will come from a place you didn’t even know existed.  It will happen when no one and everyone is looking.  What is this event?  It’s the day you get hacked.  Actually the system will probably be hacked multiple times over its lifespan. 

Some information security events will be worse than others.  Some will happen on the inside while others from the outside.  The question really is not if you’ll be hacked, but will you even know it?  We’ve been involved with many information security breach investigations where the systems have been compromised for months.  The warning signs were there.  Sometimes they were flashing neon signs with air horns.  If you’re not looking and listening you’ll miss those signs and alarms.

Read more: Why Security Information and Event Management (SIEM) is an Essential Security Tool

It’s been a while since I touched on this subject but it has come up during a number of audits and information security investigations the team at Integrity has been a part of over the past few weeks.  Egress filtering is a basic principle that should be implemented at every organization to prevent hacking activity from leaving your network.  Granted, you can’t stop everything, but you can at least try.  True information security is based on incremental success.

Here’s how it works.  We always do ingress filtering.  That is, we only allow trusted and known traffic into the firewall from the internet.  This traffic is typically allowed into a DMZ and then traffic from the DMZ is allowed through to the internal network.  This traffic is allowed only from selected IP addresses and specific ports.  Everything else is blocked.

Read more: The Importance of Egress Filtering at the Firewall

If you’re one of the 145 million eBay users who was notified to change your password after a security breach was discovered, raise your hand.  If you were affected by the Target breach, raise your hand.  Michaels breach?   The hack on Iowa State University?  The University of Northern Iowa’s information security breach?

I think you’re starting to see the trend here.  Iowans typically think of themselves as living in a safe community.  Even the capital city of Des Moines has low crime rates when compared to many other areas of the country.  I still know people who don’t lock their doors or leave keys to the car on the seat with absolutely no thought that they’ll be a victim of crime.

Read more: Cybercrime Hits Home - Even in Iowa

eBay has a long history of taking information security seriously.  In 2003 they hired Howard Schmidt as their CISO.  Mr. Schmidt is considered to be one of the leading authorities on cyber security.  He led Microsoft’s effort and served as the head of cyber security for both President George W. Bush and President Barak Obama. 

I have no doubt that Ebay has a very robust and mature information security program.  Still, they were hacked.  You can read their statement here.  Is this the new norm?  Are we becoming numb to the events?  It’s like living in another part of the world where physical violence is a part of everyday life.  Do we simply learn to deal with it

I don’t think that’s the answer.  When organizations that take security seriously are breached on a regular basis, something needs to change.  The way we do business; the way we store data; the expectations we have on data custodians; the punishment we hand down for criminals.  Something.  Everything.  Change is needed.

Iowa State University reported an information security breach yesterday.  Officials stated that 5 network attached storage (NAS) devices were hacked.  These devices were departmental devices and used to store social security numbers for students who took certain courses between 1995 and 2012.  You can find out if you are impacted at this link.

I’ve read through the official statement and there are two issues which are concerning to me.  The first issue is why the individual departments had a need for student social security numbers.  SSN has not been allowed as an identifier by most colleges in Iowa for over two decades.  The student ID number replaced the SSN.  I was a CIO at a community college in Iowa more than 10 years ago and the SSN was not used as an identifier.  What was the purpose of the initial request for these social security numbers and why was it stored for so long?

Read more: 5 Network Attached Storage Devices Hacked at ISU

We, the internet using community, have been bitten by the Heartbleed bug.  It came fast and the implications are serious.  Integrity’s team of security professionals has been working with customers over the past several days to identify vulnerable systems and determine a course of action.

This vulnerability in the implementation of OpenSSL should teach us a few things.

  1. Theory is great, but how that theory is implemented will determine long term success or failure.  The encryption methods of OpenSSL weren’t bad, there was simply a mistake in the code which caused all the problems.

  2. We need to stop treating the internet as if it is just the “Internet of Things”.  It is not.  It is critical infrastructure.  We all agree that power grids, banking systems, transportation systems, etc. are critical.  What if we couldn’t trust common security systems used on the internet?  E-commerce would fail and economies across the world would have severe impacts.  The internet is critical infrastructure whether we care to admit it or not.  We need to take security seriously.

  3. How security and technology vendors responded to Heartbleed should tell you a lot about how that company deals with risk management and security.  Did they notify you of the vulnerability quickly?  Did they provide updates and patches in a timely fashion?  If they were slow getting to the party, one has to wonder why.  Don’t be afraid to ask your firewall vendor why they were the last major vendor to supply a patch. 

There will be consequences of this vulnerability.  Systems were hacked.  Data was stolen.  We may not know for a while what the full impact was but there was an impact.  If you’ve been worried about zero-day threats but not been able to get management to understand the risks, this incident should help.

If you need more information on the Heartbleed bug, you can follow the developments on CVE-2014-0160 at the NIST National Vulnerability Database.

I want to clear some things up on the Target breach front.  There are hundreds of bloggers making accusations and assumptions that are unfounded and simply incorrect.  I get I’m just going to give you a list here.  No fluff, no opinion, just fact.

False Statement #1: Target couldn’t have been PCI compliant because attackers stole CVV numbers and storing of numbers violates PCI.

Facts: Nowhere have I read a factual account from Target or law enforcement that says the CVV was being stored.  The CVV is read from the magnetic stripe at the PIN pad and transmitted to the POS.  It could have been intercepted during transmission.  Now, the data transmission between the PIN pad and POS is typically encrypted so we can assume that the data was probably stored somewhere and stolen.  If you are going to make assumptions, state them in your post or article.

False Statement #2:  Target couldn’t have been PCI compliant because it took them 18 days to discover the breach.  They obviously weren’t doing their daily security monitoring.

Facts: Networks are complex. Applications are complex.  Attacks are complex.  Obviously there was some security monitoring going on.  Sometimes it takes time to recognize an attack, investigate it and address the issues.  This isn’t Hollywood.  We don’t save the world in a 42 minute episode.  Is it likely that Target will need to change their security monitoring procedures?  Yep.  Can anyone say they weren’t monitoring at all?  Nope.

False Statement #3:  This breach was timed specifically for the holiday shopping season.

Facts: Did the hackers themselves proclaim this?  While it is entirely possible that this was a timed breach, it’s also just as likely that the hackers were simply lucky.  Hackers strike while they can.  It only takes one patch to foil a well-planned breach attempt. I’m not saying the intent may have been to hack during the holiday season but we don’t know that for certain just because it occurred during the holiday season. 

In essence, I’ve been very frustrated with the coverage of all this over the past 10 days.  Expert after expert has been on this news program and that claiming all these “facts” when in fact all they have at this point are opinions.  Oh…and because it’s sensational news, the journalists are calling them out on it.  They let the opinions stand as fact.  What has become of journalistic integrity?

Contact Information

Birmingham Office

205.568.5506


Des Moines Office

515.965.3756


Kansas City Office

913.991.8724