Sunday, 6 May 2007

"What we have here is... failure to communicate..."

"...Some men you just can't reach, so you get what we had here last night, which is the way he wants it. Well, he gets it, and I don't like it any more than you men." - Strother Martin, Cool Hand Luke.

There's a lot in the news today about the vulnerabilities which TJX left in their network and which allowed their recent breach to take place. They were apparently using WEP to secure their stockroom wireless, which had access to the central user database. This goes beyond careless, and it's therefore unsurprising to hear that it could cost TJX in excess of $1bn. What is worth a closer look, however, is exactly how that figure is being calculated. I'm not going to steal Alex's thunder on this one, including the possible costs of securing the network ($100 million), as he's done a great job.

What I'm interested in considering is the business case which TJX could have presented to avoid this. A company with a $13bn turnover surely has some security people SOMEWHERE (probably different ones now), and this wasn't new news. TJX had been vulnerable for around 4 years and had been warned previously that they were vulnerable, so somewhere something has gone wrong.

From previous discussions I've had here and on PCI Answers, it is clear that security is not well understood by many people running a business. Of course, now anyone with any doubts can just cite TJX, but what could TJX have done?

First, let's examine the facts again: they used WEP encryption, with no MAC filtering and broadcast SSIDs. This is like closing your front door, leaving the key under the mat, with a note on the door saying "The key's under the mat". Turning off SSID broadcasting, putting in MAC filtering and using WPA is a 10 minute job, basically free of charge. It doesn't cost $100 million and certainly not $1bn.
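To make the three fixes above concrete, here is an added example (not from the original post) that audits a hostapd access-point configuration for exactly those three issues. The two configurations are constructed to mirror the described setup and its hardened counterpart; the directive names (wep_key0, ignore_broadcast_ssid, macaddr_acl, wpa, rsn_pairwise) are real hostapd keys, but the interface, SSID and passphrase values are placeholders. Note that hiding the SSID and filtering MACs are hygiene, not encryption; the substantive control is the move off WEP.

```python
"""Audit hostapd.conf text for WEP, broadcast SSID and missing MAC filtering."""

# Constructed configs for illustration; values are placeholders, not TJX's.
WEAK_CONF = """\
interface=wlan0
ssid=STOCKROOM
auth_algs=1
wep_default_key=0
wep_key0=0102030405
"""

HARDENED_CONF = """\
interface=wlan0
ssid=STOCKROOM
auth_algs=1
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replace-with-a-long-random-passphrase
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Return a key -> value dict, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """Return a list of findings; an empty list means all three checks pass."""
    conf = parse_hostapd(text)
    findings = []
    # hostapd: wpa=0 means no WPA at all; any wep_key* directive means WEP.
    if any(k.startswith("wep_key") for k in conf) or conf.get("wpa", "0") == "0":
        findings.append("WEP or open network: configure wpa=2 with rsn_pairwise=CCMP")
    elif conf.get("wpa") in ("1", "3") or "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append("WPA1/TKIP permitted: prefer wpa=2 with CCMP only")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled: set ignore_broadcast_ssid=1")
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("No MAC allow-list: set macaddr_acl=1 and accept_mac_file")
    return findings
```

Running audit_hostapd over WEAK_CONF reports all three problems the paragraph names, while HARDENED_CONF comes back clean.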

I'm sure there were other holes, they were not PCI compliant after all, but this is the thing that got them and the issue which is in the news today.

So, assuming that there were security and technical people aware of these securing measures, and they are the most basic ones I can think of in wireless security, the issue really lies somewhere else. TJX is a vast company, covering many countries, and the evidence is that only this one area was hit. That sounds lucky. The issue seems to come down to one of communication, pure and simple. This is so often the case in security breaches, and one that is rarely discussed.

As I said, business people are rarely in tune with security; they are focused on profit, and security does not equal profit (unless you are a vendor). A vital part of security is communicating ideas, making sure people know about password strength, recommended practices, etc. It may well be that someone at TJX had already rung alarm bells, but unless that person has a voice, it can be ignored. It's time for businesses to put more emphasis on security, and the only way we are going to have those voices listened to is by enforcing regulations.

PCI is a good start, along with SB1386 disclosure rulings, ISO17799 guidelines, etc., but until we have international laws instructing businesses in how to communicate and not giving get-out clauses (PCI has compensating measures), these events will continue to occur.


Michael Fleming said...

No doubt that the best tool to teach a business that it needs to keep an eye on these matters is to show the corpses littered over the fields. Still, one wishes that businesses would instead be willing to entertain that concept in the abstract, and address the need in anticipation rather than as a reaction, and before somebody has to get hurt, no?

Rob said...

Hi Michael,

I've tried this for years across Europe, and it's still very hard to do.

I think you've hit the issue right on the head by using the phrase "in the abstract". What the business people can't see hitting them in the face, they tend to ignore until it does.

Yes, it is crazy.