According to an excellent new article in Bloomberg Businessweek, multiple security technologies in place at Target detected the intrusion that cost the company 40 million credit card numbers, but the company's security staff apparently ignored the alerts. It reminds me most of that common cause of airplane crashes: pilot error. So we have another reason to focus not only on our technologies, but on our people.
The article is entertaining as well as informative. I recommend it to folks who don’t feel up to date on security. It takes us from Target’s computers, through staging servers in Virginia, Utah and California, to a hosting service in Moscow. The whole thing seems to have been orchestrated by hackers in Odessa, Ukraine, which the article describes as “the Tortuga of the Russian-speaking world.”
The moral of this story, however, is that no matter how good your technology is, you need to make sure your operational routines are in place and followed. Despite warnings from the malware-detection system supplied by security firm FireEye, and additional warnings from Symantec Endpoint Protection, the human operators in Target's Minneapolis Security Operations Center did not act on the alerts. The story also notes that the "breach could have been stopped there without human intervention": the FireEye option to delete detected malware automatically had been turned off.
This is not as outrageous as it sounds. It is common practice in disaster recovery, for example, to require human authorization before systems are shut down or operations are switched over to alternates, because a false alarm could otherwise trigger actions that are themselves hard to recover from. But that design only works if the people on the receiving end of the alert are actually watching and ready to act.
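As an added example (not code from the article, nor from Target, FireEye or Symantec), here is how the two choices discussed above, "warn only and let a human act" versus "contain automatically", can be written down as a policy that also covers the failure mode the article describes: a serious alert that nobody picks up. Two independent products flagging the same host count as corroboration and lead to containment whatever the setting, and an unacknowledged high-severity alert is escalated after one deadline and contained after a longer one. The alert fields, vendor and host names, timestamps and every threshold are assumptions chosen for illustration.

```python
"""Human-in-the-loop alert handling with cross-source corroboration and an
escalation deadline. Added example for this post, not code from the article
or from any vendor named in it; all fields, names and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Alert:
    alert_id: str
    source: str                    # detection product that raised the alert (assumed)
    severity: str                  # one of SEVERITY_RANK
    host: str
    raised_at: datetime
    acknowledged_at: Optional[datetime] = None  # set when an analyst takes ownership


@dataclass
class Policy:
    # Off: the tool only warns and a human must act (the trade-off discussed above).
    auto_contain: bool = False
    # Two different products flagging one host inside this window is corroboration;
    # the false-positive argument against acting automatically is then weak.
    corroboration_window: timedelta = timedelta(hours=24)
    # No acknowledgement within ack_deadline: page the on-call lead.
    # Still nobody after fail_closed_deadline: contain the host anyway.
    ack_deadline: timedelta = timedelta(minutes=30)
    fail_closed_deadline: timedelta = timedelta(hours=4)


def corroborated_hosts(alerts: list, window: timedelta) -> set:
    """Hosts flagged by at least two distinct sources within `window` of each other."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    hosts = set()
    for host, items in by_host.items():
        items.sort(key=lambda a: a.raised_at)
        for i, first in enumerate(items):
            for later in items[i + 1:]:
                if later.raised_at - first.raised_at > window:
                    break          # sorted, so nothing further is inside the window
                if later.source != first.source:
                    hosts.add(host)
                    break
    return hosts


def decide(alert: Alert, policy: Policy, now: datetime, corroborated: set) -> str:
    """Action the SOC automation should take for one alert at time `now`."""
    if alert.acknowledged_at is not None:
        return "owned"        # a human has it; automation stands down
    if SEVERITY_RANK[alert.severity] < SEVERITY_RANK["high"]:
        return "queue"        # low/medium: routine review only
    if policy.auto_contain or alert.host in corroborated:
        return "contain"      # isolate the host, preserve evidence, open a case
    age = now - alert.raised_at
    if age > policy.fail_closed_deadline:
        return "contain"      # nobody acted: fail closed rather than open
    if age > policy.ack_deadline:
        return "escalate"     # page the on-call lead
    return "await_ack"


def triage(alerts: list, policy: Policy, now: datetime) -> dict:
    corroborated = corroborated_hosts(alerts, policy.corroboration_window)
    return {a.alert_id: decide(a, policy, now, corroborated) for a in alerts}


# Constructed sample: the timestamps, hosts and vendors are invented.
T0 = datetime(2013, 11, 30, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", "vendorA", "critical", "posreg-017", T0),
    Alert("A2", "vendorB", "high", "posreg-017", T0 + timedelta(minutes=20)),
    Alert("A3", "vendorA", "high", "fileshare-02", T0 + timedelta(hours=3)),
    Alert("A4", "vendorA", "critical", "dc-03", T0 + timedelta(hours=3, minutes=50)),
    Alert("A5", "vendorA", "low", "laptop-114", T0 + timedelta(hours=3)),
    Alert("A6", "vendorA", "high", "build-01", T0 + timedelta(hours=2),
          acknowledged_at=T0 + timedelta(hours=2, minutes=5)),
    Alert("A7", "vendorA", "high", "hr-web-01", T0 - timedelta(hours=1)),
]


def run_sample(auto_contain: bool = False) -> dict:
    """Triage the sample four hours after T0 under the chosen containment setting."""
    return triage(SAMPLE_ALERTS, Policy(auto_contain=auto_contain), T0 + timedelta(hours=4))


if __name__ == "__main__":
    for alert_id, action in sorted(run_sample().items()):
        print(alert_id, action)
```

With the default (warn-only) policy the sample yields: A1 and A2 contained because two products flagged the same host, A7 contained because it sat unacknowledged past the fail-closed deadline, A3 escalated, A4 still awaiting acknowledgement, A5 queued, A6 owned by an analyst. The two deadlines are the part to tune: set them to how long it realistically takes your staff to notice and act, not to how long you would like it to take.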
It's easy to think that the world of gigantic retailers and the loss of millions of credit card numbers is far from our readers' usual concerns. But the same kind of human error can occur on a smaller scale. A good place to start in assessing your IT procedures in general is the ITIL (IT Infrastructure Library) set of practices for running an effective IT shop. While they are aimed at organizations with lots of resources, the ideas there can be applied selectively to smaller organizations, too.