A few years ago, it was Target, Home Depot and Sony that were hacked. This year it’s Equifax.
And now we can add the global consulting and accounting firm, Deloitte.
Hackers penetrated the company’s defenses last November. Deloitte didn’t discover the breach until four months later, in March of this year.
How do such attacks — where hackers roam a corporate network undetected, stealing valuable data over a period of weeks or months — keep happening? To answer, let me tell you a quick story.
When I was in college, I was a concert security guard.
It was easy enough work. I was generally assigned to keep people from congregating in front of a swath of emergency exit doors.
But at one all-star country music event, I wound up guarding the backstage holding area, where I was told to make sure only the main acts used the space — and to keep out their entourages and other hangers-on.
The place was crowded with people milling about. I knew Mel Tillis’ face; same for Carl Perkins. You can’t miss Barbara Mandrell.
But those bearded guys in street clothes, leaning against the back wall, looked suspicious — like they might have snuck in from the concert floor, a few dozen feet away.
It turned out they were one of country music’s biggest acts at the time, the Oak Ridge Boys!
The problem was the backstage passes. The promoters issued far too many. Some performers gave theirs away to buddies. Some never bothered wearing them at all.
So how was I supposed to know who belonged and who I needed to kick out?
That’s the same cybersecurity challenge faced by companies like Deloitte and Equifax.
When someone needs access to a corporate computer system, they’re issued the equivalent of a backstage pass — it’s called a “network credential.”
Big companies issue these credentials like candy. For instance, information technology (IT) departments often hire freelance programmers for a project, and they’ll issue network credentials so they can access the system.
When the project is finished, the programmer moves on — but the company often forgets to cancel the credentials. Often those credentials are floating around on the internet itself.
For instance, sharp-eyed readers of the IT blog The Register found Deloitte’s network credentials on an employee’s Google Plus page. Others found important password details on GitHub, a website where programmers share their coding knowledge.
Clearly, preventing cyberattacks is impossible — not with so many system “backstage passes” hiding in plain sight.
On the other hand, if a company could keep a tight rein on those passes — so it knew exactly who had them and when to cancel them — it would cut off most hacking attempts at the knees. Potentially devastating cyberattacks could be easily detected, monitored and thwarted.
We’ve already identified one such company for Total Wealth Insider readers in our growing portfolio of top cybersecurity investments.
Those who understand this shifting dynamic — detection, not prevention — will be the big winners in the coming ramp-up of cybersecurity spending of up to $1 trillion between now and 2021.
Jeff L. Yastine
Editor, Total Wealth Insider