banner

Thales Blog

When Hacking Gets Very Real And Very Scary: ISIS Targeting Families

April 11, 2016

Charles Goldberg Charles Goldberg | VP, product marketing More About This Author >

ISIS targeting familiesWhen you think about breaches and organizations targeted, a local uniform vendor probably wouldn’t top your list of obvious hacking threats. However, a recent hack at a uniform vendor that serves New Jersey Transit police officers presents a very illustrative cautionary tale. For enterprise security teams, the message is clear: Even the best defenses will be futile if your vendors’ security is weak.

Click To Tweet: ISIS Hacking Targets Families: Data Security = Personal Security @chvrles bit.ly/20vYL9K

Security and privacy have been making international news quite a bit recently, but one particularly scary development seems to have escaped much widespread notice. As reported by Asbury Park Press, an apparel vendor known as Action Uniform recently encountered a data breach. Action Uniform is a vendor that serves a number of businesses and agencies, including New Jersey Transit.

What’s really chilling is the “why” behind the breach. Rather than pursuing credit card or identity theft, these attackers had a much more sinister motive. A pro-ISIS group known as the Caliphate Cyber Army was behind the attack, and they proceeded to post the names, addresses, and phone numbers of the transit agency’s police officers, along with a call to carry out “lone wolf” attacks on these individuals. Given these officers’ charter of counter-terrorism, these developments are troubling under any circumstances, but particularly more so in the weeks following the terrorist attacks in Brussels.

Vendors Leaving Businesses Exposed

When a lion goes after a herd of gazelles, they’ll target the slowest animal in the herd. In the cyber security sphere, a large company or agency with significant security investments will represent a more difficult target. While no details have been given around the specific nature of the attack, and what kind of security Action Uniform had in place, it seems pretty safe to assume that their defenses were lacking, making their servers a much easier targets than the New Jersey Transit’s systems.

This recent Action Uniform breach isn’t the first time that cyber attackers went after a vendor or supplier in order to get to the data of a well secured, or at least better secured, business. In fact, it’s very common for payment processors, backup and archiving service providers, point-of-sale system vendors, and other service providers and supply chain vendors to be the cause of a larger enterprises’ data breach.

The Implications for Enterprise IT

When it comes to employee and customer data, organizations may have many different reasons to protect it. They may be concerned about a competitor obtaining employee data for recruitment. They may need to guard against attackers looking to gain access to payment data to sell it on the black market. They may be focused on contending with cyber attackers that want to leverage health care records to perpetrate identity theft. Historically, many IT security teams wouldn’t have thought that this data could be exploited to pose physical threats to exposed individuals, but clearly that’s now the reality. This Action Uniform attack underscores a very profound fact. In many cases, the organizations that manage customer and employee data aren’t just responsible for these individuals’ privacy, they’re responsible for their very safety.

When I first landed at Vormetric, I dug into our business by analyzing our customers’ use cases.  What soon became clear is that a large number of businesses were encrypting sensitive data because they were compelled to. While many were driven by compliance requirements, a very big portion were also compelled by the fact that they were managing data on behalf of their customers, and they needed to employ encryption to ensure it was secure, either as part of a contractual obligation or simply a business imperative.

This Action Uniform breach shows that all large companies and agencies, even local ones like New Jersey Transit, need to take responsibility for the security of their vendors.  They need to impose contractual security requirements on the organizations that they are entrusting this data to. They need to make sure these vendors are taking the steps necessary to safeguard sensitive information, such as encrypting employee and customer data.

No Organization is an Island

There’s the old joke about two guys out in the woods who confront a bear. When one gets ready to run, the other says, “You can’t outrun a bear.” As he takes off, the man replies, “I don’t have to be faster than the bear, I just have to be faster than you.”

This “every man for himself” mindset may work as a near term survival strategy for an individual, but it’s not sustainable for a business or government agency. In today’s business and technology climate, any given business is increasingly reliant on an ecosystem of managed service providers, cloud service providers, application vendors, and more. If IT security teams take the mindset of focusing only on the security of their own businesses, but leave their vendors and partners behind, they’ll remain highly exposed.

New EU Rules Prohibit Passing the “Security Buck”

Historically, many businesses have seemed to view vendor security as someone else’s problem, effectively passing the “security buck.” The Action Uniform breach underscores the danger of this approach. If this reality isn’t enough to compel businesses to action, new EU regulations may serve to force the issue. In some very tangible ways, the new EU General Data Protection Regulation (GDPR) seeks to hold businesses to account for their vendors’ security.

The GDPR separates responsibilities and duties of data controllers (those who are originally entrusted with individuals’ personal data) and their processors (those who manage or access the data on the organization’s behalf). The GDPR requires controllers to use only those processors that are compliant with the rule. Item 63a of the standard says the “controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.” The GDPR also details the core tenets of security, including the encryption of personal data, as well as ensuring integrity and resiliency of systems, and the ongoing testing and reassessment of security safeguards.

Conclusion

For today’s security managers, it’s plenty tough to battle against increasingly focused and pervasive cyber attacks. However, focusing solely on safeguarding internal systems and services isn’t enough. It’s vital to audit existing vendors, and determine which ones have sensitive assets—whether customer data, intellectual property, credentials, or any other elements—that can be exploited. Once that has been determined, it’s vital to take steps, whether contractually or any other way needed, to ensure they’re doing what’s required to keep those assets secure.  In these times, it could be a matter of life and death.