Dec 18 2014

A Cyber Attack On… Yourself?

Some cyber security policies are thrust upon us, and that is the topic of this post. Just like Windows XP expiring in April 2014, there are times when software or hardware we are running on our systems comes to the end of its life. No more cycles to run….

With technical and security support gone, you are flying without a net. How do you solve this problem? With solid policies, governance, information assurance, and a business continuity plan, which, by the way, is also a great way to run and monitor the state of your cyber security posture [pun intended]. Just like solving the Pythagorean Theorem, if one term of your equation changes value, the result of your security equation changes with it.

Krebs has an excellent example of this; here is an excerpt:

“Last week, several thousand credit card payment terminals at various retailers across the country suddenly stopped working, their LCD displays showing blank screens instead of numbers and letters. Puzzled merchants began to worry that this was perhaps part of some sophisticated hacker attack on their cash registers. It turns out that the incident was indeed security-related, but for once it had nothing to do with cyber thieves.

On Dec. 7, 2014, certain older model payment terminals made by Hypercom stopped working due to the expiration of a cryptographic certificate used in the devices. ‘The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal. The certificate was created in 2004 with a 10-year expiry date.’”

Bringing technology into a company changes the other elements of the equation. Before bringing in new software, one has to assess those elements (below are just a few for your consideration):

  • The security vulnerabilities it introduces
  • The way security is integrated (for example, a license or certificate that will expire)
  • The other systems it talks to
  • The exposures that communication creates (and whether they are worth it)
  • Will this change your security posture, and potentially your cyber insurance coverage?
  • Will this affect your security policy?
  • How will the administration of this new software impact the governance of your IT security?
  • Will business processes change because of the new software?

It’s easy to cast stones, but to be fair, in the example above the company brought the POS systems online in 2004, and security wasn’t nearly as much of a topic of conversation then as it is now. In 2004 the country was just happy that Y2K hadn’t really been a thing.

As a country that thrives on business, we as businesses are now past the point where we can just bring on new software tools and processes without considering the impact on business continuity.

As my old man always says… learn from other people’s mistakes; it’s much cheaper.