What Can We Learn from the Home Depot Data Breach?
September 30, 2014
The details of the apparent Home Depot data breach are now coming into focus. A malware program named Mozart appears to have been in place on self-service registers since April and was not discovered until September. The program was customized to work with the Home Depot systems. Mark my words – some insider, employee or contractor, will ultimately be implicated. Most such breaches have an insider involved, and it would be hard for someone outside to get enough information about the Home Depot systems to pull this off.
Of greatest concern to me is the fact that we did not learn about the data breach from Home Depot directly but rather via banks. It is probably safe to assume that the banks called their good customer Home Depot and alerted them to their suspicions long before they went public. This means that Home Depot probably knew earlier but kept silent. This is a direct violation of regulations that require such disclosure. Given the risk of flogging the innocent, however, I'll withhold further comment until all the details are known.
Both businesses and consumers have much to learn from the situation, however, mainly diligence.
On the consumer side, you need to be diligent in checking your statements every month. If you're anything like me, you get a statement in the mail, scan it, look at the bottom total, and if it seems reasonable, you pay it. Those days are long over. Home Depot, despite some internal issues, has been regarded as reasonably secure. They have a huge IT budget, and an IT staff to go with it. If they can be breached, anyone can.
If you run a business, your livelihood is on the line, and you are up against a formidable foe. Gone are the days of the teenage hacker. Instead we have professional crime syndicates with major resources to throw at hacking into systems. We know the Chinese have been after us for some time, and it's logical to believe that terrorist organizations, when they discover how much disruption security breaches can cause, will eventually be getting into the act as well. They have almost unlimited, motivated resources.
You need to be diligent in ensuring your network is and stays as secure as possible, and this is a DAILY job. You need a firewall with intrusion prevention and you need to have the logs reviewed constantly. You need written policies and procedures in place that people are following, with good staff security training. You need log consolidation and asset management and theft tracking services. The list is long.
We all need to take PCI requirements seriously. In the early days of PCI, many businesses did the best job they could to look compliant without actually digging into the requirements. Home Depot is already the subject of many lawsuits, with more expected. Should your business have a breach, you need to be able to demonstrate via logs, procedures, and staff training that you did everything possible to protect yourself. Home Depot has broad shoulders, and will weather the lawsuit storm. If the lawsuits happened to you, could your business survive?