Posts Tagged: security maturity


14
Jul 16

The Value of a Hacked Company

Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.

If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.

ValueOfHackedCompany

This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.

In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.

These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.

That data mining process involves harvesting and stealthily testing interesting and potentially useful usernames and passwords stolen from victim systems. Today’s more clueful cybercrooks understand that if they can identify compromised systems inside organizations that may be sought-after targets of organized cybercrime groups, those groups might be willing to pay handsomely for such ready-made access. Continue reading →


16
Nov 15

Chipotle Serves Up Chips, Guac & HR Email

The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain “chipotlehr.com” — a Web site name that the company has never owned or controlled.

chipemailTranslation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain “chipotlehr.com”. Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

This security oversight by Chipotle was brought to light by KrebsOnSecurity.com reader Michael Kohlman, a professional IT expert who discovered the bug after applying for a job at the food retailer.

Kohlman, who’s between jobs at the moment, said he submitted his resume and application to Chipotle’s online HR department not necessarily because he wanted to be a restaurant employee, but more to satisfy the terms of his unemployment benefits (which require him to regularly show proof that he is actively looking for work).

Kohlman said after submitting his resume and application, he received an email from Chipotle Careers that bore the return address @chipotlehr.com. The Minnesota native said he became curious about the source of the Chipotle HR email when a reply sent to that address generated an error or “bounce” message saying his missive was undeliverable.

“The canned response was very odd,” Kohlman said. “Rather than indicating the email didn’t exist, [the bounced message] just came back and said it could not resolve the DNS settings.”

A quick search for ownership records on the domain showed that it had never before been registered. So, Kohlman said, on a whim he plunked down $30 to purchase it.

The welcome message that one receives upon successfully submitting an application for a job at Chipotle discourages users from replying to the message. But Kohlman said a brief look at the incoming email associated with that domain revealed a steady stream of wayward emails to chipotlehr.com — mainly from job seekers and people seeking password assistance to the Chipotle HR portal.

Continue reading →


27
Apr 15

What’s Your Security Maturity Level?

Not long ago, I was working on a speech and found myself trying to come up with a phrase that encapsulates the difference between organizations that really make cybersecurity a part of their culture and those that merely pay it lip service and do the bare minimum (think ‘15 pieces of flair‘). When the phrase “security maturity” came to mind, I thought for sure I’d conceived of an original idea and catchy phrase.

It turns out this is already a thing. And a really notable thing at that. The graphic below, produced last year by the Enterprise Strategy Group, does a nice job of explaining why some companies just don’t get it when it comes to taking effective measures to manage cyber risks and threats.

SecurityMaturity

Very often, experience is the best teacher here: Data breaches have a funny way of forcing organizations — kicking and screaming — from one vertical column to another in the Security Maturity matrix. Much depends on whether the security professionals in the breached organization have a plan (ideally, in advance of the breach) and the clout for capitalizing on the brief post-breach executive attention on security to ask for changes and resources that can assist the organization in learning from its mistakes and growing.

But the Security Maturity matrix doesn’t just show how things are broken: It also provides a basic roadmap for organizations that wish to change that culture. Perhaps unsurprisingly, entities that are able to manage that transition typically have a leadership that is invested in and interested in making security a core priority. The real trick is engineering ways to influence the leadership, with or without the fleeting momentum offered by a breach. Continue reading →