Our Take on “Lax security led to TJX breach
 |
|---|
Our Take is contributed by SafeBoot Chief Technology Officer, Simon Hunt
I must admit, I'm not too surprised that TJX group didn’t have secure wireless networks. Drive around nowadays and you'll find dozens of such WEP protected networks in commercial districts. It seems that now you can't buy a router without it having some wireless capability, but for some reason they still seem to promote WEP as the default security measure rather than WPA, which is no harder to activate.
I can remember working out of one of SafeBoot's development centers a year or so ago - I merrily turned on my laptop and it connected to a wireless network. I thought for a time that our IT department had set up a node off our global VPN in the development center, but thought it strange as we were going through security appraisals and had a mandate for wired networks only in development at the time.
On further investigation, it seems my laptop had happily connected to the (completely) unprotected network of the high security cash-handling company across the street. TJX, like many other reputable companies, suffer from the problem of IT visibility. It's so easy for someone to go to Best Buy and purchase a wireless router, plug it in and get instant wireless network.
So how does an IT department, which may have a top level mandate to secure the network, discover that router? How does that department measure the quality of security on thousands of disparate endpoints, on many locations? This particular attack is one of a thousand stories.
Unless everyone is aware of all the risks, how can any central department police an entire enterprise network? Luckily there are a few emerging technologies under the topic "Network Quarantine" which propose to remediate this situation. Cisco, Vernier Networks and Microsoft seem to be leading the charge, but like any other enterprise change, it takes time, effort and dedication to implement such a switch.
Between now and then, we need to work at the human level and strive through education and policy to mitigate as many of these potential entry points as possible. Unfortunately, there's no magic solution to security, there's no one product you can implement which covers all the bases, and there never will be. Security is a mindset and a game of least effort - most reward
Media Contact for SafeBoot International:
| Non-EMEA / APAC | EMEA/APAC |
| Eric Sommerton | Tom de Jongh |
| eric.sommerton@safeboot.com | tom.dejongh@safeboot.com |
| +1.239.430.0386 | +31(0)30 634 88 00 |
