June 5, 2014

TSG IntelBrief: Removing Hack Shame and Collaborating in Cyber Security

• Criminal hackers have stepped up attacks on mid-level and large-sized US retailers, taking advantage of lower technical defenses relative to financial institutions
• As the massive Target hack shows, brick-and-mortar businesses, even those with no web sales, are at similar risk for cyber hacking as purely online enterprises
• Human Resources departments, which are targeted for their valuable personally identifiable information (PII), are highly vulnerable to social engineering (phishing) attacks that render pointless even the best cyber defenses
• Hackers tend to crowdsource their capabilities and tools while businesses suffer in shamed isolation
• Business and government entities are slowly adapting by establishing information sharing systems to fight against the threat


The saying “there are two types of companies: those that have been hacked and those that just don’t know it yet” is less hyperbole these days, as criminal hackers turn more to so-called soft targets that don’t think they’re “hack-worthy.” Increasingly, hackers are attacking non-financial targets such as retailers, large and small. This progression was inevitable, given the protections the high-profile targets have put into place over recent years. It’s as if the robbers tired of trying to rob the bank—with its difficult vault and armed guards—and began to take from the customers coming in to make deposits.

The massive Target data breach in December 2013 reinforced for criminals the opportunities latent in targeting customer payment information in retail purchases, not just online but in the physical space. Money certainly motivates criminals, and as a frame of reference, total US retail and food sales for April 2014—just for April, and US only—were $434 billion. It doesn’t matter if the sale is offline; the details are online, and so every retailer, whatever its size, is at risk. Given the low-cost and easily repeatable nature of hacks, even the smallest firm is a revenue-win for criminals.

While ‘zero-day attacks’ (those that exploit a previously unknown vulnerability, a strike out of the blue) get headlines, most hacks involve long-known flaws and vulnerabilities that remain unpatched by large numbers of easy prey (shame, if you’re reading this using Windows XP). Additionally, it’s not just US retailers that are being targeted. According to a recent study by the Anti-Phishing Working Group, Chinese Internet giant Alibaba’s e-commerce unit Taobao trailed only eBay as the most spear-phished company in 2013.

More troubling, because it’s less expected, is the recent focus by hackers on the human resources departments of any company, not just retailers. HR holds the personally identifiable information (PII) of employees and contractors, as well as banking and routing information. To access these crown jewels, hackers don’t break in so much as they are invited in, through social engineering. Personnel recruitment units using employment sites such as Monster have fallen prey to malware inserted in fake sites and uploaded resumes. Also, by giving out, or replying from, specific HR employee email accounts—which is good customer service—companies give hackers a legitimate account to spoof (people will open an email from a known HR person far more often than a generic mailer). Because they hold so much PII, HR departments need more than perfunctory annual training on how not to click on suspicious emails.

On the positive side, business and government entities are finally adapting to the true nature of the threat by cooperating and collaborating with one another. The days of the Scarlet Letter H, when companies hid their being hacked and suffered in silence while the hackers crowdsourced their attacks and became a learning organism, are coming to an end. In May, a group of major US retailers, including Target, announced the launch of the Retail Cyber Intelligence Sharing Center (R-CISC), an independent organization that works with the FBI and US Department of Homeland Security, among other organizations, to share cyber threats and best practices. This is a significant step, since most companies hesitate to acknowledge attacks, let alone work with direct rivals on sensitive issues such as information system vulnerabilities.

While the real-time reporting and monitoring of emerging and trending cyber threats is helpful, it might be the training aspect of the R-CISC that proves more valuable. Hacker forums are filled with advice, guidance, and tools, as the criminals continue to learn and adapt. Members of the R-CISC can send representatives to learn best practices in both technical and social engineering defenses, and these people can then train personnel in their respective organizations. By collaborating with educational institutions as well as government organizations, cooperatives such as R-CISC help smooth out the reactive learning curve that collaborating criminals impose on individual companies. The threat is network-based, and therefore one of the best defenses against it is also network-based: a network of learning and adaptive targets.
