- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
This holiday season, Americans will spend more than $600 billion buying gifts for friends, colleagues, and loved ones. Roughly 46 percent of the transactions will be done online, with the remaining purchases made in stores. Most shoppers will use credit or debit cards, assuming (incorrectly) that manufacturers and retailers are doing everything possible to protect their personally identifiable information from being stolen by malicious hackers. The truth about whether your information is adequately secure depends upon the security standards and practices that manufacturers and distributors use, which oftentimes fall short.
One way that the private sector can make it far less likely that your personal information will be stolen this holiday season is with red teams, the topic of my new book, Red Team: How to Succeed by Thinking Like the Enemy. Red teaming is a structured process that seeks to better understand the interests, intentions, and capabilities of an institution—or a potential competitor—through simulations, vulnerability probes, and alternative analyses. The protection of computer networks involves red team vulnerability probes, which emulate those malicious hackers that pose the greatest—and most likely—threat to a company’s computer networks.
The costs of not conducting realistic vulnerability probes can be highly consequential for corporations, in terms of their profits, reputation, and even the employment of senior leaders. One prominent example of how a red team might have protected consumers occurred two years ago when Target’s networks were breached during the holiday shopping season.
Every year, malicious hackers steal tens of millions of debit and credit cards, which they use to print fake cards for in-store purchases, resell to other cyber criminals, or to attempt illegal cash withdrawals or online purchases. These account for worldwide fraud losses of $16.31 billion each year. Unsurprisingly, malicious hackers were constantly attempting to breach the computer networks of Target, the sixth highest grossing U.S. retailer, which conducts $72.6 billion worth of customer transactions annually.
Rather than exploit a vulnerability in the company’s own relatively well-defended networks, the hackers found the weakest point of defense—Fazio Mechanical Services, an outside heating, ventilation, and air-conditioning vendor (HVAC) that was hired to monitor energy-use levels in stores. This began with a malware-laced phishing attack e-mail sent to employees at the HVAC firm. Once inside that vendor, the hackers were able to steal the network credentials that Target had willingly provided to Fazio Mechanical Services.
After using those credentials to get inside Target’s networks, the hackers used BlackPOS malware—developed by a 17-year-old Russian hacker and available on black markets for $1,800-$2,000—to hijack the retailer’s security and payments system. Subsequently, whenever customers swiped debit and credit card at registers, that information was sent to a remote server controlled by the hackers. In an eighteen day period, the hackers were able to steal 40 million customer credit and debit card accounts and personal information of 70 million customers without Target knowing—they only learned of the data breach when they were informed by security expert Brian Krebs one week before Christmas. The cumulative cost to Target so far is $290 million, the retailer’s reputation, as well as the firing of the CEO and chief information officer.
Tragically, the Target hack might have been avoided with red teaming. Just days after learning of the breach, Target hired Verizon to conduct a red team vulnerability probe to evaluate the extent of the company’s network vulnerabilities. Verizon confirmed that once the hackers entered Target’s network, they had direct and unsolicited access to cash registers at 1,800 stores. It found that password protocols were not being followed—they cracked 86 percent of Target’s passwords—and security patches were missing or outdated. Finally, and this is a warning for the internet-of-things future, Verizon was able to communicate directly with Target’s checkout registers at one store after accessing a deli meat scale at a different Target store. Had the retailer authorized this vulnerability probe before the holiday season hack, rather than afterward, it may have saved a few hundred million dollars.
Target, like all retailers, spends a lot of money defending its computer networks, and secures them consistent with industry standards. However, today’s cyber defenses and standards will always be overcome by tomorrow’s proficient malicious hackers. Thus, all companies that hold information of value should assume that criminals will attempt to obtain, corrupt, or hold hostage this information. Red teams, which emulate the methods of malicious criminal hackers, can help any company test its networks, identify vulnerabilities, and recommend corrective measures. In the absence of such red team vulnerability probes, companies are just hoping that their data has been adequately security. Of course, hope is never a plan of action.