Last week was a particularly bad week for millions of retail customers, both at home and abroad.
First, global credit checking agency Experian reported the theft of the customer database from primary business partner, T-Mobile. Then Australian retailers Kmart and David Jones both admitted that an unnamed third-party exploited a vulnerability in their IBM WebSphere-based websites.
The attackers were able to make off with customer names, email addresses, delivery and billing addresses, phone numbers and product purchase details.
Both Kmart and David Jones claimed customers’ credit card details were not included in the heist, as they use online third-party payment gateways for all credit card payment processing.
But if you were notified by either retailer, you should be concerned about ID theft.
It’s a real possibility given the information that was stolen, so it would be smart to monitor bank accounts for unrecognised transactions, and report bills or letters from credit or online shopping agencies, unrecognised mobile phone contracts or unexpected letters from debt collectors to the police.
Some hard questions need to be asked as to why this problem is escalating.
Are hackers getting more sophisticated? Are the technologies we use to protect ourselves less effective than vendors are suggesting?
Why are traditional infosec defences not working? Are enterprises simply ignoring good security practices for the sake of rapid delivery or fear of downtime?
Or is there something more fundamental going wrong?
Looking at the examples of Kmart and David Jones, both companies have a common ecommerce platform poised as a prime target on the internet.
Given the kind of data that was released in this breach, it's not difficult to imagine how an attack on the IBM WebSphere product could be responsible.
Taking a quick look at NIST’s national vulnerability database, on September 14, 2015, vulnerability CVE-2-15-4980 details an unspecificed vulnerability in IBM WebSphere Commerce 184.108.40.206 through 220.127.116.11 that allows "remote authenticated users to obtain sensitive personal information via unknown vectors".
IBM released a patch for this vulnerability on August 28, 2015, giving customers just over two weeks to patch the problem prior to details being officially released on the NIST database.
Security teams at Kmart and David Jones would have received the bulletin from IBM and, given the description of the patch on IBM's website - "an authenticated shopper could exploit a security vulnerability in WebSphere Commerce to expose a user's personal data" - the security ops guys should have prioritised it as a critical patch and rolled it out immediately.
Whilst we don’t know all the details, we can speculate what might have gone wrong based on observations from other recent data breaches, such as the Office of Personnel Management.
Organisations always struggle to prioritise the workload of their security operations teams, since plans are often reviewed monthly (or weekly if you’re lucky).
Security teams are often smaller than they should be, maybe with vacancies in the core team, and hence overworked. If no one in the business is prioritising work from the perspective of the threat environment (which we know is continually changing), then the static workplan drives their daily grind.
It’s fair to say that many enterprises have systems that remain unpatched for a lot longer than they should, but since these systems are harder to get to (and hence, exploit), it’s not so bad.
But when a vulnerability is discovered on your web front-end then the directive should be to drop everything else and remediate.
An inadequate approach to security patching is all too often the cause of a security breach.
Maybe Kmart and David Jones need to look at adopting a threat-centric approach to prioritising their security operations work.