The Buzz

Red Teams are Santa’s Helpers this Holiday Season

This holiday season, Americans will spend more than $600 billion buying gifts for friends, colleagues and loved ones. Roughly 46 percent of the transactions will be done online, with the remaining purchases made in stores. Most shoppers will use credit or debit cards, assuming (incorrectly) that manufacturers and retailers are doing everything possible to protect their personally identifiable information from being stolen by malicious hackers. The truth about whether your information is adequately secure depends upon the security standards and practices that manufacturers and distributors use, which oftentimes fall short.

One way that the private sector can make it far less likely that your personal information will be stolen this holiday season is with red teams, the topic of my new book, Red Team: How to Succeed by Thinking Like the Enemy. Red teaming is a structured process that seeks to better understand the interests, intentions and capabilities of an institution—or a potential competitor—through simulations, vulnerability probes and alternative analyses. The protection of computer networks involves red team vulnerability probes, which emulate those malicious hackers that pose the greatest—and most likely—threat to a company’s computer networks.

The costs of not conducting realistic vulnerability probes can be highly consequential for corporations, in terms of their profits, reputation, and even the employment of senior leaders. One prominent example of how a red team might have protected consumers occurred two years ago when Target’s networks were breached during the holiday shopping season.

Every year, malicious hackers steal tens of millions of debit and credit cards, which they use to print fake cards for in-store purchases, to resell to other cyber criminals, or to attempt illegal cash withdrawals or online purchases. These thefts account for worldwide fraud losses of $16.31 billion each year. Unsurprisingly, malicious hackers were constantly attempting to breach the computer networks of Target, the sixth highest grossing U.S. retailer, which conducts $72.6 billion worth of customer transactions annually.

Rather than exploit a vulnerability in the company’s own relatively well-defended networks, the hackers found the weakest point of defense—Fazio Mechanical Services, an outside heating, ventilation and air-conditioning (HVAC) vendor that was hired to monitor energy-use levels in stores. The intrusion began with a malware-laced phishing e-mail sent to employees at the HVAC firm. Once inside that vendor, the hackers were able to steal the network credentials that Target had willingly provided to Fazio Mechanical Services.

After using those credentials to get inside Target’s networks, the hackers used BlackPOS malware—developed by a 17-year-old Russian hacker and available on black markets for $1,800-$2,000—to hijack the retailer’s security and payments system. Subsequently, whenever customers swiped debit and credit cards at registers, that information was sent to a remote server controlled by the hackers. In an eighteen-day period, the hackers were able to steal 40 million customer credit and debit card accounts and personal information of 70 million customers without Target knowing—the company only learned of the data breach when it was informed by security expert Brian Krebs one week before Christmas. The cumulative cost to Target so far is $290 million, along with damage to the retailer’s reputation and the firing of the CEO and chief information officer.