Are we a Target?


2014 has started out with a bang in terms of publicly disclosed compromised systems.  We entered the year with a slew of privacy events starting with Target’s massive breach, followed by other retailers such as Neiman Marcus and Michael’s and a current investigation with lodging and food services giant White Lodging.  The Syrian Electronic Army (SEA) has made multiple appearances in headlines already this year with claims including PayPal and eBay, XBox’s Twitter account, and more recently Facebook’s domain record.

Despite these privacy concerns painted all over the news, we still frequently run into IT organizations that do not seem to have the support of their business partners when it comes to security.  The rationale often falls somewhere along the lines of “How could we be a target?  All we do is sell xyz widgets.” Granted, this mentality has become somewhat rare in those industries that have been under scrutiny for a while (i.e. financial, government, healthcare).  But others are still experiencing the “Are we really a target?” syndrome.

Given the wide range of motives in the year 2014, every organization should consider itself a potential target and should be asking itself better questions.  The most obvious attackers are financially motivated and after credit cards and personal information.  Do you store or process any of this type of data?  Then you are most definitely a target, and if you haven’t already done so it is time to get your PCI-compliance groove on!  Some attackers are hacking into organizations just to make a statement.  They will seek out ways to tie their name to any organization that could result in gaining free publicity and attention.  Do you have a marketing department?  News feeds?  Blog?  Do you get a lot of website traffic?  Any of these things can make your organization a target!  Some attackers are after the end users, often considered the “weakest link” in an organization.  They will attempt to compromise employee machines to gain a foothold or distribute malware and grow botnets using employees and customers alike.  Do your employees use computers?  Do your customers use your website?  Then yes, you are a target!

In 2014 every business needs to think about and invest in security.  Organizations need to assume they are targets and ask themselves questions such as “Are we really doing everything we should be doing to protect the privacy of our employees and customers?”  and “What would be the consequences if our network was breached or data stolen?”.  In most cases the answer to the question “Are we a target?” should be assumed to be a big fat “Yes”.

Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of
a penetration test or other security consulting services you can contact him at, on Twitter @JGillam, or visit the Secure Ideas – ProfessionallyEvil site for services provided.