Security Sense: Big Guys Still Get Hacked Because They’re Staffed by Little Guys

You see this outrage all the time – “How could Sony / Anthem / Target get hacked when they’re so big?!” – as though size alone provides some sort of defense against attack. Sometimes these attacks are successful because they’re sufficiently sophisticated that ultimately even very good defenses are circumvented. However much of the time, that’s not quite the case.

Here’s a perfect example best illustrated pictorially:

This is an organization earning a couple of billion dollars a year yet somehow, Burger King’s Twitter account has ended up favoring Big Macs over Whoppers. Of course Twitter wasn’t hacked and the resulting imagery above was due to nothing more sophisticated than sloppy account management on Burger King’s behalf, but it’s still enormously embarrassing for a global brand.

Continuing the fast food theme, last year it was Dominos in France that had 650,000 accounts infiltrated followed by ransom demands and ultimately the public disclosure of the data. That’s a similar sized organization too with another couple of billion in annual revenue. This is exactly the sort of attack we see day in and day out via SQL injection which is incidentally the same attack vector that brought Sony Pictures undone the first time back in 2011.

So how does this happen? How do organizations with such enormous revenue streams continue to wind up victims of simple attacks? One answer is that particularly within large companies, digital assets such as websites and apps get distributed across all sorts of different agencies and third parties. Someone in the marketing department has a bright idea put to them by their creative agency and before you know it, somebody’s brother’s neighbour’s old room mate who does a bit of web design has stood up a branded site on a $5 a month host. Sometimes, the first the technology department knows about it is when there’s a Guy Fawkes mask on the front page.

Another answer is that regardless of how large and powerful a multinational might appear, at the end of the day it’s still staffed by a bunch of fallible humans. Like in all walks of life, some of them are very good at what they do and others, well, not so much. Certainly there’s not always a direct correlation between the size of the company and the quality of the technology people, particularly when technology is support service as in the examples here and not “core business”.

So what’s to be done about all these individuals who keep making mistakes? It’s often a question of organizational maturity with regards to security. For example, do software developers actually get any dedicated security training? Are security constructs such as threat modeling built into the development process or is it an implicit requirement? Are there formal processes for security review be that manual or even automated? And while we’re talking about reviews, is that just a one off at launch or does it happen regularly to ensure that Mary hasn’t made an insecure config change or Johnny inadvertently pushed a brand new vuln?

Big guys still get hacked because little guys make mistakes. The key difference with large orgs is that they have a better ability to implement the processes that helps the little guys do their jobs. That we still see as many incidents as we do at multinationals is a sure sign that all too often, these processes are entirely inadequate.

Troy Hunt
http://troyhunt.com
@troyhunt
Microsoft MVP - Developer Security