Surprise Security Testing? Welcome To Worst Practices

Written by Frank Hayes
October 10th, 2012

The CIO for Tulsa, Okla., was put on administrative leave on October 1, after a security company hired by the city ran an unannounced penetration test, and no one in the IT department realized it was a test. The usual tut-tutting aside (“How could he forget he hired this outfit?”), we’re wondering whether it’s time to dump the security “best practice” of doing surprise pen tests.

Yes, those tests should be a surprise to the security and ops people. But to the CIO? In today’s legal environment, with PCI and personal information on the line? That’s crazy. For a retailer, it’s even crazier.

What actually happened seems pretty clear at this point: The city’s Web sites were taken offline on September 12, after one of the city’s servers “was targeted by an unknown source,” the city said. Six days later, the city sent out 90,000 letters to people whose personal information was on the server because they had applied for jobs with the city over the past decade. Total cost of the mailing: $20,000. (No, we’re not sure how they sent out 90,000 time-critical, individualized letters for 22 cents each.)

Further investigation turned up an E-mail from the pen-testing company, SecurityMetrics, that was sent a few days after the “breach” with results of the test. Oops. That’s when CIO Tom Golliver was put on leave. The city also spent another $25,000 on a security postmortem, which exposed problems with the police department’s Web site so bad that the Web site is being completely rebuilt.

The standard wisdom on this type of incident is that the breach-response checklist should have included a call to the security vendor to confirm it wasn't the source of the "attack." One big problem with that: Just because there's a pen test going on doesn't mean you're not also being attacked by cyberthieves. Even once the vendor confirms a test is under way, the activity still has to be matched against the test's agreed scope and source addresses before any of it can be written off as the tester's work.

After all, that was the tactic used in last year’s huge attack on Sony’s PlayStation Network E-Commerce site: A denial-of-service attack was used as a diversion while thieves targeted information on millions of customers. In that case, both attacks were by the same thieves. But thieves are opportunistic, and they monitor high-profile Web sites constantly. If they spot a site that’s under DoS attack—for real or as a test—that’s the perfect time to launch their own intrusion.

But that's not the only problem with surprise pen-test attacks, especially for retail chains. There are definitely wrong times for a retailer to get a surprise attack: during a major online sale or promotion, for example, or while newly upgraded equipment is coming online after a planned outage. The point of pen testing is to identify existing vulnerabilities, not to interfere with business (or with getting back to business). If the test isn't coordinated with IT executives, there's no way to pick a window that minimizes disruption to the business.

