New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but perhaps not for the reasons that are immediately obvious.
The attackers got in using a vendor’s username and password. They then exploited a Microsoft elevation of privilege vulnerability. Microsoft patches a lot of those: there will be seven of them in the November 2014 Patch Tuesday bundle, and there were two in October. This gave them enough permission to jump into the retail point-of-sale network and install malware. Critically, Home Depot deployed the relevant patch while the attack was in progress. But at that point it was too late to stop that attack, only future attacks. As far as this attack was concerned, the damage was done. Deploying a patch probably isn’t going to stop an attack that’s in progress, unless perhaps it happens to catch one in its very earliest stages.
This is why you patch early and often. Many people are hesitant to patch because they think patches break things, but not patching lets people break into things. This is also why you deploy every applicable patch, not just the ones marked “Critical.” I’m pretty sure Home Depot considers the vulnerability that these attackers used critical now, regardless of how Microsoft rated it originally.
Having 100% of available patches deployed to 100% of existing systems doesn’t make you invincible, but it greatly limits an attacker’s options and the attacker will probably abort and go attack someone else. It’s like having the best locks in your neighborhood. If you have $50 locks on your doors, a thief is probably going to move on because odds are there are at least two houses on your street that have $8 locks.
The reason only self-checkout registers were affected was the naming convention. I never thought of my employer’s cryptic, completely undescriptive and sometimes misleading naming convention as a security feature, but in this case, it was. The regular checkout registers couldn’t be readily identified by name, but the self-checkout registers could. So the attack easily could have been 10 times worse.
There are many ways to get data out of a network once you’re inside, even if a company has good security. So there is less of a lesson to be learned there, and preventing exfiltration is a more advanced security practice. The failures here were at the basics: running outdated software and not patching the current software quickly enough. That said, most companies I know of don’t execute on the basics perfectly.
I’ve seen several news articles describe the attack as “clever.” I don’t see it as clever, perhaps because I sit next to a penetration tester. The thing is, the occasion didn’t call for sophistication, and an attacker will be exactly as sophisticated as the network forces him to be.
I know I’ll be sharing these lessons from this particular breach for weeks to come, if not months. Patching is extremely undervalued, and this attack shows precisely why.