Cyberthieves Getting Good At Connecting The Dots, Expert Reports

Recent reports indicate that the cyberthieves who raided the IT systems of T.J. Maxx parent company TJX for customer data likely first gained entry to the systems by plucking poorly protected wireless data out of the air.

The resulting scenario paints a picture of a rapidly maturing cybercriminal element that's grown patient enough to quietly defeat IT security obstacles one at a time in order to avoid detection. Even more troubling, the theft of TJX customer data demonstrates the danger of focusing security efforts more on controlling admission into IT environments and less on managing users once they've been granted access.

Today's more sophisticated cyberthieves understand the value of scoring pieces of information that lead to the bigger picture. "They aren't just focused on the information, such as customer information stored on a stolen laptop," says Lloyd Hession, chief security officer for BT Radianz, whose IP-based RadianzNet network provides transaction and information services to the financial services industry. "They're peeling back the onion, collecting passwords and whatever else they need for authentication."

This latest twist in the TJX case, which follows the use of that data by thieves in Florida to fraudulently buy Wal-Mart give cards, sheds some light on the early stages of criminal activity that later lead to identity theft. It can begin as simply as an attempt to poach wireless data out of the air using a tactic known as "wardriving," which requires only a laptop, a telescope antenna, and an 802.11 wireless LAN adapter.

Even seemingly harmless information gleaned through wardriving, such as IP addressing schemes or IT device naming conventions, can expose how a company's internal networks are set up and help cyber thieves further penetrate a company's network. "There are ways just by sending innocuous traffic or a TCP connection request that gets bounced back to tell you if a port is open, for example," Hession says.

Such tactics make clear the need to not only network control access but also a user's movement within the network itself. Hession's approach at BT Radianz has been to first distinguish between users who are company employees and those who are contractors or business partners. "If you're a contractor, you get Internet access but you can't see any of our internal systems," says Hession, who also served as a chief architect of Internet security at IBM. Once this is done, security managers can further break down the levels of employee access based upon their job function or job title. "You're building a jigsaw puzzle for access to the network, and network access control is only part of this," he adds.

One way to make create a more difficult puzzle for cyberthieves to solve is through the use of secure switches within the network in conjunction with network admission control appliances that check to ensure devices attempting to connect into a network are free of malware and have all the most recent software patches. ConSentry Networks earlier this week introduced its latest, the CS-4024, a 24-port Gigabit Ethernet switch that will hit the streets by September for about $6,000.

Companies likely won't replace their existing networks immediately because they've already invested so much money in their current infrastructures. "We have a big investment in Cisco at this point," Hession says, adding that BT Radianz's infrastructure extends into 40 countries worldwide. BT Radianz already uses ConSentry LANShield controllers to filter traffic between Cisco switches and is looking to implement the new secure switches where they're needed most. "I'm in the process of figuring out how to get this into my organization," he adds.

Of course, Cisco itself is looking to be a big player in the network access control market, as is Microsoft. While these goliaths refine their strategies, CSOs like Hession can choose from a number of network access control technologies, including those from Lockdown Networks, Mirage Networks, Vernier Networks, and at least a dozen others. As the unfolding TJX story shows, the most effective NAC products will have to account not only for network admission but internal network access as well.