They say that in investing, you should invest what you know. On Seeking Alpha, that translates to writing about what you know. I am not an investment professional. I understand compound interest. I understand inflation. I fear not having enough money at retirement.
My background -- what I know
I have worked in a lot of IT departments, and I have peeked under the hood of many more. I think I have a reasonable comprehension of what symptoms in the IT department tend to indicate for companies as a whole.
I'm not an IT security professional. My specialty is data and databases. I have, in the past, done some development where security was a major consideration. Developers need to understand security so they can build it in. I feel like I have a minimally adequate understanding of security for a developer, which probably puts me ahead of 90% of the people actually doing development in the U.S. Any true black hat hacker or security professional, however, will laugh at my knowledge and skill set.
With that said, I thought I would take a look at the question of whether security breaches indicate general infrastructure problems within an organization.
Security and Breach Vocabulary:
Script Kiddies: Individuals with little or no true technical skill who run pre-packaged scripts to attack. In general, organizations that pay any attention to security are not at risk from script kiddies -- see penetration testers below.
Kiddie Scripts: Scripts used by script kiddies. They're generally available on the internet, often for free. Most people in the security community -- black hat and white hat -- have a library of these things.
Junior Penetration Tester: A white hat hacker who is paid to run kiddie scripts against your system and tell you what gets breached.
Penetration Tester: A white hat hacker with considerable skill who performs a few tests on your system in addition to running the kiddie scripts.
Sophisticated Attack: Anything that breached our system. Seriously, has any company that announced a breach ever admitted they were breached by anything less than a "sophisticated" or "advanced" attack? (Even Kiddie Scripts can seem pretty sophisticated to an old school security manager with a physical view of security.)
Definition of Security:
Like safety in investments, all security is relative and it involves a lot of trade-offs. If you ask somebody if a system is secure, and they answer "yes", fire them on the spot. They are either incompetent or lying. If you expect to hear "yes", either educate yourself or fire yourself. No system is secure. Any system can be breached. I don't think a true security professional can ever say "yes" about a system that can be turned on and plugged in.
"Is the system secure?" is the wrong question to ask. The questions to ask are things like "How secure is the system?" or "Is the level of security adequate to the value of the information?" The other question is: are we implementing the usual and standard best practices?
To the Question
So, to our question, what can security breaches indicate about an organization? Can they offer clues to infrastructure inadequacies within an organization?
I'm going to say the answer is: it depends on the breach. Because I am of the opinion that all systems are vulnerable, I'm going to say that anybody can be breached. The fact that an organization got breached doesn't mean much to me. The headlines are going to be the fact of the breach. The headlines mean bad press, and the company's stock may be down for a couple of weeks. In terms of indications about company infrastructure, though, breach headlines mean nothing.
TGT got hit recently -- might be a good time to buy Target. Let's do some due diligence on the breach.
You have to look at the facts of the breach. What do the security professionals say about the sophistication of the attack? How quickly was it identified? How quickly was it stopped? What was the company's response?
Never trust the company's press release about the sophistication of the attack. The breached entity will always use terms like "sophisticated" or "advanced". Has anybody ever admitted to being cracked by a Script Kiddie? Go to the security blogs. What do the security professionals say about the attack?
If the security professionals are using terms like "new", "novel", "advanced", "sophisticated", or "zero-day", then it probably really is sophisticated or advanced. The fact of the breach probably tells you nothing about the organization's IT.
If the security professionals are saying things like "patch available" or "preventable", then you know that IT security at the organization is not keeping up.
If you see terms like "well-known", "previously identified", the simple fact of the breach may tell you something about the organization's IT, but you have to dig a little further. Look at how long it has been well known and when it was previously identified. Has the organization had time to respond? Was it identified five years ago, or was it identified last week? In general, if the organization has had a month to patch the system and failed to do so, then the simple fact of the breach tells you something.
Basic IT security these days includes utilizing automated penetration testing tools and employing penetration testers. Basic and well-known attacks simply shouldn't be able to get through. When a basic or well-known attack gets through, that speaks volumes -- negative volumes.
In the case of the TGT breach, it seems to be a sophisticated new attack taking advantage of some known, but hard to address, vulnerabilities. The fact of the breach at TGT does not alarm me a great deal. Perhaps TGT should have had a more aggressive security stance, but their stance seems pretty standard and I don't think a pretty standard stance is going to stop this breach.
In terms of what it says about TGT's management or TGT as an investment, I don't think it really says much. The industry standard security profile is a little lax and TGT is not out of line.
The real key to looking at an attack is the identification of and response to the breach. How long was it going on? How difficult or easy was it to identify that the breach had happened? Did it last past one password change cycle? Were any hints or suggestions ignored?
Sometimes organization press releases are helpful here, particularly if you have an IT background. Again, the security blogs are the place to look. Since all breaches are different, it's hard to quantify or provide guidelines. A very subtle breach may, reasonably, go undetected for six months, while a more obvious breach should be identified and shut down in minutes or hours. Many should be identified in daily or weekly log monitoring cycles. You will have to depend on the security blogs to get clues as to what the security professionals think about the response.
In the case of the TGT data, the fact of the breach may have been hard to recognize, but the data being sent out of the organization was not. TGT should have recognized that somebody was sending huge volumes of data outside the firewall to unusual destinations. Yes, it happened on Black Friday when a data spike is expected. However, my opinion is that an organization like TGT probably should have noticed the data flow was above and beyond what was expected for Black Friday within 24 hours and identified that data flow as a threat within an additional 24 hours. From everything I have read, they completely missed the outbound data flow, and I fault them very heavily for that.
Simply identifying the outbound data flow doesn't identify the vector. TGT would still have had a lot of work to do to figure out where the data was coming from. However, there is a good chance the data can be contained within the TGT firewall and no further information compromised. From what I have read, there is no indication this sort of reaction happened. I'll fault TGT heavily for that.
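The detection argument above (outbound volume above the expected holiday spike, going to destinations the organization never talks to) can be turned into a simple check. The following Python is an added illustration, not code from the article or from Target; the flow records, destination addresses, the 4x spike allowance and the 10 MB floor for first-time destinations are all constructed assumptions.

```python
from collections import defaultdict
# Constructed flow records (not real Target data): (day, dst_ip, bytes_out).
# Baseline days are quiet; "2013-11-29" is the Black Friday-style peak day.
FLOWS = [
    ("2013-11-25", "203.0.113.10", 40_000_000),   # known partner (constructed)
    ("2013-11-25", "198.51.100.7", 5_000_000),    # known partner (constructed)
    ("2013-11-26", "203.0.113.10", 42_000_000),
    ("2013-11-26", "198.51.100.7", 5_500_000),
    ("2013-11-27", "203.0.113.10", 41_000_000),
    ("2013-11-27", "198.51.100.7", 4_800_000),
    ("2013-11-29", "203.0.113.10", 150_000_000),  # ~3.7x: expected holiday spike
    ("2013-11-29", "198.51.100.7", 6_000_000),
    ("2013-11-29", "192.0.2.55", 90_000_000),     # never-seen destination, big volume
]
BASELINE_DAYS = {"2013-11-25", "2013-11-26", "2013-11-27"}

def daily_egress(flows):
    """Sum outbound bytes per (day, destination)."""
    totals = defaultdict(int)
    for day, dst, nbytes in flows:
        totals[(day, dst)] += nbytes
    return totals

def baseline(totals, baseline_days):
    """Mean daily bytes per destination over the quiet baseline days."""
    sums, counts = defaultdict(int), defaultdict(int)
    for (day, dst), nbytes in totals.items():
        if day in baseline_days:
            sums[dst] += nbytes
            counts[dst] += 1
    return {dst: sums[dst] / counts[dst] for dst in sums}

def flag_egress(totals, base, day, spike=4.0, new_min=10_000_000):
    """Alerts for `day`: known destinations beyond `spike` x baseline, or
    never-seen destinations moving at least `new_min` bytes (skips small CDN-style flows)."""
    alerts = []
    for (d, dst), nbytes in totals.items():
        if d != day:
            continue
        if dst not in base:
            if nbytes >= new_min:
                alerts.append((dst, "new destination", nbytes))
        elif nbytes > base[dst] * spike:
            alerts.append((dst, "above expected spike", nbytes))
    return sorted(alerts)

if __name__ == "__main__":
    totals = daily_egress(FLOWS)
    print(flag_egress(totals, baseline(totals, BASELINE_DAYS), "2013-11-29"))
```

On the constructed data the known partner's 3.7x holiday jump stays under the allowance, while the 90 MB flow to a destination absent from the baseline is the one line a daily review would have to explain.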
There are suggestions -- I don't know if it is fact or speculation -- that TGT had information about an increased frequency of compromised cards somehow associated with TGT. Even if they did know they were likely the source of the breach, knowing where to look is hard. I've been there, "Yes boss, I believe we are the source of the leak. I have no idea where it's coming from." Very frustrating. You simply have to make a plan to check everything you can think of and you have to work the plan systematically. The outbound data volume was there to see. I think it's a lack of attention to detail. However, since this notification may be rumor rather than fact -- hard to say what TGT knew and when -- it's hard to say this indicates an issue with TGT's infrastructure.
If you want to steal credit cards, you go where the credit cards are -- and retailers are the weak link in the chain right now. Retailers are going to get hacked. I don't fault TGT for being a target (no pun intended). I don't know how much you can say about a company for being a (lowercase) target.
The entry and data collection was sophisticated. I don't fault TGT for the attack getting in. In general, I don't think you can fault organizations for entry of cutting edge attacks, but you can fault them for entry of lower-level and preventable attacks.
The data exit from TGT was reportedly brute force and obvious. Apparently, this is something TGT should have identified and responded to much faster than they did. This raises questions in my mind about TGT's IT. It always raises questions when an organization fails to respond to an attack or doesn't even know they have been attacked.
TGT's technical response to the breach raises questions in my mind about their infrastructure. These questions may or may not be valid, but they are enough that I wouldn't sleep well at night if I held the stock.
Not all breaches are a negative indicator for the breached organization, and some, in fact, may create buying opportunities. The recent TGT breach -- at least for me -- is not.
Disclosure: I have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.
Additional disclosure: No direct holdings in TGT or intent to buy any time soon. Probably long some ETF or fund that holds TGT.