Sometime late in 2006 security analysts reported several potential flaws and unprotected records to the 800-store chain T.J. Maxx. The analysts proposed procedural and equipment remedies costing between $50,000 and $75,000. Managers of the retail giant, however, deemed the cost excessive and ignored the warning.
In January 2007 T.J. Maxx disclosed that thieves had hacked into its network and stolen credit card numbers along with personal information; later estimates put the number of compromised card accounts above 90 million. The breach ended up costing the company an estimated $216 million, with estimates of lost sales reaching $1.35 billion.
Providing these ounces of prevention, and publicizing the penalties of their neglect, has been a lifelong passion of Florindo Gallicchio, risk management assessor with Melillo Consulting Inc. in Somerset. Gallicchio will discuss “Security Challenges in the Mid-Atlantic Area” as part of the New Jersey Technology Council’s 2008 Mid-Atlantic Security and Defense Expo on Thursday, June 19, at 11 a.m. at the Sarnoff Corporation. Cost: $100. Visit www.njtc.org. Several presenting companies and a host of exhibitors will join the workshops.
The many venues of Gallicchio’s security career have brought him a score of shifting challenges in the same old problem of protecting one’s assets. Born in the Bronx, Gallicchio grew up in Brewster, New York, and attended SUNY Cortland for a year until his funds ran out. Seeking both income and training, he joined the U.S. Navy and began working for the National Security Agency. His native knowledge of Italian and school-learned Spanish placed him in the NSA’s foreign language intelligence section. “I studied constantly for six of my ten years there and came out just flooded with all the latest intelligence methods,” Gallicchio says.
Gallicchio then joined a small private security firm in Manhattan before moving to Johnson & Johnson to manage information security for the company’s entire global network. From there he went to Prudential Insurance, where he became a risk assessment expert. After dabbling with his own security firm, Gallicchio joined Melillo Consulting five years ago.
“We have a lot less to fear from planes flying into buildings or physical threats than we do from the theft of intelligence, capital, and vital data,” says Gallicchio. Fending off flaming missiles and smuggled poisons may demand costly legions of guards, but avoiding the equivalent chaos wrought by computer intrusions can be achieved with more brains than cash.
Identifying assets. Security-minded managers of late have shown a greater willingness to buy security systems than to think about what those systems should protect. They are posting guards without knowing where the fence lies. Most of this comes from building protection plans threat by threat. Managers hear that some type of breach could happen in their company, so they patch up a system against it. Another potential breach is rumored. Up goes another system.
Gallicchio suggests a more sensible, custom-tailored approach. “First identify all your assets,” he says. “List them in categories of criticality. Only then do you decide what the threats might be and take steps of risk protection.” This assets-first method frequently brings to light vital information systems that would otherwise be ignored and left unprotected. It also provides an overview that keeps protection practices less redundant and more economical.
The inside man. Last year a large entertainment company rejected Gallicchio’s bid for a risk management analysis. Then, three days before Christmas, the company cried for help. Gallicchio traced the data streams and discovered one worker who was viewing massive amounts of data unrelated to his job. He brought this to the attention of the company’s CIO, who announced, “Why, we fired that man over a month ago.” The disgruntled employee had been stealing information via his remote-access account, which had never been disabled after his termination.
“Companies tend to be very good at protecting data and systems,” says Gallicchio. “They love to install great encryption and lock down tools. But most tend to totally ignore the management of that data and the human factor.” It is in the day-to-day handling of data, who can retrieve it and through which applications, that most errors and thefts take place. Yet these areas remain the least guarded.
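The failure in that story is an account-lifecycle gap, and it is the kind of thing a short reconciliation catches before an outsider has to. The following is an added example, not code from the article or from Melillo Consulting: it cross-checks a constructed HR feed against the accounts still enabled on a remote-access gateway, flags logins and downloads dated after a user's termination, and flags users whose outbound data volume dwarfs everyone else's. User names, dates, paths and the log format are all hypothetical.

```python
# Added example (not from the article): reconcile HR status against
# remote-access accounts and VPN activity to catch the "inside man" case.
# All data below is constructed; user names, dates, paths and the log
# format are hypothetical.
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR feed: account -> termination date (None = still employed).
HR_STATUS = {
    "jdoe": None,
    "kpatel": None,
    "mrivera": date(2007, 11, 15),   # let go over a month before the incident
}

# Constructed list of accounts still enabled on the remote-access gateway.
ACTIVE_ACCOUNTS = {"jdoe", "kpatel", "mrivera", "svc_backup"}

# Date of the review: three days before Christmas, as in the story.
REVIEW_DATE = date(2007, 12, 22)

# Constructed remote-access log: one event per line, key=value fields.
VPN_LOG = """\
2007-12-18T22:41:03 user=jdoe event=login bytes_out=120000
2007-12-19T01:12:44 user=mrivera event=login bytes_out=0
2007-12-19T01:13:01 user=mrivera event=download path=/finance/q4 bytes_out=980000000
2007-12-19T03:02:17 user=mrivera event=download path=/legal/contracts bytes_out=1450000000
2007-12-19T09:05:00 user=kpatel event=download path=/hr/policies bytes_out=2100000
2007-12-20T10:00:00 user=jdoe event=download path=/finance/q4 bytes_out=3400000
"""


def parse_log(text):
    """Turn the key=value log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        kv = dict(f.split("=", 1) for f in fields[1:])
        events.append({
            "ts": datetime.fromisoformat(fields[0]),
            "user": kv["user"],
            "event": kv["event"],
            "path": kv.get("path"),
            "bytes_out": int(kv.get("bytes_out", "0")),
        })
    return events


def orphaned_accounts(active, hr_status, as_of):
    """Accounts still enabled although HR shows the person was terminated before as_of."""
    return sorted(u for u in active
                  if hr_status.get(u) is not None and hr_status[u] < as_of)


def unowned_accounts(active, hr_status):
    """Accounts with no HR record at all (service or contractor accounts nobody owns)."""
    return sorted(u for u in active if u not in hr_status)


def activity_after_termination(events, hr_status):
    """Log events by a user dated after that user's termination date."""
    return [e for e in events
            if hr_status.get(e["user"]) is not None
            and e["ts"].date() > hr_status[e["user"]]]


def volume_outliers(events, factor=10):
    """Users whose total bytes out exceed `factor` times the median user total."""
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += e["bytes_out"]
    if not totals:
        return {}
    cutoff = factor * median(totals.values())
    return {u: b for u, b in totals.items() if b > cutoff}


def run_review():
    """Combine the checks into one findings report."""
    events = parse_log(VPN_LOG)
    return {
        "orphaned": orphaned_accounts(ACTIVE_ACCOUNTS, HR_STATUS, REVIEW_DATE),
        "unowned": unowned_accounts(ACTIVE_ACCOUNTS, HR_STATUS),
        "post_termination_events": activity_after_termination(events, HR_STATUS),
        "volume_outliers": volume_outliers(events),
    }


if __name__ == "__main__":
    for finding, detail in run_review().items():
        print(finding, detail)
```

On the constructed data the review flags `mrivera` three ways: the account is still enabled five weeks after termination, all three of its events postdate the termination, and its outbound volume is hundreds of times the median. The `svc_backup` account turns up as a separate finding because nobody in HR owns it, which is the usual reason such accounts outlive the people who created them. The one procedural fix the story calls for, disabling remote access the day someone leaves, is the cheap part; running this reconciliation on a schedule is what catches the cases where that step was missed.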
Procedures vs. gadgets. One client was a large global bank whose operations were one step short of paranoid. It had a 100-person security department all busily working when Gallicchio came to perform his risk assessment. Most of them were operating new automated monitoring tools that traced cash and information flows.
Fancy as the new tools were, Gallicchio unearthed more than 6,000 data accounts with no access controls at all. In violation of banking data-privacy requirements, they lay open to anyone in the department to read or alter at will. Automated systems provide a good first pass, but it takes manual review to discover such systemic flaws.
“They violated the fundamental security rule of segregation of duties,” says Gallicchio. “Only two people needed to work on those files. The rest shouldn’t have even known the files existed.” Compartmentalizing the work and operating on a need-to-know basis not only removes temptation; it also keeps the company in regulatory compliance.
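What the bank's tools missed is the gap between who is supposed to see a file and who can actually open it. The following is an added example, not code from the article or from Melillo Consulting, of the review that closes that gap: it expands each share's access list through nested groups, compares the result against the business owner's need-to-know list, and reports every extra principal. It also goes one step beyond the story with a strict segregation-of-duties check, flagging any one person who holds both halves of a conflicting role pair such as initiating and approving a wire. Paths, group names, user names and roles are all constructed.

```python
# Added example (not from the article): a need-to-know and segregation-of-
# duties review of the kind the bank's automated tools missed. All names,
# paths, groups and roles are constructed and hypothetical.

# Constructed group directory. A member starting with "@" is a nested group,
# which is exactly what makes an ACL look tighter than it is.
GROUPS = {
    "ops-all": {"carol", "dave", "@contractors"},
    "contractors": {"erin", "frank"},
}

# Constructed effective ACLs: who can open each file share.
ACLS = {
    "/vault/settlement-keys": {"users": {"alice", "bob"}, "groups": set()},
    "/vault/wire-approvals": {"users": set(), "groups": {"ops-all"}},
}

# Who actually needs each resource, per the business owner.
NEED_TO_KNOW = {
    "/vault/settlement-keys": {"alice", "bob"},
    "/vault/wire-approvals": {"carol", "dave"},
}

# Constructed role assignments and the pairs no single person may hold.
ROLE_ASSIGNMENTS = {
    "alice": {"initiate-wire"},
    "bob": {"initiate-wire", "approve-wire"},
    "carol": {"approve-wire"},
}
CONFLICTING_ROLES = [("initiate-wire", "approve-wire")]


def resolve_group(name, groups, _seen=None):
    """Expand a group to its users, following nested groups and ignoring cycles."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, ()):
        if member.startswith("@"):
            users |= resolve_group(member[1:], groups, seen)
        else:
            users.add(member)
    return users


def effective_principals(acl, groups):
    """Every user who can reach the resource once groups are expanded."""
    users = set(acl["users"])
    for group in acl["groups"]:
        users |= resolve_group(group, groups)
    return users


def overexposed(acls, need_to_know, groups):
    """Resources granted beyond the need-to-know list, with the extra principals."""
    findings = {}
    for resource, acl in acls.items():
        extra = effective_principals(acl, groups) - need_to_know.get(resource, set())
        if extra:
            findings[resource] = extra
    return findings


def sod_conflicts(assignments, conflicting_pairs):
    """Users holding both halves of any conflicting role pair."""
    findings = {}
    for user, roles in assignments.items():
        hits = [pair for pair in conflicting_pairs if set(pair) <= roles]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    print("over-exposed:", overexposed(ACLS, NEED_TO_KNOW, GROUPS))
    print("SoD conflicts:", sod_conflicts(ROLE_ASSIGNMENTS, CONFLICTING_ROLES))
```

On the constructed data `/vault/wire-approvals` looks correctly restricted to one operations group, but expanding that group through its nested contractors group exposes two people who have no business seeing it; that is the "6,000 open accounts" pattern in miniature, and it only shows up when someone resolves the groups rather than reading the ACL at face value. The separate role check catches `bob`, who can both initiate and approve a wire. A review like this is cheap to run against an exported ACL and group listing, which is the point Gallicchio makes: the fix is procedural, not another appliance.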
“Virtually all of our major infrastructure today runs on computers, and this makes security more vital than ever,” says Gallicchio. “I cannot tell you the number of times I have hacked into systems and been able to turn on the flow valve of a chemical plant from 80 miles away.” The solutions are less Orwellian and costly than supposed.
Recently the FBI released a study saying that 70 percent of all security breaches could have been prevented with procedural changes rather than purchases of new equipment. It’s mostly a matter of limiting access, backing up files, setting up retrieval protocols, and tracing the flow of data. It may mean hiring another person to spread the security tasks, rather than piling more work on an already burdened staff.
Is it worth the expense to hire more workers just to handle security details? Just ask the managers of T.J. Maxx.