And even if a company pays close attention to security, the complexity of the organization can trip it up, says Patrick Peterson, a security expert at Cisco Systems. He points out that other parts of Citigroup apparently had addressed this same security hole, even though the credit card group did not. The company “might have 20, 30, 40 lines of business,” he notes, “and 99.999 percent of the time they get it right. Then someone forgets something. It doesn’t make it okay, but it is difficult to scale things forever.”
Chris Novak, managing principal of Verizon’s security branch, which consults with businesses about intrusion prevention, says security oversights often result from an us-or-them approach. In other words, many organizations assume that employees and other insiders can be trusted, so they focus on defending against outside threats. But in designing their systems with these two groups in mind, they often overlook a third group: those who are “not an unknown but not an employee.” That’s essentially what happened in the Citi heist, when the hackers were never faced with the defenses meant for complete outsiders. It’s as if the company assumed that bank robbers don’t have bank accounts.
Novak says that when organizations are shown the vulnerabilities these users-but-not-employees can exploit, their first response is usually, “Well, why would a user do that?” Furthermore, he adds, a lot of large organizations “have a mind-set that they don’t have small problems.” They end up worried about “Mission: Impossible situations,” he says, but the vast majority of attacks are “opportunistic.”
Schneier suggests a more calculating explanation for Citi’s lack of proper defenses. Maybe the bank didn’t spend the money on good security because it figured that it would be cheaper and simpler to reimburse its customers for any fraudulent charges, he says.
Whatever the reason, these basic security weaknesses are more common than you might expect, Novak says. Faults similar to Citigroup’s show up each year in Verizon’s Data Breach Investigations Report, an analysis of hundreds of intrusions. In the 2011 report, for instance, only 18 percent of the cases Verizon investigated resulted from hacks of “high” difficulty—requiring “advanced skills.”