Neiman Marcus Ignores Their Security | Altaware, Inc. Cyber Security Blog

As information slowly becomes available, we now know a bit more about the Neiman Marcus data breach. Once again we're told it was sophisticated.

However, we're also told that their security systems logged 60,000 entries. In my book, sophisticated means undetected. 60,000 entries and nobody noticed; that's ignorance, not sophistication.

More we're told:
- 60,000 alerts over three and a half months
- This was less than 1 percent of the endpoint protection logs

That means that:
- These were alerts, not "blocked" entries; why?
- Why didn't anyone act on them?
- Existing alerting systems can prioritize and consolidate entries; was that not happening at Neiman Marcus?
- Security logs are supposed to be reviewed and signed off; did anyone do that, and who?
- Is anyone wondering about the other 99 percent of the security alerts?

Comments:
- So it was sophisticated because it had a name similar to one of their applications; would this same person have opened an email message claiming to be from UPS?
- Didn't anyone investigate further to see whether the spelling of the filename and directory was EXACTLY correct?
- Would a single alert have been less "sophisticated" to them?
- How about if an alert had named the file "approved-by-CIO"; would that have been sophisticated too?
- I'm sorry, but something that sets off 60K alerts and isn't investigated is not sophisticated.
- We're to believe that a mere 60K alerts out of, say, roughly 6M warrants no effort or investigation.
- That's like someone tripping a store's exit anti-theft alarm while carrying many bags that look like Neiman Marcus bags, and simply being let go.
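Two of the points above, that alerting systems can consolidate 60,000 repeated entries into a short prioritized summary, and that a file name which merely resembles a legitimate application should be compared exactly against the approved path, are easy to put into code. The following Python script is an added example written for this post; it is not Neiman Marcus's tooling or any vendor's product. The log format, host names, file paths and the allowlist of approved paths are all constructed for the example.

```python
"""Consolidate endpoint-protection alerts and flag look-alike file names.

Added example, not from the original post. It shows (1) grouping repeated
alerts by path so thousands of entries collapse into a few rows, and
(2) treating only an exact, case-insensitive path match as approved, so a
file that is spelled almost like a known application, or sits in the wrong
directory, is surfaced first rather than dismissed as "similar to one of ours".
All sample data below is constructed.
"""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed endpoint-protection log lines: timestamp|host|verdict|path.
SAMPLE_LOG = """\
2013-07-16T02:11:09|pos-101|ALERT|C:\\Program Files\\PosService\\possvc.exe
2013-07-16T02:11:10|pos-101|ALERT|C:\\Program Files\\PosService\\possvc.exe
2013-07-16T02:11:11|pos-102|ALERT|C:\\Program Files\\PosService\\possvc.exe
2013-07-16T03:40:02|pos-117|ALERT|C:\\Windows\\Temp\\p0ssvc.exe
2013-07-16T03:40:05|pos-117|ALERT|C:\\Windows\\Temp\\p0ssvc.exe
2013-07-16T04:00:00|ws-042|ALLOW|C:\\Program Files\\Acme\\acme.exe
2013-07-16T04:01:12|ws-042|ALERT|C:\\Users\\Public\\update.exe
"""

# Constructed allowlist of exact approved install paths (lower-cased).
APPROVED_PATHS = {
    r"c:\program files\posservice\possvc.exe",
    r"c:\program files\acme\acme.exe",
}


def parse_log(text):
    """Yield (timestamp, host, verdict, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        yield tuple(parts)


def consolidate(text):
    """Group ALERT entries by path -> {path: {"count": n, "hosts": set(...)}}."""
    groups = defaultdict(lambda: {"count": 0, "hosts": set()})
    for _ts, host, verdict, path in parse_log(text):
        if verdict != "ALERT":
            continue
        groups[path]["count"] += 1
        groups[path]["hosts"].add(host)
    return dict(groups)


def classify(path, approved=APPROVED_PATHS, threshold=0.8):
    """Return 'approved', 'lookalike' or 'unknown' for an alerted path.

    Only an exact (case-insensitive) full-path match is approved. A basename
    that closely resembles an approved one but differs in spelling or lives in
    another directory is a lookalike, the case the post says nobody checked.
    """
    norm = path.lower()
    if norm in approved:
        return "approved"
    base = norm.rsplit("\\", 1)[-1]
    for good in approved:
        good_base = good.rsplit("\\", 1)[-1]
        if SequenceMatcher(None, base, good_base).ratio() >= threshold:
            return "lookalike"
    return "unknown"


def prioritise(text):
    """Consolidated alert rows, lookalikes first, then unknown, then approved;
    within a class the most frequent path comes first."""
    order = {"lookalike": 0, "unknown": 1, "approved": 2}
    rows = []
    for path, g in consolidate(text).items():
        rows.append({"path": path, "count": g["count"],
                     "hosts": sorted(g["hosts"]), "class": classify(path)})
    rows.sort(key=lambda r: (order[r["class"]], -r["count"]))
    return rows


if __name__ == "__main__":
    # Seven raw entries become three reviewable rows, worst first.
    for r in prioritise(SAMPLE_LOG):
        print(f'{r["class"]:9} x{r["count"]:<3} hosts={len(r["hosts"])} {r["path"]}')
```

Run as-is, the seven constructed entries collapse to three rows, with the `p0ssvc.exe` in `C:\Windows\Temp` ranked above the genuine `possvc.exe` because it fails the exact-path check while still scoring as a near-match on name. The similarity threshold and the allowlist are assumptions for the example; in practice the allowlist would come from the organization's software inventory, and an "approved" verdict would still be logged, not dropped.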

I have no idea yet whether they were in fact complying with PCI, though, as was the case with Target, I have to ask:
1) How did the malware get in undetected?
2) How was the malware able to change systems and be allowed to continue?
3) How were these infected systems allowed to directly access the Internet and send out our data?

We have to get back to security basics and demand that large processors of credit cards prove they are in compliance with accepted best practices and existing PCI requirements.