Target's Three Security Failures
02/20/14 Category: Thoughts
Target seriously violated our trust and didn't live up to their security requirements. While we've been led to believe the attack was quite sophisticated, the reality appears to be that their oversight was not.
Target failed on multiple counts, and they had at least three opportunities to detect and block the attack:
1) Malware got in undetected
2) They didn't detect the change to their POS (Point of Sale systems)
3) They didn't detect the sensitive information leaving
Malware got in undetected
So far, what we know is that credentials stolen from a contractor with access to the heating and cooling systems were used to get in. Let's look at what went wrong:
- Why were the POS systems not segmented away from the building environmental network?
- Why was two factor authentication not in place?
- Was there no role-based security in place?
- Why didn't security logs detect and alert on this access?
- Why didn't perimeter security detect the malware? We've been told it was sophisticated and undetectable by all solutions. I know of at least three vendors that supply robust solutions that would have detected it (one begins with a P, one with an F and one with a B). Modern virtual sandboxes are used to detect what code actually does, so pattern matching alone is no excuse.
POS systems were modified
- File Integrity Monitoring is used to detect changes to key operating system files against a known-good baseline.
- In order to capture the stolen data, malware had to be "inserted" into the POS systems, which means a change was made on those systems, and a change like that is exactly what FIM is there to catch.
Information was sent out
We've been told that Tor was used and that this made the traffic undetectable. Again, wrong and concerning.
- Why were POS systems allowed to access the internet?
- Next-generation firewalls can block applications, even Tor.
- Even if the data is encrypted, we would know it was heading to the Internet and where it originated from.
- Next-generation firewalls can even block traffic based on country designations.
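The two points above (POS systems should not reach the Internet at all, and even encrypted traffic still tells you the source and destination) come down to an egress rule over connection logs. The following is an added example, not code from the original post or from any firewall vendor, of that rule run over a few constructed log lines: any flow from the POS subnet to something other than its one allowed destination is flagged, with a note on whether the destination is Internet-bound or another internal network (which also covers the segmentation question asked earlier about the building environmental network). The subnets, the allow-list and the key=value log format are all assumptions made up for the demo.

```python
import ipaddress
from collections import Counter

# Constructed assumptions: the store POS subnet, the corporate RFC1918 ranges, and the
# only destination a POS host should ever talk to (a hypothetical payment switch).
POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DESTS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample firewall export in a simple key=value form (not a real vendor format).
# 10.40.1.5 stands in for a host on the building HVAC network; 203.0.113.45 is a
# documentation-range address standing in for an arbitrary Internet host.
SAMPLE_LOG = """\
ts=2013-12-01T02:14:50Z src=10.20.3.17 dst=10.40.1.5 dport=445 action=allow
ts=2013-12-01T02:15:01Z src=10.20.3.17 dst=10.10.5.4 dport=443 action=allow
ts=2013-12-01T02:15:07Z src=10.20.3.17 dst=10.10.5.4 dport=443 action=allow
ts=2013-12-01T02:16:12Z src=10.20.3.17 dst=203.0.113.45 dport=443 action=allow
ts=2013-12-01T02:16:40Z src=10.30.8.2 dst=198.51.100.9 dport=80 action=allow
ts=2013-12-01T02:17:03Z src=10.20.7.91 dst=203.0.113.45 dport=9001 action=allow
ts=2013-12-01T02:17:30Z src=10.20.7.91 dst=10.10.5.4 dport=443 action=allow
"""


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internet_bound(dst) -> bool:
    """True when the destination is outside every internal range we know about."""
    return not any(dst in net for net in INTERNAL_NETS)


def find_pos_egress(log_text: str) -> list:
    """Flag every flow where a POS host reached something outside its allow-list."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src not in POS_SUBNET:
            continue                                   # not a POS host; out of scope for this rule
        if any(dst in net for net in ALLOWED_DESTS):
            continue                                   # expected payment traffic
        alerts.append({
            "ts": f["ts"], "src": str(src), "dst": str(dst),
            "dport": int(f["dport"]), "internet_bound": is_internet_bound(dst),
        })
    return alerts


def offending_hosts(alerts: list) -> Counter:
    """Alerts per originating POS host: the 'where did it come from' answer."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = find_pos_egress(SAMPLE_LOG)
    for a in found:
        print(a)
    print(offending_hosts(found))
```

Note that the rule never looks at packet contents, so encryption or Tor changes nothing about it: a POS register has no business talking to anything but the payment path, and the moment it does, the source address alone tells you which register to pull. The same allow-list, enforced as a deny rule on the firewall rather than only logged, is what the "why were POS systems allowed to access the Internet" question is really asking for.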
If we're to believe what Target management said about the breach, they violated PCI compliance standards (some noted above):
- Who did the PCI audit?
- What management signed Target's PCI compliance form?
- Did Target in fact lie, on multiple fronts, about their compliance?
It's shameful, it's in violation of existing compliance requirements, and frankly they should be held accountable. We don't need new laws; we need large corporations to take security seriously. It's the law!