Ira Winkler: 6 failures that led to Target hack
The storyline that a single point of failure allowed a sophisticated attacker to steal millions of card numbers from Target just doesn't hold up
Computerworld - A recent edition of the Computerworld Security Daily Newsletter contained no fewer than four articles discussing the data breach at Target, which was first disclosed way back in December. What exactly happened to Target remains a matter of great interest.
What's being said about the hack is that it was enabled by a single point of failure. The blame is pinned on unstoppable malware on the point-of-sale (POS) systems or, alternatively, on a compromise of an HVAC contractor's credentials. Either way, Target wants you to believe that the chain was exactly what its name implies: the target of a highly sophisticated attacker.
But the truth is that systematic failures, and not a single point of failure, led to the Target hack. No single vulnerability was exploited. There were vulnerabilities throughout Target's security architecture that led to the theft of 110 million payment card numbers, along with the personally identifiable information of most of the affected cardholders.
Let's assume that Target's assertion is correct and that its network was compromised because its HVAC vendor was hacked. If that indeed led to the theft of millions of card numbers, then it suggests that Target's network was not properly segmented: the HVAC vendor's access was not restricted to the systems it actually needed. So that was the first failure.
Once the attackers were on the network, they clearly had to perform reconnaissance for an extensive period of time to find systems that would enable the distribution of their malware. That suggests that Target had inadequate or perhaps even no intrusion detection deployed that could identify extensive probing of the network, especially critical network segments where the POS systems reside. That was the second failure.
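The first two failures are both detectable from ordinary flow records. As an added example (not from the column, and not anything Target ran), the script below reads constructed NetFlow-style records and flags a flow from the vendor segment into the POS segment, which a segmented network should never carry, and a source that touches many distinct POS hosts in a short window, which is the probing described above. The address ranges, thresholds and records are assumptions made up for the example.

```python
# Added example: segmentation-violation and reconnaissance detection over
# constructed flow records. Segment ranges below are assumptions.
import ipaddress
from collections import defaultdict

VENDOR_NET = ipaddress.ip_network("10.50.0.0/16")   # assumed vendor/HVAC VPN pool
POS_NET = ipaddress.ip_network("10.200.0.0/16")     # assumed POS store segment

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    (100, "10.50.3.7", "10.10.1.20", 443),    # vendor -> billing portal: expected
    (101, "10.50.3.7", "10.200.1.5", 445),    # vendor -> POS: should be impossible
    (200, "10.10.0.3", "10.200.1.5", 8443),   # management server -> POS: normal
] + [(110 + i, "10.20.8.9", f"10.200.1.{5 + i}", 445) for i in range(14)]  # sweep

def segmentation_violations(flows):
    """Flows whose source is in the vendor segment and destination is in POS."""
    return [f for f in flows
            if ipaddress.ip_address(f[1]) in VENDOR_NET
            and ipaddress.ip_address(f[2]) in POS_NET]

def recon_sources(flows, window=60, threshold=10):
    """Sources that reach >= threshold distinct POS (host, port) pairs within
    any sliding window of `window` seconds: a fan-out pattern typical of
    someone mapping the segment rather than doing business with one host."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if ipaddress.ip_address(dst) in POS_NET:
            by_src[src].append((ts, dst, port))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            targets = {(d, p) for t, d, p in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)

if __name__ == "__main__":
    for f in segmentation_violations(FLOWS):
        print("segmentation violation:", f)
    print("reconnaissance sources:", recon_sources(FLOWS))
```

Whether the second check fires depends on the window and threshold; tune them against the segment's normal fan-out, since a patch server legitimately contacts every terminal.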
It appears that the intruders were able to get the malware on the POS systems via Target's own software distribution system, through worm-like methods of distribution, or by some combination of both. The attackers are thought to have tested the malicious software in a limited distribution, as a proof of concept, prior to wide-scale distribution. Either method should have been detected. Worm-like activity should have been picked up by network monitors. And if the attackers exploited Target's internal software distribution system, then Target should have had practices in place to verify any additions to the standard software being pushed out. Failure No. 3.
Most POS systems enable whitelisting, which lets only approved software run on the system. Malware introduced to a POS system with whitelisting enabled would be rendered inoperable, even if it hadn't been picked up by antivirus software. So not enabling whitelisting was the fourth failure.
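Failures 3 and 4 are two sides of the same control: a known-good manifest of the software that belongs on a terminal. The added example below (not from the column, not Target's tooling) shows the pre-push check a distribution system could run against such a manifest, refusing any package that contains an unlisted or altered file, and the run-time allowlisting decision that lets a binary execute only if its exact approved digest is present. File names, contents and the manifest are constructed assumptions.

```python
# Added example: manifest-based verification of a software push, and the
# execution rule an application allowlist enforces. All data is constructed.
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "gold" build of the POS software, as approved by change control.
APPROVED_FILES = {
    "pos.exe": b"approved point-of-sale binary v4.2",
    "pinpad.dll": b"approved pin-pad driver",
}
APPROVED_MANIFEST = {name: sha256(blob) for name, blob in APPROVED_FILES.items()}

def verify_package(package: dict, manifest: dict):
    """Return (ok, findings) for a package {filename: bytes} about to be pushed.

    The push is refused if the package carries a file the manifest does not
    list (an unexpected addition) or a listed file whose digest differs (a
    tampered binary). A missing file is reported but is not itself a sign of
    foreign code, so it does not block the push.
    """
    findings = []
    for name, blob in package.items():
        if name not in manifest:
            findings.append(("unexpected_file", name))
        elif sha256(blob) != manifest[name]:
            findings.append(("hash_mismatch", name))
    for name in manifest:
        if name not in package:
            findings.append(("missing_file", name))
    ok = not any(kind in ("unexpected_file", "hash_mismatch") for kind, _ in findings)
    return ok, findings

def may_execute(path: str, data: bytes, manifest: dict) -> bool:
    """Allowlisting decision on the terminal: run only an exact approved digest.
    Anything else, including a renamed copy of an approved file, is denied."""
    return manifest.get(path) == sha256(data)

# Constructed pushes: the legitimate build, and one with an extra unlisted file.
CLEAN_PUSH = dict(APPROVED_FILES)
EXTRA_PUSH = dict(APPROVED_FILES, **{"unlisted.exe": b"constructed unapproved binary"})

if __name__ == "__main__":
    print("clean push:", verify_package(CLEAN_PUSH, APPROVED_MANIFEST))
    print("push with addition:", verify_package(EXTRA_PUSH, APPROVED_MANIFEST))
```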