Major companies, like Target, often fail to act on malware alerts
Target paid the price for its apparent failure; other big firms follow the same pattern and could face the same fate, analysts say
Computerworld - Companies that suffer major data breaches almost always portray themselves as victims of cutting edge attack techniques and tools. The reality, though, is often much more mundane.
Case in point: Target, which last year was hit with a major data breach that exposed to hackers data on some 40 million credit and debit cards and personal data on another 70 million customers.
The retailer on Thursday acknowledged that it could have mitigated or even avoided the breach had it paid closer attention to alerts generated by its security monitoring tools.
Target spokeswoman Molly Snyder said the company investigated but ultimately dismissed early signs of a data breach. "Based on their interpretation and evaluation of that activity, the [Target security] team determined that it did not warrant immediate follow-up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different," she said.
Target isn't alone in making such mistakes, says Joe Schumacher, a security consultant for Neohapsis, a security and risk consulting company.
"I have seen enterprises roll out very expensive systems to handle security monitoring, yet there is no subject matter expert for this technology or risks within the enterprise," he said.
Often, companies deploy security technologies with default alerts, resulting in many false positive warnings, Schumacher added.
"Any organization looking to implement security technologies should make the same investment in their people to help configure the technology," he said.
Eric Chiu, president and co-founder of HyTrust, a cloud security company, added that companies often ignore security alarms because they are numb to them, they get too many false warnings or because they are understaffed.
"You can have all the alarms you want, but unless you put security in a prominent position in the company and have enough staff to review them, those alarms don't mean anything," he said.
While alarms are great at signaling that something bad may be happening, they're just a means to monitor for inappropriate actions, he said.
In Target's case, a newly installed network monitoring tool from security vendor FireEye alerted Target security personnel to malware on its networks on two separate occasions before it was hit by hackers, according to a Bloomberg BusinessWeek report. The installation of the tool cost Target around $1.6 million, according to Bloomberg, which interviewed several former Target employees, law enforcement officials and security researchers familiar with the case.
According to the report, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target's headquarters in Minneapolis, who apparently failed to follow up.
The retailer's security pros should have been able to shut down the attack relatively easily had officials acted on the warnings, sources told Bloomberg. Target's Symantec Endpoint Protection software also detected the "absolutely unsophisticated and uninteresting" malware early on and pointed to the same server identified by the FireEye alerts, the report said.
The FireEye system could have been configured to automatically remove the threat, but apparently because the software was new and untested at Target, the feature wasn't activated.
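The pattern the report describes, two alerts from one sensor plus a second tool pointing at the same server, is exactly what host-level correlation is meant to surface. The following is an added example, not code from the article, Target, FireEye or Symantec; the tool names, hosts, timestamps and scoring rule are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (normalised SIEM-style records), not real data.
SAMPLE_ALERTS = [
    {"ts": "2013-11-30T02:14:00", "source": "network-sensor", "host": "srv-17"},
    {"ts": "2013-11-30T02:20:00", "source": "endpoint-av",    "host": "srv-17"},
    {"ts": "2013-12-02T11:05:00", "source": "network-sensor", "host": "srv-17"},
    {"ts": "2013-12-02T11:09:00", "source": "network-sensor", "host": "ws-204"},
]

def correlate(alerts, window=timedelta(days=7)):
    """Group alerts by host within a window ending at the host's newest alert.

    Scoring is an assumption of this example, not any vendor's default:
    +1 per alert, +2 per additional independent source flagging the host,
    so a host corroborated by two tools outranks one noisy tool.
    Returns {host: {"count": int, "sources": set, "score": int}}.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append((datetime.fromisoformat(a["ts"]), a["source"]))
    summary = {}
    for host, events in by_host.items():
        events.sort()
        newest = events[-1][0]
        recent = [(ts, src) for ts, src in events if newest - ts <= window]
        sources = {src for _, src in recent}
        summary[host] = {
            "count": len(recent),
            "sources": sources,
            "score": len(recent) + 2 * (len(sources) - 1),
        }
    return summary

def escalate(summary, threshold=3):
    """Hosts at or above the threshold get a mandatory human follow-up."""
    return sorted(h for h, s in summary.items() if s["score"] >= threshold)

if __name__ == "__main__":
    summary = correlate(SAMPLE_ALERTS)
    for host in escalate(summary):
        s = summary[host]
        print(f"ESCALATE {host}: {s['count']} alerts, sources={sorted(s['sources'])}")
```

With the constructed data, the host flagged by both tools three times is escalated while the single untriaged alert on the workstation is not, which is the triage ordering a repeat, corroborated alert should have received.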
Such incidents show why IT operations can't depend on technology alone to secure business networks, said Gartner analyst Avivah Litan. Companies also need strong security policies and processes for managing systems -- and for dealing with alerts, she said.
"In this case, Target apparently fell short on process and policies -- they had the technology piece down," Litan noted.
She added that Target's response is typical for large organizations. "In fact, I have heard several times and from several sources that in the case of each large breach over the past few years, the alarms and alerts went off but no one paid attention to them."
Jeremy Kirk of the IDG News Service contributed to this story.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.