The Target data breach: What can we learn?


Last week, we dove into the details of the 2013 Target data breach, in which 40 million customers had their debit and credit card details stolen and another 70 million had personal data taken. Now we’re going to break down what went wrong and see what we can learn from it.

Poor security at the vendor

The initial intrusion into Target’s systems came through a third-party HVAC vendor. While the vendor claimed that “our IT system and security measures are in full compliance with industry practices”, the cybersecurity journalist Brian Krebs reported that the company was only using the free version of Malwarebytes Anti-Malware. Malwarebytes is well regarded, but the free version is licensed for personal use only and offers no real-time protection: it is an on-demand scanner that only finds malware when someone runs it. Had the vendor been running an appropriate corporate endpoint product with real-time scanning, the malware might well have been caught before the attackers could use the vendor’s stolen credentials to reach Target’s systems.

Supply-chain security problems

In general, we want to select suppliers that can meet our security and compliance needs, and back that up with contracts that stipulate which controls must be in place. Ultimately, though, we have limited control over our vendors, and we need to be mindful that their security failures can very quickly become our problems.

Sure, the HVAC vendor should have upped its security game and had real-time malware monitoring, but it’s not as though Target is totally innocent in this matter. The details are unclear, but it looks like one of two things went wrong, or both: either Target granted the vendor more access than it needed, or Target failed to adequately isolate the systems the vendor could reach from its payment systems.

If it’s the first case, it’s really a matter of poor supply-chain and access management. It makes sense for Target to have systems the vendor can use to complete its tasks, but Target should grant the vendor only the bare minimum access it needs to do its job, following the principle of least privilege. An HVAC vendor has no business anywhere near the payment infrastructure.

If it’s the latter, extremely sensitive systems like those used for payments should be strictly isolated, ideally physically: hosted on their own hardware and network segments, away from everything else. Logical isolation (VLANs, firewall rules, virtualization) can be useful in many instances, but if it is configured incorrectly, attackers may be able to work their way from a less trusted segment toward other systems that share the same physical device or network path. Whatever form the isolation takes, it should be verified regularly by testing that the vendor-accessible systems genuinely cannot reach the payment environment.
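To make that verification concrete, here is an added example (not code from the original article, and not a description of Target’s actual network) of the check a practitioner would run against a segmentation policy: model the firewall allow-rules between zones as a directed graph and search for any chain of rules leading from the vendor-accessible zone into the payment zone. The zone names, ports and both rule sets are constructed for illustration, with a “leaky” policy beside a corrected one.

```python
"""Verify that a vendor-facing network zone cannot reach the payment zone.

Added example, not code from the original article. The zone names, ports
and both rule sets below are constructed for illustration only.
"""
from collections import deque

# Each allow-rule is (source_zone, destination_zone, port).
# Constructed "before" policy: the vendor reaches a corporate zone that in
# turn is allowed into the payment environment (cde), so the two zones are
# only nominally separated.
LEAKY_POLICY = [
    ("vendor", "corporate", 443),   # vendor portal for work orders / billing
    ("corporate", "cde", 445),      # file shares reachable from corporate
    ("corporate", "cde", 1433),     # database access from corporate
    ("cde", "corporate", 443),
]

# Constructed "after" policy: vendor traffic terminates in a dedicated DMZ,
# nothing in corporate is allowed into the payment zone, and only a hardened
# jump host can reach it.
SEGMENTED_POLICY = [
    ("vendor", "vendor-dmz", 443),
    ("vendor-dmz", "corporate", 443),
    ("jump", "cde", 22),
    ("cde", "cde", 1433),
]


def build_graph(policy):
    """Adjacency list: zone -> [(next_zone, port), ...] in rule order."""
    graph = {}
    for src, dst, port in policy:
        graph.setdefault(src, []).append((dst, port))
        graph.setdefault(dst, [])
    return graph


def find_path(policy, start, target):
    """Breadth-first search over allow-rules.

    Returns the chain of rules an attacker could ride from `start` to
    `target` (fewest hops), or None if no such chain exists.
    """
    graph = build_graph(policy)
    if start not in graph:
        return None
    parent = {start: None}  # zone -> (previous zone, port used to get here)
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while parent[zone] is not None:
                prev, port = parent[zone]
                path.append((prev, zone, port))
                zone = prev
            return list(reversed(path))
        for nxt, port in graph[zone]:
            if nxt not in parent:
                parent[nxt] = (zone, port)
                queue.append(nxt)
    return None


def reachable_zones(policy, start):
    """Every zone transitively reachable from `start` (excluding `start`)."""
    graph = build_graph(policy)
    seen, queue = set(), deque([start])
    while queue:
        for nxt, _ in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def is_isolated(policy, untrusted_zone, sensitive_zone):
    """True when no chain of allow-rules leads from untrusted to sensitive."""
    return find_path(policy, untrusted_zone, sensitive_zone) is None


if __name__ == "__main__":
    for name, policy in (("leaky", LEAKY_POLICY), ("segmented", SEGMENTED_POLICY)):
        path = find_path(policy, "vendor", "cde")
        print(f"{name:9s} vendor -> cde: {path if path else 'no path, isolated'}")
        print(f"{name:9s} vendor can reach: {sorted(reachable_zones(policy, 'vendor'))}")
```

The useful output is not the yes/no answer but the path: in the leaky policy the tool reports the exact pair of rules (vendor to corporate on 443, corporate to cde on 445) that an attacker could chain, which is what you would take to the firewall team. Running this against the real rule base, or against the results of a live port scan from the vendor segment, turns “we segmented the network” into something you can check.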

Ignoring security alerts

To pull off an attack of this scale, you might think the attackers were masterminds using cutting-edge techniques to evade detection. Nope: the attack was actually detected by two different systems before the data was exfiltrated. According to a report from Bloomberg Businessweek, the FireEye malware detection system Target had deployed sent multiple alerts indicating that malware was on its systems, and Symantec Endpoint Protection also flagged suspicious behaviour on the same servers.

We aren’t sure exactly why the security alerts were ignored, but a couple of options spring to mind. First, there could have been a communication issue: were the people responsible for protecting the relevant servers actually receiving the alerts, and did they have the authority and the context to act on them? Bloomberg reported that Target’s monitoring team in Bangalore did flag the FireEye alerts to the security operations centre in Minneapolis, where no action was taken.

If they did receive the alerts, perhaps the analysts were suffering from alert fatigue. Alert fatigue occurs when analysts are overwhelmed by more alerts than they can keep track of, so genuine signals get lost in the noise. It is often caused by poorly tuned security tools that generate too many false positives: alerts that turn out not to be indicators of an attack. Excess false positives can be addressed by tuning the tools (raising thresholds, allowlisting known-good behaviour, deduplicating repeated alerts), but you need to be careful not to tune them so far that a false negative occurs, where an attack is ongoing but no alert reaches the analysts. Two practices help keep both error rates down: corroborating alerts across independent tools, and weighting alerts by the sensitivity of the affected asset, so that a malware alert on a payment server is never treated the same as one on an ordinary workstation.
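As an added example (not code from the original article, and not Target’s actual alert data), here is the triage logic described above run over a small constructed alert feed: repeated alerts are collapsed per host, a host escalates when independent tools agree on it or when a single severe alert lands on a payment asset, and each policy is scored against a constructed ground truth to show the false-positive versus false-negative trade-off. The tool names, host names, alert lines and the set of compromised hosts are all constructed for illustration.

```python
"""Alert triage that corroborates across tools and weights by asset.

Added example, not code from the original article. The alert lines, host
names, tool names and the "ground truth" of which hosts were actually
compromised are all constructed for illustration.
"""
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed alert feed, one alert per line:
# "<time> <tool> <severity> <host> <message>"
ALERT_LINES = """\
2013-11-30T02:14:05Z fireeye high pos-srv-17 malware.binary observed on host
2013-11-30T02:14:09Z symantec high pos-srv-17 suspicious process blocked
2013-11-30T02:15:30Z fireeye high pos-srv-17 malware.binary observed on host
2013-11-30T02:18:02Z fireeye high pos-srv-22 malware.binary observed on host
2013-11-30T02:20:41Z proxy low wks-1042 connection to uncategorised domain
2013-11-30T02:20:43Z proxy low wks-1042 connection to uncategorised domain
2013-11-30T02:21:10Z proxy low wks-2077 connection to uncategorised domain
2013-11-30T02:22:55Z symantec low wks-0311 tracking cookie detected
2013-11-30T02:25:00Z proxy medium wks-1042 connection to uncategorised domain
""".splitlines()

# Asset inventory (constructed): hosts inside the payment environment.
PAYMENT_HOSTS = {"pos-srv-17", "pos-srv-22"}

# Constructed ground truth, used only to score the triage policies below.
ACTUALLY_COMPROMISED = {"pos-srv-17", "pos-srv-22"}


def parse_alerts(lines):
    """Parse the feed; malformed lines are skipped rather than crashing triage."""
    alerts = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        time, tool, severity, host, message = parts
        alerts.append({"time": time, "tool": tool, "severity": severity,
                       "host": host, "message": message})
    return alerts


def summarise_by_host(alerts):
    """Collapse repeats per host: distinct tools, highest severity, raw count."""
    hosts = defaultdict(lambda: {"tools": set(), "max_sev": 0,
                                 "count": 0, "unique": set()})
    for a in alerts:
        h = hosts[a["host"]]
        h["tools"].add(a["tool"])
        h["max_sev"] = max(h["max_sev"], SEVERITY.get(a["severity"], 0))
        h["count"] += 1
        h["unique"].add((a["tool"], a["message"]))
    return hosts


def escalate(alerts, min_sources=2, single_min_sev="high", sensitive_only=True):
    """Hosts that should reach an analyst under a given triage policy.

    A host escalates when independent tools agree (>= min_sources), or when a
    single tool reports at least `single_min_sev` and either the host is a
    payment asset or `sensitive_only` is False. single_min_sev=None disables
    the single-source route entirely (the over-tuned case).
    """
    escalated = set()
    for host, h in summarise_by_host(alerts).items():
        if len(h["tools"]) >= min_sources:
            escalated.add(host)
        elif (single_min_sev is not None
              and h["max_sev"] >= SEVERITY[single_min_sev]
              and (host in PAYMENT_HOSTS or not sensitive_only)):
            escalated.add(host)
    return escalated


def evaluate(escalated, truly_compromised):
    """(false positives, false negatives) of a policy against ground truth."""
    return escalated - truly_compromised, truly_compromised - escalated


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LINES)
    policies = {
        "untuned (everything)": dict(min_sources=1, single_min_sev="low", sensitive_only=False),
        "tuned (corroborate + asset)": dict(),
        "over-tuned (corroboration only)": dict(single_min_sev=None),
    }
    for name, params in policies.items():
        chosen = escalate(alerts, **params)
        fp, fn = evaluate(chosen, ACTUALLY_COMPROMISED)
        print(f"{name:32s} escalated={sorted(chosen)} "
              f"false_pos={sorted(fp)} false_neg={sorted(fn)}")
```

On this constructed feed the untuned policy escalates every host, burying the two real compromises among three noisy workstations (the alert-fatigue case); the over-tuned policy that only trusts corroboration silently drops the second payment server, because only one tool reported it (the false-negative case); the middle policy, which adds asset context, catches both with no noise. The asset inventory is doing real work here, so keeping it accurate matters as much as tuning the detection rules.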

As you can see, with just a few straightforward security improvements, this massive breach could easily have been prevented. Hopefully you can learn from Target’s mistakes and ensure that your own organization doesn’t suffer such major security lapses.


Cybersecurity and privacy writer.
