Attacks/Breaches
2/13/2014 01:47 PM
Bala Venkat
Commentary

Data Security Dos & Don’ts From The Target Breach

The holidays brought attacks on the retail industry. If you aren't in retail, your industry could be next.

The New Year certainly got off to an interesting start in the world of information security, as a seemingly never-ending spate of retail data breaches made, and are making, headlines almost daily.

First, before Christmas, there was the massive breach at Target, compromising an estimated 40 million credit and debit card account holders during the peak of the holiday shopping season. The cyber-criminals infiltrated Target’s network and installed sophisticated malware in its point of sale (PoS) terminals that could not be detected by anti-virus or other traditional security defenses. Later, we learned that the breach was even bigger, compromising the personal information of some 70 million more customers, including names, phone numbers, and email and mailing addresses.

Next was the breach at Neiman-Marcus, where a reported 77 out of 85 stores were hit by sophisticated malware, exposing the personal information of 1.1 million consumers. This breach was reported to have occurred between mid-July and October, but wasn’t discovered and contained until early January. Just a week later, the Michael’s chain of arts and crafts stores announced that it also had been breached -- its second breach in three years.

Major investigations are now underway at these retailers, and details continue to emerge almost daily. Chief executives are on the hot seat, testifying in front of Congress about what happened and what immediate measures they are taking to ensure such breaches don’t happen again. Worse, all three incidents have had a widespread impact on consumer confidence, which will likely cost the organizations millions of dollars to restore.

It’s an object lesson that even the best security defenses may not stop cyber-criminals from breaking in and stealing customer data. While the debates over encryption, Payment Card Industry (PCI) compliance standards, and chip-and-pin systems among retailers continue, there are also lessons to be learned by any industry that works with significant Web applications, a highly-connected supply chain, and a large number of credit card transactions. Here are three dos and don’ts based on what happened at Target, Neiman-Marcus, and Michael’s stores.

Do scan for application vulnerabilities continuously and proactively. It’s important to monitor constantly for changes that may enable attackers to gain entry. Vulnerability scanning is no longer a one-time project. In fact, applications are the number one point of entry for attackers year after year. They create an easy front door hackers can enter to steal data. Ongoing vulnerability scanning will keep that door locked and ensure the security of your code.

Don’t overlook the security of your supply chain partners. Many of today's hacks are coming through third parties that handle sensitive information, because attackers know that an attack on a business partner is often simpler and easier to hide than a direct attack. They’ve also learned that a breach in one partner’s environment can easily propagate across today’s digitally-connected networks, further complicating data loss and damages.  

The latest reports on the Target breach indicate that the hackers may have stolen Target’s network credentials from a third-party, Pennsylvania-based heating, ventilation, and air conditioning (HVAC) provider. These days, enterprise security means not only scanning your own environment, but also checking your partners’ applications to ensure that their security is solid and won’t compromise your customers’ data.

Don’t forget to regularly update and patch specialized hardware. Resource-constrained security administrators often overlook the security of specialized devices, such as PoS terminals deployed at remote sites. The makers of these industry-specific devices and applications are often slow to roll out new patches. In most cases, PoS terminals are compromised through improperly configured remote-access technologies used in their PoS applications.

It’s also smart to utilize two-factor authentication for all remote access. Enterprises should ensure that their environments are well suited to download and install patches for core operating systems, critical applications, or anti-malware controls. Many retail enterprises aren’t. 
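One way to turn the two preceding points into a repeatable check is a small audit over the device inventory: flag terminals whose last patch is older than a policy threshold (or unrecorded), remote access that is not protected by two-factor authentication, and remote-access settings still at vendor defaults. The script below is an added example written for this article, not code from the author or from Cenzic; the inventory export, its column names, the 90-day threshold and the audit date are all constructed assumptions.

```python
"""Patch-age and remote-access posture audit for specialized devices such as PoS terminals.

Added example, not from the original article. The inventory format below is an
assumption: a CSV export with one row per device. Real exports will differ.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Policy threshold: flag any device whose last applied patch is older than this (assumed value).
MAX_PATCH_AGE_DAYS = 90

# Audit date fixed so the sample run is reproducible (assumed; use date.today() in practice).
AUDIT_DATE = date(2014, 2, 13)

# Constructed sample export. Columns are assumptions for this example:
#   remote_access: enabled/disabled, remote_auth: mfa/password/none,
#   vendor_default_config: yes if remote-access settings were never changed from the vendor default.
SAMPLE_INVENTORY = """\
device_id,site,last_patch_date,remote_access,remote_auth,vendor_default_config
pos-001,store-12,2014-01-20,enabled,password,no
pos-002,store-12,2013-09-01,enabled,mfa,no
pos-003,store-07,2014-02-01,disabled,none,no
pos-004,store-07,,enabled,password,yes
pos-005,store-03,2014-02-10,enabled,mfa,no
"""


@dataclass
class Finding:
    device_id: str
    site: str
    severity: str  # "critical" or "high"
    reason: str


def parse_inventory(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per device."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_device(row: dict[str, str], today: date, max_age: int = MAX_PATCH_AGE_DAYS) -> list[Finding]:
    """Return every policy violation for a single device row."""
    findings: list[Finding] = []
    dev, site = row["device_id"], row["site"]
    remote_enabled = row["remote_access"].strip().lower() == "enabled"

    # Patch currency: an unrecorded patch date cannot prove the device is current, so it is flagged.
    raw_date = row["last_patch_date"].strip()
    if not raw_date:
        findings.append(Finding(dev, site, "high", "no recorded patch date"))
    else:
        age = (today - date.fromisoformat(raw_date)).days
        if age > max_age:
            findings.append(Finding(dev, site, "high", f"last patch {age} days ago (limit {max_age})"))

    # Remote access must be protected by two-factor authentication.
    if remote_enabled and row["remote_auth"].strip().lower() != "mfa":
        findings.append(Finding(dev, site, "high", "remote access without two-factor authentication"))

    # Remote access left at vendor defaults is the improper configuration the article warns about.
    if remote_enabled and row["vendor_default_config"].strip().lower() == "yes":
        findings.append(Finding(dev, site, "critical", "remote access still at vendor-default configuration"))

    return findings


def audit_inventory(text: str, today: date, max_age: int = MAX_PATCH_AGE_DAYS) -> list[Finding]:
    """Audit every device and return findings ordered by severity, then device id."""
    findings: list[Finding] = []
    for row in parse_inventory(text):
        findings.extend(audit_device(row, today, max_age))
    rank = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.device_id))


def audit_sample() -> list[Finding]:
    """Run the audit over the constructed sample at the fixed audit date."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.severity:8} {f.device_id} ({f.site}): {f.reason}")
```

On the sample data the run flags pos-004 three times (no patch record, password-only remote access, vendor-default configuration), pos-001 for password-only remote access, and pos-002 for a patch that is 165 days old; pos-003 (remote access disabled) and pos-005 (current and MFA-protected) produce nothing. Treating a missing patch date as a finding rather than skipping the row is deliberate: inventory gaps are exactly where an overlooked terminal hides.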

While no one can be certain that these three breaches could have been avoided, one thing is very clear: All it takes is one hole in one application to give cyber criminals access to sensitive data. Companies must -- without delay -- put in place tight security policies to protect their applications across the software development life cycle. They also must use ongoing application security scanning and vulnerability assessments to ensure the security of their own systems, as well as those of their partners.

If they don’t, cyber criminals will continue to exploit that one single point of failure, gain access to the organization’s crown jewels of corporate and personal data, and lead the industry further down the path of never-ending data breaches.

Bala Venkat joined Cenzic in April 2012, with more than 25 years of technology industry leadership and executive management experience. He is recognized as a visionary for a unique talent that blends business, technology, and market trends into compelling value ...

Comments
Marilyn Cohodas, User Rank: Strategist
2/14/2014 | 10:13:13 AM
Re: What happened to Target could have happened to any company
I've seen estimates including:
  • a $30 million liability to credit unions
  • $550 million if Target has to replace 110 million cards (not including penalties, credit watch expenses, law suit settlements and beefed up cybersecurity systems)
  • between $400 million to $1 billion in fines (estimate from Jefferies investment banking firm).

But nothing about the aggregate cost to individuals.
Brian.Dean, User Rank: Apprentice
2/14/2014 | 2:54:12 AM
Re: What happened to Target could have happened to any company
Agreed, threats are evolving at a fast pace. I believe that firms are also evolving at a fast pace to combat these threats, but it would be nice if the security industry could collaborate in an attempt to strengthen overall security standards and its cost.

POS has been coming under a lot of fire; what's the situation with online transactions?
Brian.Dean, User Rank: Apprentice
2/14/2014 | 2:41:54 AM
Re: What happened to Target could have happened to any company
Great point: all the links of the chain have an active responsibility in ensuring that the chain cannot be broken -- businesses that wake up every morning in order to be productive and satisfy their customers need to forward any information or best practices to their partners/supply chain in order to make the entire ecosystem safe.

It has been quite some time now since the Target breach occurred. I wonder whether there have been any estimates on the dollar-figure losses that customers are paying for directly through their pockets.
Bala Venkat, User Rank: Apprentice
2/14/2014 | 2:32:13 AM
Re: What happened to Target could have happened to any company
Yes, Marilyn. That report was very insightful confirming how the threat mechanics are evolving to new levels today!
Bala Venkat, User Rank: Apprentice
2/14/2014 | 2:29:35 AM
Re: What happened to Target could have happened to any company
Yes, Alison. Unfortunately, the problem is only getting worse . . . with corporations opening easy entry into their vaults through third party connections. These days, when I present, I increasingly see the topic of "Vendor Risk Management" resonate strikingly with the audience.
Alison_Diana, User Rank: Moderator
2/13/2014 | 5:03:15 PM
Re: What happened to Target could have happened to any company
Study after study shows how unprepared SMBs are against cyberattacks -- and study after study shows just how attractive these smaller businesses are for exactly this reason: as a conduit into a big corporation like Target, Neiman Marcus, Citibank, or the DoD. It's imperative that all links in the chain are equally strong. We've just seen what happens when they're not.
Marilyn Cohodas, User Rank: Strategist
2/13/2014 | 2:15:09 PM
What happened to Target could have happened to any company
You make a great point, Bala, especially in the wake of today's news that the Target breach began with a phishing attack. Mat Schwartz has the details, citing a report by security journalist Brian Krebs: (Paste this link into your browser: http://www.informationweek.com/security/attacks-and-breaches/target-breach-phishing-attack-implicated/d/d-id/1113829?)

This could have happened to anyone, not just retailers during a busy holiday season.