Attacks/Breaches
2/13/2014 01:47 PM
Bala Venkat
Commentary

Data Security Dos & Don'ts From The Target Breach

The holidays brought attacks on the retail industry. If you aren't in retail, your industry could be next.

The New Year certainly got off to an interesting start in the world of information security, as a seemingly never-ending spate of retail data breaches made, and are making, headlines almost daily.

First, before Christmas, there was the massive breach at Target, compromising an estimated 40 million credit and debit card account holders during the peak of the holiday shopping season. The cyber-criminals infiltrated Target's network and installed sophisticated malware in its point of sale (PoS) terminals that could not be detected by anti-virus or other traditional security defenses. Later, we learned that the breach was even bigger, compromising the personal information of some 70 million more customers, including names, phone numbers, and email and mailing addresses.

Next was the breach at Neiman-Marcus, where a reported 77 out of 85 stores were hit by sophisticated malware, exposing the personal information of 1.1 million consumers. This breach was reported to have occurred between mid-July and October, but wasn’t discovered and contained until early January. Just a week later, the Michael’s chain of arts and crafts stores announced that it also had been breached -- its second breach in three years.

Major investigations are now underway at these retailers, and details continue to emerge almost daily. Chief executives are on the hot seat, testifying in front of Congress about what happened and what immediate measures they are taking to ensure such breaches don’t happen again. Worse, all three incidents have had a widespread impact on consumer confidence, which will likely cost the organizations millions of dollars to restore.

It’s an object lesson that even the best security defenses may not stop cyber-criminals from breaking in and stealing customer data. While the debates over encryption, Payment Card Industry (PCI) compliance standards, and chip-and-pin systems among retailers continue, there are also lessons to be learned by any industry that works with significant Web applications, a highly-connected supply chain, and a large number of credit card transactions. Here are three dos and don’ts based on what happened at Target, Neiman-Marcus, and Michael’s stores.

Do scan for application vulnerabilities continuously and proactively. It’s important to monitor constantly for changes that may enable attackers to gain entry. Vulnerability scanning is no longer a one-time project. In fact, applications are the number one point of entry for attackers year after year. They create an easy front door hackers can enter to steal data. Ongoing vulnerability scanning will keep that door locked and ensure the security of your code.

Don't overlook the security of your supply chain partners. Many of today's hacks are coming through third parties that handle sensitive information, because attackers know that an attack on a business partner is often simpler and easier to hide than a direct attack. They've also learned that a breach in one partner's environment can easily propagate across today's digitally-connected networks, compounding the data loss and damages.

The latest reports on the Target breach indicate that the hackers may have stolen Target’s network credentials from a third-party, Pennsylvania-based heating, ventilation, and air conditioning (HVAC) provider. These days, enterprise security means not only scanning your own environment, but also checking your partners’ applications to ensure that their security is solid and won’t compromise your customers’ data.
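As an added example (not part of the original article, and not Cenzic's or any vendor's tooling), here is what "continuous" scanning looks like when it is treated as change detection rather than a one-time project: two scan runs are compared, the comparison covers both your own application and a partner-owned application that handles your customers' data, and a policy gate blocks on any new high-severity finding regardless of who owns the app. The application names, partner name, vulnerability classes and both scan result sets are constructed for illustration.

```python
from dataclasses import dataclass

# One finding from a vulnerability scan. "owner" is "self" for our own
# applications or the partner's name for a supply-chain app in scope.
@dataclass(frozen=True)
class Finding:
    app: str
    owner: str
    vuln: str       # vulnerability class, e.g. "xss", "sqli"
    severity: str   # "low", "medium" or "high"

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed baseline scan, before a release.
PREVIOUS_SCAN = {
    Finding("checkout-web", "self", "xss", "medium"),
    Finding("checkout-web", "self", "sqli", "high"),
    Finding("vendor-portal", "hvac-partner", "outdated-tls", "low"),
}

# Constructed scan one week later, after the release. The sqli finding was
# fixed, the release introduced an open redirect, and the partner's portal
# now shows a new high-severity authentication weakness.
CURRENT_SCAN = {
    Finding("checkout-web", "self", "xss", "medium"),
    Finding("checkout-web", "self", "open-redirect", "low"),
    Finding("vendor-portal", "hvac-partner", "outdated-tls", "low"),
    Finding("vendor-portal", "hvac-partner", "weak-auth", "high"),
}

def diff_scans(previous, current):
    """Return (new, resolved, unchanged) finding sets between two scan runs."""
    return current - previous, previous - current, previous & current

def gate(new_findings, min_severity="high"):
    """Policy gate: every new finding at or above min_severity blocks,
    whether it sits in our own app or a partner's."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted(
        (f for f in new_findings if SEVERITY_RANK[f.severity] >= threshold),
        key=lambda f: (f.owner, f.app, f.vuln),
    )

def report(previous=PREVIOUS_SCAN, current=CURRENT_SCAN):
    """Summarise the delta between two runs; this is what a scheduled job
    would emit after every scan instead of a one-off vulnerability list."""
    new, resolved, unchanged = diff_scans(previous, current)
    return {
        "new": len(new),
        "resolved": len(resolved),
        "unchanged": len(unchanged),
        "blocking": [(f.owner, f.app, f.vuln) for f in gate(new)],
        "partner_new": sorted({f.app for f in new if f.owner != "self"}),
    }

if __name__ == "__main__":
    print(report())
```

The point of the delta is that a clean scan last month says nothing about today: the release reintroduced a finding on our side and the partner's environment drifted independently, and only a recurring comparison surfaces either.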

Don’t forget to regularly update and patch specialized hardware. Resource-constrained security administrators often overlook the security of specialized devices, such as PoS terminals deployed at remote sites. The makers of these industry-specific devices and applications are often slow to roll out new patches. In most cases, PoS terminals are compromised through improperly configured remote-access technologies used in their PoS applications.

It's also smart to use two-factor authentication for all remote access. Enterprises should ensure that their environments are set up to download and install patches for core operating systems, critical applications, and anti-malware controls. Many retail enterprises aren't.
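The two paragraphs above amount to a fleet policy for specialized devices: installed firmware is not behind the vendor's release, no terminal goes unpatched past a fixed window, remote access requires a second factor, and anti-malware controls are present. The following added example (not from the original article, and not any PoS vendor's schema) encodes that policy as an audit over a constructed terminal inventory and orders the gaps by risk, which is how a resource-constrained administrator gets a remediation queue rather than a spreadsheet. The field names, version numbers, dates, patch window and risk weights are all assumptions.

```python
from datetime import date, timedelta

TODAY = date(2014, 2, 13)           # fixed so the example is deterministic
MAX_PATCH_AGE = timedelta(days=90)  # assumed policy: no terminal unpatched for 90 days

# Constructed inventory of PoS terminals at remote sites (assumed schema).
INVENTORY = [
    {"id": "pos-store-12-01", "vendor_version": "4.2.1", "installed_version": "4.2.1",
     "last_patched": date(2014, 1, 30), "remote_access": True, "remote_2fa": True,
     "antimalware": True},
    {"id": "pos-store-12-02", "vendor_version": "4.2.1", "installed_version": "4.1.0",
     "last_patched": date(2013, 9, 2), "remote_access": True, "remote_2fa": False,
     "antimalware": False},
    {"id": "pos-store-37-01", "vendor_version": "4.2.1", "installed_version": "4.2.0",
     "last_patched": date(2013, 12, 20), "remote_access": False, "remote_2fa": False,
     "antimalware": True},
]

# Assumed weights: remote access without a second factor is the most urgent
# gap, then missing vendor patches, then a missing anti-malware control.
WEIGHTS = {
    "remote-access-without-2fa": 5,
    "behind-vendor-release": 3,
    "patch-overdue": 3,
    "no-antimalware": 2,
}

def version_tuple(v):
    """Compare dotted versions numerically so 4.10.0 sorts after 4.2.1."""
    return tuple(int(part) for part in v.split("."))

def audit_device(dev, today=TODAY):
    """Return the list of policy gaps for one terminal (empty means compliant)."""
    gaps = []
    if version_tuple(dev["installed_version"]) < version_tuple(dev["vendor_version"]):
        gaps.append("behind-vendor-release")
    if today - dev["last_patched"] > MAX_PATCH_AGE:
        gaps.append("patch-overdue")
    if dev["remote_access"] and not dev["remote_2fa"]:
        gaps.append("remote-access-without-2fa")
    if not dev["antimalware"]:
        gaps.append("no-antimalware")
    return gaps

def audit_fleet(inventory=INVENTORY, today=TODAY):
    """Map each terminal id to its gaps."""
    return {dev["id"]: audit_device(dev, today) for dev in inventory}

def risk_score(gaps):
    return sum(WEIGHTS[g] for g in gaps)

def prioritized(inventory=INVENTORY, today=TODAY):
    """Non-compliant terminals ordered by descending risk: a remediation queue."""
    scored = [(risk_score(g), dev_id)
              for dev_id, g in audit_fleet(inventory, today).items() if g]
    return [dev_id for _, dev_id in sorted(scored, key=lambda s: (-s[0], s[1]))]

if __name__ == "__main__":
    for dev_id in prioritized():
        gaps = audit_device(next(d for d in INVENTORY if d["id"] == dev_id))
        print(f"{dev_id}: score={risk_score(gaps)} gaps={gaps}")
```

In the constructed data the terminal with remote access and no second factor lands at the top of the queue even though another terminal is also behind the vendor release; that ordering is the practical content of the advice above.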

While no one can be certain that these three breaches could have been avoided, one thing is very clear: All it takes is one hole in one application to give cyber criminals access to sensitive data. Companies must -- without delay -- put in place tight security policies to protect their applications across the software development life cycle. They also must use ongoing application security scanning and vulnerability assessments to ensure the security of their own systems, as well as those of their partners.

If they don’t, cyber criminals will continue to exploit that one single point of failure, gain access to the organization’s crown jewels of corporate and personal data, and lead the industry further down the path of never-ending data breaches.

Bala Venkat joined Cenzic in April 2012, with more than 25 years of technology industry leadership and executive management experience. He is recognized as a visionary for a unique talent that blends business, technology, and market trends into compelling value ...

Comments
Marilyn Cohodas
User Rank: Strategist
2/14/2014 | 10:13:13 AM
Re: What happened to Target could have happened to any company
I've seen estimates including:
  • a $30 million liability to credit unions  
  • $550 million if Target has to replace 110 million cards (not including  penalties, credit watch expenses, law suit settlements and beefed up cybersecurity systems)
  • between $400 million and $1 billion in fines (estimate from Jefferies investment banking firm).

But nothing about the aggregate cost to individuals. 
Brian.Dean
User Rank: Apprentice
2/14/2014 | 2:54:12 AM
Re: What happened to Target could have happened to any company
Agreed, threats are evolving at a fast pace. I believe that firms are also evolving at a fast pace to combat these threats, but it would be nice if the security industry could collaborate in an attempt to strengthen overall security standards and its cost.

POS has been coming under a lot of fire; what's the situation with online transactions?
Brian.Dean
User Rank: Apprentice
2/14/2014 | 2:41:54 AM
Re: What happened to Target could have happened to any company
Great point: all the links of the chain have an active responsibility in ensuring that the chain cannot be broken -- businesses that wake up every morning in order to be productive and satisfy their customers need to forward any information or best practices to their partners/supply chain in order to make the entire ecosystem safe.

It has been quite some time now since the Target breach occurred. I wonder whether there have been any estimates of the dollar-figure losses that customers are paying for directly out of their pockets.
Bala Venkat
User Rank: Apprentice
2/14/2014 | 2:32:13 AM
Re: What happened to Target could have happened to any company
Yes, Marilyn. That report was very insightful confirming how the threat mechanics are evolving to new levels today!
Bala Venkat
User Rank: Apprentice
2/14/2014 | 2:29:35 AM
Re: What happened to Target could have happened to any company
Yes, Alison. Unfortunately, the problem is only getting worse ... with corporations opening easy entry into their vaults through third-party connections. These days, when I present, I increasingly see the topic of "Vendor Risk Management" resonate strikingly with the audience.
Alison_Diana
User Rank: Apprentice
2/13/2014 | 5:03:15 PM
Re: What happened to Target could have happened to any company
Study after study shows how unprepared SMBs are against cyberattacks -- and study after study shows just how attractive these smaller businesses are for exactly this reason: as a conduit into a big corporation like Target, Neiman Marcus, Citibank, or the DoD. It's imperative that all links in the chain are equally strong. We've just seen what happens when they're not.
Marilyn Cohodas
User Rank: Strategist
2/13/2014 | 2:15:09 PM
What happened to Target could have happened to any company
You make a great point, Bala, especially in the wake of today's news that the Target breach began with a phishing attack. Mat Schwartz has the details, citing a report by security journalist Brian Krebs: (Paste this link into your browser: http://www.informationweek.com/security/attacks-and-breaches/target-breach-phishing-attack-implicated/d/d-id/1113829?)
This could have happened to anyone, not just retailers during a busy holiday season.