
Attacks/Breaches

3/6/2014
08:11 AM

Target Begins Security And Compliance Makeover

Security gets a higher exec profile at the beleaguered retailer in the wake of its massive data breach as Target starts the road to reorganizing its security and compliance operations

The departure of Target's CIO yesterday, along with the creation of a dedicated chief information security officer (CISO) position and a new chief compliance officer (CCO) position, began a new chapter in the retailer's post-breach security posture.

Security experts say that aside from the executive changes and reorganization, the megaretailer will have other holes to plug to prevent another massive breach like the one that resulted in the theft of 40 million customer credit and debit card numbers, plus the names and contact information of up to 70 million people.

CISO duties at Target previously had been split among multiple people. The new CISO at Target will have centralized oversight and responsibilities for the retailer's information security; Beth Jacob, Target's executive vice president of Target Technology Services and chief information officer, has now left the post she had held since 2008.

Raj Ramanand, founder and CEO of Signifyd, said it's surprising that the CIO was managing security duties at Target. "In most large enterprises, the CISO has a direct reporting line to the board of directors and to the CIO of the company," he says. "I'm surprised by the fact that this was all being managed by the CIO, and they didn't have separate officers in charge."

Target chairman, president, and CEO Gregg Steinhafel explained in a statement that the executive moves are a first step in overhauling the retailer's security and compliance operations. "While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly. To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target. As a first step in this effort, Target will be conducting an external search for an interim CIO who can help guide Target through this transformation," he said.

Steinhafel said Target's current vice president of assurance risk and compliance had already planned to retire at the end of the month, so the retailer also will be hiring a chief compliance officer to fill that role. Both the CISO and CCO positions will be filled with candidates outside of Target, he said.

[Attackers are believed to have stolen network credentials belonging to Fazio Mechanical Services, a provider of refrigeration and HVAC systems, and used them to ultimately compromise Target's point-of-sale systems with malware. See Target Compromised Via Its HVAC Contractor's Network Credentials.]

The good news is that Target took the time to handle the reorganization, says Signifyd's Ramanand. "They took the time to understand what was causing [their gaps] before they went out and cut people ... They are doing the right thing," he says.

Despite having what several insiders have characterized as a relatively strong in-house security team, Target had its gaps the way many other organizations and retailers do. Ramanand expects Target to tighten its physical security, as well, because gaps there with its HVAC contractor were a weak link in the chain. "Those go hand in hand," he says of physical and logical security.

"They were focused on the core of the company, as opposed to looking at the weakest link. Security is not just about the most important systems, but also the weakest link," Ramanand says. "I think there were lax security measures around noncore systems."

There also appear to have been visibility problems that prevented Target from spotting the attackers moving the stolen data out of its network, other experts say.

"In my opinion, how was someone able to send gigabytes of data out without [Target] knowing? How can you send out so much data without someone noticing?" says Aviv Raff, CTO at Seculert. The signs were in the logs if someone had been monitoring them, he says.

The question is whether there were just too many security silos in Target not sharing or cooperating with one another, experts say.

While Target's point-of-sale servers may have been in tight lockdown, the attackers were able to find other more gaping holes in its environment. The attackers "had to move laterally" once they got in, so the key for Target would have been to make it harder for them to exit with the stolen payment card information, says Mike Lloyd, CTO at Red Seal Networks. "You can control the path back out," he says. "You need to make the outbound mazes harder."
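The two points made above (the signs of exfiltration were in the logs, and outbound paths can be monitored and constrained) translate into a simple egress-volume detection. The script below is an added example, not code from the article or from Target's own tooling. It assumes flow-style log records of the form "timestamp src dst dst_port bytes_out" (the sample lines are constructed for illustration), sums bytes sent by each internal host to external destinations over a sliding window, and raises an alert when a host exceeds a volume threshold. The flat 1 GB threshold and the 10/8 internal-range check are assumptions for the sample; in practice the threshold would be a per-host baseline learned from normal traffic.

```python
"""Egress-volume alerting over flow records.

Added example, not part of the Dark Reading article or Target's tooling.
Assumes flow-style log lines: "ISO-timestamp src_ip dst_ip dst_port bytes_out".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not real data): one internal host pushes
# several large transfers to one external address inside a few minutes.
SAMPLE_FLOWS = """\
2014-02-01T02:00:10 10.20.1.15 10.20.9.4 445 48000
2014-02-01T02:01:30 10.20.1.15 203.0.113.7 443 900000000
2014-02-01T02:03:05 10.20.1.15 203.0.113.7 443 850000000
2014-02-01T02:04:40 10.20.1.22 10.20.9.4 445 12000
2014-02-01T02:05:12 10.20.1.22 198.51.100.9 443 400000
2014-02-01T02:06:55 10.20.1.15 203.0.113.7 443 700000000
"""


def parse_flows(text):
    """Parse each line into a dict; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            flows.append({
                "ts": datetime.fromisoformat(ts),
                "src": src,
                "dst": dst,
                "port": int(port),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue  # unparseable timestamp or number
    return flows


def is_internal(ip):
    """Assumption for the sample: only 10/8 counts as the internal network."""
    return ip.startswith("10.")


def egress_alerts(flows, window=timedelta(minutes=10),
                  threshold_bytes=1_000_000_000):
    """Return one (src, window_start, total_bytes, destinations) tuple per
    internal host whose bytes to external destinations within any single
    sliding window exceed threshold_bytes. Internal-to-internal flows are
    ignored; they are lateral traffic, not egress."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            by_src[f["src"]].append(f)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it covers <= window.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            total = sum(r["bytes"] for r in burst)
            if total > threshold_bytes:
                dests = sorted({r["dst"] for r in burst})
                alerts.append((src, recs[start]["ts"], total, dests))
                break  # one alert per host per burst is enough for triage
    return alerts


if __name__ == "__main__":
    for src, started, total, dests in egress_alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {src}: {total / 1e9:.2f} GB to {dests} "
              f"in window starting {started.isoformat()}")
```

Run as-is, the script flags 10.20.1.15 after its second large transfer (1.75 GB inside the window) while 10.20.1.22, with a few hundred kilobytes of external traffic, stays quiet. The same aggregation also gives the inventory of external destinations a host actually talks to, which is what an egress allowlist ("make the outbound mazes harder") is built from.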

Former Target CIO Jacob, who holds an MBA, began her career with Target in 1984 as an assistant buyer in Target’s department store division, Dayton’s, for two years. She was hired by Target in 2002 as director of guest contact centers, and named vice president, guest operations in 2006.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
EbonyC129
User Rank: Apprentice
3/18/2014 | 4:42:54 PM
re: Target Begins Security And Compliance Makeover
NC is the birthing room for cyber-terror. In Pitt County, NC, there is abundant education in IT skill sets but ZERO availability of computer forensic experts, or even IT personnel interested to any real extent in the implications of an emerging regional economy such as is the case in Greenville, NC.
The sudden access to global bank accounts to open new businesses and investments creates a feeding frenzy for citizens of a formerly severely depressed rural economy, and little desire exists in local politicians, most blinded by partisan political ambitions anyway. The result is predictable: instances of identity theft at local banks are so commonplace it is considered a tongue-in-cheek event.
Sophisticated hacking tactics are seen daily, even by youth using file cracking as the new "tag" technique, all the while partisan political concerns trump commonsense concerns over the real implications of a climate where cyber-intrusions are a laughing matter. We will see more of the TARGET sort of attacks, and unfortunately little will be drawn from the events by those entrusted with the authority to watch such events.
Go to any public library or even the local campus libraries; computers are pre-set with devices that will collect all sorts of personal information. Keylogger programs are not uncommon, nor are active intrusions, often with the assistance of those entrusted with administrative pass access to public networks. In fact, in a few cases I know of political activists who have staffers basically on call to allow intrusions of mostly "political" information they don't desire. But who is to say where the line is drawn? After that undesirable political comment is blocked, redirected, or deleted, who is to say that same employee who has such little regard for professionalism is not connected to others who want bank information, social security numbers, etc.?
jeremyarcher
User Rank: Apprentice
3/7/2014 | 8:07:22 PM
re: Target Begins Security And Compliance Makeover
Here is what makes you qualified to be a CIO at Target:

"Former Target CIO Jacob, who holds an MBA, began her career with Target in 1984 as an assistant buyer in Target's department store division, Dayton's, for two years. She was hired by Target in 2002 as director of guest contact centers, and named vice president, guest operations in 2006."

I'm sure she still doesn't understand what happened. Technical expertise does matter for CIOs the same way accounting knowledge matters for CFOs.