Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Ignored Data Breach Alarms
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
SaneIT
50%
50%
SaneIT,
User Rank: Apprentice
3/17/2014 | 9:02:21 AM
Re: Deactivation of FireEye's Automatic Response
Do you know what Target's procedure is when they see an alarm in the software, false or otherwise?  I would think that they have a policy in place to investigate the alarm to determine its validity. I know that things can move very slowly in the corporate world but this is the type of issue that most companies prepare for.
rradina
50%
50%
rradina,
User Rank: Apprentice
3/16/2014 | 9:19:13 PM
Deactivation of FireEye's Automatic Response
There's a reason this was done.  Over the years protection software has triggered false alarms and quarantined needed programs and libraries rendering either software or subsystems (like printing) inoperable.  The last thing you want is to have thousands of POS lanes die because an automated response, triggered by a false positive, removed an important program or library module.
BGREENE292
100%
0%
BGREENE292,
User Rank: Apprentice
3/15/2014 | 5:53:42 PM
Re: These stories all present misleading or incomplete data with sensational titles
.
hhendrickson274 said, "... these stories all present misleading or incomplete data with sensational titles..."
 
 
NOT HARDLY
 
Enough information is already present for an informed judgment about the Target IT team response. To plead unlikely extenuating circumstances such as (1) the team was overwhelmed by the volume of alerts, and was unable to distinguish signal from noise, or (2) the team might have seen similar alarts, which were investigated (despite the overwhelming volume of alerts) and dismissed as probable false positives, or (3) any Russian IP address is not necessarily cause for suspicion, since "(we do not know why) they would feel outbound connections from their POS to a Russian based IP wouldn't be suspicious" is worthy of a press release from Target public relations.

The FireEye system did its job well enough, elevating the alerts to the attention of Target IT, which eliminates the "sheer overload" excuse. Likewise, if the administrator had turned off automated response, it was critical to forge a field-tested policy for dealing with such detections manually, and then follow it to the letter. As for a number of Russian IPs, that in itself carries enough negative freight to merit special consideration-- aside from the principle that any "strange" address merits investigation.

Target did none of these things. What Target did is typical of the "90-day Wonder" policy of generating new managers ex nihilo, an IT person placed in the job for reasons that have little to do with experience or competence. As the survival tactic of one lacking experience, that manager essentially bought a well-respected brand, and then tried to hide behind it-- blaming FireEye for what was a Target responsibility.

Any Target promotion of a favored, specific person over those with more skill and'or experience is also excruciating commentary on the politics of Target management, since it focuses on factors which have little or nothing to do with professionalism. Such "fast track" promotions insidiously kill incentive among staff to demonstrate responsibility and competence. Fast track staffing is also disingenuous to the extreme, a breach of trust between executive management and staff-- especially those who were told promotion is based on demonstrated effort, competence and experience.

With the extremely questionable managerial culture at Target, the only possible defense against a charge of deliberately risky behavior with customer accounts is "mistakes were made"-- an abject confession of incompetence. While every manager is entitled to on-the-job training, that training should ensure millions of customer credit cards and bank accounts are not also at risk.
Duane T
100%
0%
Duane T,
User Rank: Apprentice
3/14/2014 | 6:58:36 PM
You need more security that tech that tells you you've been infected
PCI and Security are like insurance, unfortunately Target spent $M on detection and left the response process to manual labor. But your insurance shouldn't just tell you that you're sick. This is like having insurance that just tells you that you indeed have an illness. They should have also spent at least 10% of that budget on process and technology to automatically investigate, prioritize, and lock down/contain their detected threats. You would think that they could have asked FireEye who they recommend for automated incident response. The tech is out there and available, and all this craziness and costs could be avoided.

Think of it this way, Target probably saw 1000s if not 10s of thousands of alerts each day, and they know it. They probably detect more than they can process effectively, and the result is that malware gets through. They probably could have spent a fraction more to get automated incident response technology in house.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Ninja
3/14/2014 | 3:42:04 PM
Re: Target Security team is inexperienced and or incompetent.
I wonder whether this incident will help retailers understand that retaining credit card data is more trouble than its worth. "No Data" should become the next "Big Data."
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
3/14/2014 | 3:15:40 PM
Re: Target Security team is inexperienced and or incompetent.
"This also underscores the near uselessness of the PCI spec. It is not a something to use to avoid a breach, its something to use to reduce the chance of a lawsuit." True PCI is about covering your business. The retail data breaches are causing pain, but healthcare data breaches may someday make these look tame by comparison.
VWalker
50%
50%
VWalker,
User Rank: Apprentice
3/14/2014 | 2:50:00 PM
Re: Image credit?
Thank you - I've fixed the attribution here and on a previous story where we used this image. Vicki Walker, News Editor.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
3/14/2014 | 2:25:44 PM
Does automated security watch for the right things?
I'd like to know the context: how many total alerts did FireEye provide during the hour it signaled the intrusion? How did it distinguish those that applied to the intrusion. I woujld think a notice that malware was being fanned out to multiple Target servers should be made to stand out. If you know the malware won't automatically be eliminated, what's the action plan to get it out of there? Wsa there any alert on 11GBs of internal data flowing out to Russia? Even in context, I'm afraid Target's response is going to be judged and judged harshly. Continuous sensitive credit card data should have triggered alarms that normal transaction data wouldn't. If it can happen to anyone with a large number of alerts pouring at them, then we're in more trouble than I realized.
ke4roh
50%
50%
ke4roh,
User Rank: Apprentice
3/14/2014 | 2:17:47 PM
Image credit?
Wikimedia Commons did not create this image.  The image was taken by Flickr user Jay Reed who requires attribution to HIM for its distribution.  Wikimedia says that here. Please credit the photographer and copyright owner rather than the venue on which you found the picture!
hhendrickson274
50%
50%
hhendrickson274,
User Rank: Strategist
3/14/2014 | 1:43:59 PM
These stories all present misleading or incomplete data with sensational titles
I don't know any more than what is in the various articles written about this, but everyone is some quick to jump on the Target team for reviewing and ignoring the alarms.  And articles like this with sensational titles don't help. That's really disingenuos without understanding the entire circumstances around the situation.  No meniton is made to the volume of alerts that may have been coming out of the FireEye system (or other systems they had deployed) to know if this was seen as normal noise or not.  Was that team used to seeing alerts similar to this that turned out to be false positives or of little significance? 


What I can fault them for would be not taking at least basic precautions like blocking outbound access to the IP that the malware was communicating with, and sending a sample off to their A/V vendor for analysis and inclusion in signature updates.  I can't say that either of those would have really made much of an impact, but I'm not sure how much business Target does with users in Russia to understand why they would feel outbound connections from their POS to a Russian based IP wouldn't be suspicious.  Maybe they did some of these things, I have no idea. 

I guess what my point is, let's not rush to judgement before we have all the facts.  They are only coming out in dribs and drabs at this point.  Hindsight is 20/20 and it's easy to be critic.  I'd rather we tried to be constructive and learned from this event.
<<   <   Page 2 / 3   >   >>


Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.