Comments
Newest First | Oldest First | Threaded View
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
Re: Deactivation of FireEye's Automatic Response
It certainly does. My last employer has been using it since ~2004/5 -- before McAfee bought Solidcore. Back then the employer was flagged for not having virus protection on their POS systems. We had to constantly ask for a compensating control. That left me with a poor impression of the PCI rules and those who conducted the audits. It's similar when calling a support line that isn't staffed by trained and experienced resources. They cannot truly understand problems. They can only read a script and follow a yes/no logic tree.
Re: Deactivation of FireEye's Automatic Response
I believe this solution exists (McAfee Solidcore)
Happens far too often
Unfortunate, but the fact that they ignored the warning signs isn't a surprise. There is a dramatic need for a shift in culture. One would think the cost alone would be enough. On average attacks cost companies $11.6 million according to the 2013 HP Ponemon Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013).
Peter Fretty (j.mp/pfrettyhp)
Peter Fretty (j.mp/pfrettyhp)
Re: Deactivation of FireEye's Automatic Response
Locking them down assumes an OS security exploit was not used to install the malware. I think it's been established Target's POS uses Windows. I'll even go further and make an assumption that it's probably XP.
I'm not aware of any XP built-in solution to prevent a security hole being exploited to install malware. If it's a remote attack vector, it'll typically involve a network service of some kind. Most services generally have escalated privileges and if compromised, the hacker can almost always use them to gain root access.
What Windows needs is a helper that monitors via read/write hooks and compares all file-system changes on system/software components with a dictionary made on the original system's image. If anything is found out of spec, an alert is issued and the processes that use the corrupt image are terminated. Further, such a helper also needs to scan DLLs and applications IN MEMORY to make sure they too are appropriate. If not, the processes are terminated. If an new process begins that's tied to an executable that's not part of the original image, it's terminated before it even finishes loading into memory.
Such products exist for XP and had they been using them, it would have been really tough to infect their POS systems even if a USB thumb drive was inserted. Hackers would first have to figure out how to disable that software before exploiting the system. Unfortunately this would require hacking the system so the protection mechanism can be hacked. It's a chicken and egg scenario. Certainly not foolproof but arguably difficult enough to perhaps convince them a company using such protection is not low hanging fruit.
I'm not aware of any XP built-in solution to prevent a security hole being exploited to install malware. If it's a remote attack vector, it'll typically involve a network service of some kind. Most services generally have escalated privileges and if compromised, the hacker can almost always use them to gain root access.
What Windows needs is a helper that monitors via read/write hooks and compares all file-system changes on system/software components with a dictionary made on the original system's image. If anything is found out of spec, an alert is issued and the processes that use the corrupt image are terminated. Further, such a helper also needs to scan DLLs and applications IN MEMORY to make sure they too are appropriate. If not, the processes are terminated. If an new process begins that's tied to an executable that's not part of the original image, it's terminated before it even finishes loading into memory.
Such products exist for XP and had they been using them, it would have been really tough to infect their POS systems even if a USB thumb drive was inserted. Hackers would first have to figure out how to disable that software before exploiting the system. Unfortunately this would require hacking the system so the protection mechanism can be hacked. It's a chicken and egg scenario. Certainly not foolproof but arguably difficult enough to perhaps convince them a company using such protection is not low hanging fruit.
Re: Deactivation of FireEye's Automatic Response
You would think that the POS terminals would be locked down as tightly as possible. It's not like your cashiers should be installing anything on them but not knowing all the details it is possible that the application used the name of a Windows service or application.
unacceptable
It just keeps getting worse for Target. To now know they had the systems in place that could have stopped this breach if they just used the system correctly is unacceptable. This just goes to show you that the best systems are rendered useless id people don't use them correctly.
Re: Deactivation of FireEye's Automatic Response
They should respond manually. If the product constantly cries wolf, either the alert config needs review or the product needs to be replaced. If that's not an option then they should push the alerts to Splunk and mine the noise for credible events that correlate with other intrusion events (assumes firewalls and other stuff are pushed to Splunk). My point was automated responses might be tolerated for devices that aren't customer facing but you do not want call center devices, bank ATMs or POS systems downed by a false alarm that automatically removes a vital component.
As a side note, I still don't understand why a POS system could have ANYTHING new installed on it outside of planned events. They shoud use white list protection or an OS that won't run unsigned apps (like IOS, Android or Windows RT).
As a side note, I still don't understand why a POS system could have ANYTHING new installed on it outside of planned events. They shoud use white list protection or an OS that won't run unsigned apps (like IOS, Android or Windows RT).
Block botnets
Target IT dept fail many ways. 1) If Target blocked all connections to botnet centers, the malware could not send data out. 2) The HVAC vendor said they didn't monitor Target remotely, why did Target give them a corp/network account? 3) Target should not give that account full access to the POS. 4) Security,access auditing was ignored. 5) Ignored alarms. 6) POS should have a seperate network. Target tried to save money here.
White Papers
Video
1 Comments
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I told you we should worry abit more about vendor lock-in.
Latest Comment: I told you we should worry abit more about vendor lock-in.
Current Issue
Building and Managing an IT Security Operations ProgramAs cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
How Enterprises Are Developing Secure Applications
IT security and application development are disparate processes that are increasingly coming together. Here's a look at how that's happening.
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2019-7068
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
From DHS/US-CERT's National Vulnerability Database CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2019 UBM, All rights reserved
Tweet This
User Rank: Apprentice
7/11/2018 | 4:54:43 AM