Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Ignored Data Breach Alarms
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
7/11/2018 | 4:54:43 AM
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
7/11/2018 | 4:54:11 AM
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
rradina
50%
50%
rradina,
User Rank: Apprentice
3/24/2014 | 3:19:56 PM
Re: Deactivation of FireEye's Automatic Response
It certainly does.  My last employer has been using it since ~2004/5 -- before McAfee bought Solidcore.  Back then the employer was flagged for not having virus protection on their POS systems.  We had to constantly ask for a compensating control.  That left me with a poor impression of the PCI rules and those who conducted the audits.  It's similar when calling a support line that isn't staffed by trained and experienced resources.  They cannot truly understand problems.  They can only read a script and follow a yes/no logic tree.
Duke_Bauer
50%
50%
Duke_Bauer,
User Rank: Apprentice
3/24/2014 | 12:03:15 PM
Re: Deactivation of FireEye's Automatic Response
I believe this solution exists (McAfee Solidcore)
pfretty
50%
50%
pfretty,
User Rank: Apprentice
3/19/2014 | 4:04:28 PM
Happens far too often
Unfortunate, but the fact that they ignored the warning signs isn't a surprise. There is a dramatic need for a shift in culture. One would think the cost alone would be enough. On average attacks cost companies $11.6 million according to the 2013 HP Ponemon Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013).

Peter Fretty (j.mp/pfrettyhp)
rradina
50%
50%
rradina,
User Rank: Apprentice
3/18/2014 | 11:54:26 AM
Re: Deactivation of FireEye's Automatic Response
Locking them down assumes an OS security exploit was not used to install the malware.  I think it's been established Target's POS uses Windows.  I'll even go further and make an assumption that it's probably XP.

I'm not aware of any XP built-in solution to prevent a security hole being exploited to install malware.  If it's a remote attack vector, it'll typically involve a network service of some kind.  Most services generally have escalated privileges and if compromised, the hacker can almost always use them to gain root access.  

What Windows needs is a helper that monitors via read/write hooks and compares all file-system changes on system/software components with a dictionary made on the original system's image.  If anything is found out of spec, an alert is issued and the processes that use the corrupt image are terminated.  Further, such a helper also needs to scan DLLs and applications IN MEMORY to make sure they too are appropriate.  If not, the processes are terminated.  If an new process begins that's tied to an executable that's not part of the original image, it's terminated before it even finishes loading into memory.

Such products exist for XP and had they been using them, it would have been really tough to infect their POS systems even if a USB thumb drive was inserted.  Hackers would first have to figure out how to disable that software before exploiting the system.  Unfortunately this would require hacking the system so the protection mechanism can be hacked.  It's a chicken and egg scenario.  Certainly not foolproof but arguably difficult enough to perhaps convince them a company using such protection is not low hanging fruit.
SaneIT
50%
50%
SaneIT,
User Rank: Apprentice
3/18/2014 | 8:43:30 AM
Re: Deactivation of FireEye's Automatic Response
You would think that the POS terminals would be locked down as tightly as possible.  It's not like your cashiers should be installing anything on them but not knowing all the details it is possible that the application used the name of a Windows service or application.  
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
3/17/2014 | 7:16:26 PM
unacceptable
It just keeps getting worse for Target. To now know they had the systems in place that could have stopped this breach if they just used the system correctly is unacceptable. This just goes to show you that the best systems are rendered useless id people don't use them correctly.
rradina
50%
50%
rradina,
User Rank: Apprentice
3/17/2014 | 5:33:00 PM
Re: Deactivation of FireEye's Automatic Response
They should respond manually.  If the product constantly cries wolf, either the alert config needs review or the product needs to be replaced.  If that's not an option then they should push the alerts to Splunk and mine the noise for credible events that correlate with other intrusion events (assumes firewalls and other stuff are pushed to Splunk).  My point was automated responses might be tolerated for devices that aren't customer facing but you do not want call center devices, bank ATMs or POS systems downed by a false alarm that automatically removes a vital component.

As a side note, I still don't understand why a POS system could have ANYTHING new installed on it outside of planned events.  They shoud use white list protection or an OS that won't run unsigned apps (like IOS, Android or Windows RT).
hho927
50%
50%
hho927,
User Rank: Guru
3/17/2014 | 2:25:10 PM
Block botnets
Target IT dept fail many ways. 1) If Target blocked all connections to botnet centers, the malware could not send data out. 2) The HVAC vendor said they didn't monitor Target remotely, why did Target give them a corp/network account? 3) Target should not give that account full access to the POS. 4) Security,access auditing was ignored. 5) Ignored alarms. 6) POS should have a seperate network. Target tried to save money here.
Page 1 / 3   >   >>


A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.