Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Ignored Data Breach Alarms
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
SaneIT
50%
50%
SaneIT,
User Rank: Apprentice
3/17/2014 | 9:02:21 AM
Re: Deactivation of FireEye's Automatic Response
Do you know what Target's procedure is when they see an alarm in the software, false or otherwise?  I would think that they have a policy in place to investigate the alarm to determine its validity. I know that things can move very slowly in the corporate world but this is the type of issue that most companies prepare for.
rradina
50%
50%
rradina,
User Rank: Apprentice
3/16/2014 | 9:19:13 PM
Deactivation of FireEye's Automatic Response
There's a reason this was done.  Over the years protection software has triggered false alarms and quarantined needed programs and libraries rendering either software or subsystems (like printing) inoperable.  The last thing you want is to have thousands of POS lanes die because an automated response, triggered by a false positive, removed an important program or library module.
BGREENE292
100%
0%
BGREENE292,
User Rank: Apprentice
3/15/2014 | 5:53:42 PM
Re: These stories all present misleading or incomplete data with sensational titles
.
hhendrickson274 said, "... these stories all present misleading or incomplete data with sensational titles..."
 
 
NOT HARDLY
 
Enough information is already present for an informed judgment about the Target IT team response. To plead unlikely extenuating circumstances such as (1) the team was overwhelmed by the volume of alerts, and was unable to distinguish signal from noise, or (2) the team might have seen similar alarts, which were investigated (despite the overwhelming volume of alerts) and dismissed as probable false positives, or (3) any Russian IP address is not necessarily cause for suspicion, since "(we do not know why) they would feel outbound connections from their POS to a Russian based IP wouldn't be suspicious" is worthy of a press release from Target public relations.

The FireEye system did its job well enough, elevating the alerts to the attention of Target IT, which eliminates the "sheer overload" excuse. Likewise, if the administrator had turned off automated response, it was critical to forge a field-tested policy for dealing with such detections manually, and then follow it to the letter. As for a number of Russian IPs, that in itself carries enough negative freight to merit special consideration-- aside from the principle that any "strange" address merits investigation.

Target did none of these things. What Target did is typical of the "90-day Wonder" policy of generating new managers ex nihilo, an IT person placed in the job for reasons that have little to do with experience or competence. As the survival tactic of one lacking experience, that manager essentially bought a well-respected brand, and then tried to hide behind it-- blaming FireEye for what was a Target responsibility.

Any Target promotion of a favored, specific person over those with more skill and'or experience is also excruciating commentary on the politics of Target management, since it focuses on factors which have little or nothing to do with professionalism. Such "fast track" promotions insidiously kill incentive among staff to demonstrate responsibility and competence. Fast track staffing is also disingenuous to the extreme, a breach of trust between executive management and staff-- especially those who were told promotion is based on demonstrated effort, competence and experience.

With the extremely questionable managerial culture at Target, the only possible defense against a charge of deliberately risky behavior with customer accounts is "mistakes were made"-- an abject confession of incompetence. While every manager is entitled to on-the-job training, that training should ensure millions of customer credit cards and bank accounts are not also at risk.
Duane T
100%
0%
Duane T,
User Rank: Apprentice
3/14/2014 | 6:58:36 PM
You need more security that tech that tells you you've been infected
PCI and Security are like insurance, unfortunately Target spent $M on detection and left the response process to manual labor. But your insurance shouldn't just tell you that you're sick. This is like having insurance that just tells you that you indeed have an illness. They should have also spent at least 10% of that budget on process and technology to automatically investigate, prioritize, and lock down/contain their detected threats. You would think that they could have asked FireEye who they recommend for automated incident response. The tech is out there and available, and all this craziness and costs could be avoided.

Think of it this way, Target probably saw 1000s if not 10s of thousands of alerts each day, and they know it. They probably detect more than they can process effectively, and the result is that malware gets through. They probably could have spent a fraction more to get automated incident response technology in house.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Ninja
3/14/2014 | 3:42:04 PM
Re: Target Security team is inexperienced and or incompetent.
I wonder whether this incident will help retailers understand that retaining credit card data is more trouble than its worth. "No Data" should become the next "Big Data."
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
3/14/2014 | 3:15:40 PM
Re: Target Security team is inexperienced and or incompetent.
"This also underscores the near uselessness of the PCI spec. It is not a something to use to avoid a breach, its something to use to reduce the chance of a lawsuit." True PCI is about covering your business. The retail data breaches are causing pain, but healthcare data breaches may someday make these look tame by comparison.
VWalker
50%
50%
VWalker,
User Rank: Apprentice
3/14/2014 | 2:50:00 PM
Re: Image credit?
Thank you - I've fixed the attribution here and on a previous story where we used this image. Vicki Walker, News Editor.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
3/14/2014 | 2:25:44 PM
Does automated security watch for the right things?
I'd like to know the context: how many total alerts did FireEye provide during the hour it signaled the intrusion? How did it distinguish those that applied to the intrusion. I woujld think a notice that malware was being fanned out to multiple Target servers should be made to stand out. If you know the malware won't automatically be eliminated, what's the action plan to get it out of there? Wsa there any alert on 11GBs of internal data flowing out to Russia? Even in context, I'm afraid Target's response is going to be judged and judged harshly. Continuous sensitive credit card data should have triggered alarms that normal transaction data wouldn't. If it can happen to anyone with a large number of alerts pouring at them, then we're in more trouble than I realized.
ke4roh
50%
50%
ke4roh,
User Rank: Apprentice
3/14/2014 | 2:17:47 PM
Image credit?
Wikimedia Commons did not create this image.  The image was taken by Flickr user Jay Reed who requires attribution to HIM for its distribution.  Wikimedia says that here. Please credit the photographer and copyright owner rather than the venue on which you found the picture!
hhendrickson274
50%
50%
hhendrickson274,
User Rank: Strategist
3/14/2014 | 1:43:59 PM
These stories all present misleading or incomplete data with sensational titles
I don't know any more than what is in the various articles written about this, but everyone is some quick to jump on the Target team for reviewing and ignoring the alarms.  And articles like this with sensational titles don't help. That's really disingenuos without understanding the entire circumstances around the situation.  No meniton is made to the volume of alerts that may have been coming out of the FireEye system (or other systems they had deployed) to know if this was seen as normal noise or not.  Was that team used to seeing alerts similar to this that turned out to be false positives or of little significance? 


What I can fault them for would be not taking at least basic precautions like blocking outbound access to the IP that the malware was communicating with, and sending a sample off to their A/V vendor for analysis and inclusion in signature updates.  I can't say that either of those would have really made much of an impact, but I'm not sure how much business Target does with users in Russia to understand why they would feel outbound connections from their POS to a Russian based IP wouldn't be suspicious.  Maybe they did some of these things, I have no idea. 

I guess what my point is, let's not rush to judgement before we have all the facts.  They are only coming out in dribs and drabs at this point.  Hindsight is 20/20 and it's easy to be critic.  I'd rather we tried to be constructive and learned from this event.
<<   <   Page 2 / 3   >   >>


US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16669
PUBLISHED: 2019-09-21
The Reset Password feature in Pagekit 1.0.17 gives a different response depending on whether the e-mail address of a valid user account is entered, which might make it easier for attackers to enumerate accounts.
CVE-2019-16656
PUBLISHED: 2019-09-21
joyplus-cms 1.6.0 allows remote attackers to execute arbitrary PHP code via /install by placing the code in the name of an object in the database.
CVE-2019-16657
PUBLISHED: 2019-09-21
TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/.
CVE-2019-16658
PUBLISHED: 2019-09-21
TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF.
CVE-2019-16659
PUBLISHED: 2019-09-21
TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF.