Thursday, January 30, 2014


Target Confirms Unauthorized Access...


ANALYSIS:


In recent days we have heard quite a bit about the 2014 Target Breach. We have also heard about the Neiman-Marcus breach, which is said to be independent of the Target event, although reports are that the malware used is similar. Target is now investing billions of dollars to repair both its image and capabilities. We have been discussing the Target breach and are trying to learn from each aspect of the incident as it becomes public. The rationale has been to better our own security posture and help improve the security posture of the industry as a whole. This breach investigation will evolve, and we at Integris Security will evolve with it and learn as information becomes reliable and forthcoming.

Everything known at this point is speculation and inconclusive until the Target Corporation steps up to the microphone and gives a full autopsy. That is not likely to happen any day soon, as the legal process is just now gathering information.

Law enforcement (U.S. Secret Service or FBI) is typically very tight-lipped about the circumstances and causes (operational details) leading up to an event like this, since they are in various stages of presenting materials to grand juries, attending hearings, participating in a prosecution, etc. Normally it is only afterwards, which could be a year or more after suspects are declared innocent or convicted, that the details slowly pour out and begin to be known.

We are providing here some links which were discussed on weekly conference calls and provided to us by a number of different sources. Target is known as having very strong internal security procedures and posture, and no one should take this post to mean Target is not helping its own cause. Previously we have spoken to Target personnel and know full well something seriously went awry.

We have a deep sense of intrigue, which is only natural, and want to learn every single detail about this serious breach. However, as security practitioners we must be responsible and show some common sense and respect for the internal practitioners on the security teams at Target. The workload of those security teams these days must be daunting (incident response, business continuity programs and disaster recovery plans will receive plenty of scrutiny this time around).

We are posting from Neiman-Marcus as well, even though the two cases have not been connected.

http://www.zdnet.com/neiman-marcus-1-1-million-cards-compromised-7000025513/
http://www.nytimes.com/2014/01/24/business/neiman-marcus-breach-affected-1-1-million-cards.html
http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114

http://m.computerworld.com/s/article/9245877/Target_says_attackers_stole_vendor_credentials?source=CTWNLE_nlt_security_2014-01-30
http://krebsonsecurity.com/
http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
http://www.cnbc.com/id/101329300
http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112
http://www.us-cert.gov/ncas/alerts/TA14-002A
http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/
http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores

This is a short list, but it can lead to many solid sources. We would also like to acknowledge the SANS organization, which provides all of us with well-thought-out background discussion on this topic in its NewsBites publication.


CONCLUSION: 

Integris Security would be falling short not to mention to our clients and prospects that security awareness starts before a breach, before an employee is let go, before the budget cycle crows no more. Simple security awareness proves to be an effective first step in a series of steps required to withstand the hailstorm which now befalls Target and others. Security is not something JUST for those high tech guys and gals to mull over and talk about. The security discussion, from the smallest to the largest corporation, starts with the CEO and is a culture he/she causes to infect every single part of the corporation. This is a difficult thing for some when nothing seems to be happening. Like fire drills, being prepared is worth billions, as we now see Target is prepared to spend.



UPDATE:  3/10/2014

Thanks to our members, the truth about the Target Breach is getting out. Here is the latest:

"Troy Leach, the lead security standards architect for the PCI Council, testified March 5 that the vulnerabilities of magnetic-stripe card transactions have to be addressed. But he stressed that a migration to more secure chip card technology that conforms to the Europay, MasterCard, Visa standard would not, by itself, eliminate all security risks. In fact, he contended that the use of chip cards would not have prevented the exposure of card data caused by the malware attacks against Target and Neiman Marcus."

http://www.bankinfosecurity.com/target-hearings-emv-enough-a-6607


UPDATED: 3/13/2014

http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Businessweek outlines the missed opportunities that TARGET had to stop the bad guys at the front door. It offers some generalization about what happened overseas and adds to the question of "who" dropped the ball. We may live in a global society, but which part of the "global" isn't getting the "Security" message is not clear. Assertions have been made that if kept inside the U.S., this security failure would not have happened, but that is easier said than done. It remains to be seen whether analysts have the time, with all the blown data breaches, to determine if "OUTSOURCING" is in fact a savings or part of the overall cost house. In this case it would appear as though TARGET may have saved some cash by keeping things in the U.S., but all of this is very much UNPROVEN at the time of this post.

The fact was that Target was one of the big box companies at the vanguard of security. Perhaps in hindsight they have realized that the security staff in place was not as "state of the art" or as "progressive" as one needs to be given the size and complexity of a major corporation. Then one needs to ponder: is this a problem of a CIO, CTO, CISO or other security persons? Or is this a total miscalculation of the CEO, COO, CFO, and do shareholders deserve a say in whether these individuals have earned a long term seat at TARGET? Truly a letdown, a major disappointment from a highly successful retailer here in the U.S.

UPDATED: 3/17/2014
http://www.computerworld.com/s/article/9246942/Major_companies_like_Target_often_fail_to_act_on_malware_alerts

The blog is updated with this article to highlight the fact that technology alone will not solve IT security issues. Ongoing professional development and exercises that test the effectiveness of staff, combined with in-depth knowledge, skills and abilities in onboarding specific security tools, are not cheap, but are the likely candidate for the success of any security team. Combining human resources and effective tools such as FireEye is a recipe for success. Not cheap, but for certain an investment worthy of a healthy report card for any major corporation.

Joseph Concannon