In December 2013, Target became a target itself as the victim of the biggest retail hack in US history. Attackers planted point-of-sale malware and intercepted approximately 110 million records of payment, transaction and other personally identifiable data. The aftermath was not just a loss of reputation – Target’s profit for the holiday shopping period fell 46 per cent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008, and more than 90 lawsuits have been filed against the company.
An easy target
Target’s security and payments system was compromised by malware designed to capture the credit card details of customers shopping at any of its US stores. The moment a shopper swiped a card, the number was captured and stored on a Target server that the attackers had taken over. This was a conventional attack, and one that Target had prepared for, having installed a US$1.6 million malware detection tool six months earlier. In addition, Target had an offshore Security Operations Centre (SOC) monitoring its systems around the clock. Despite this, the retailer’s systems lacked the virtual walls and motion detectors found in secure networks. So what went wrong?
The malware detection tool picked up the attack and generated alerts that were passed on to Target’s team of security specialists in Minneapolis, but no action was taken. Only two weeks later, when the US Department of Justice notified the retailer of the breach, did it react to the problem. By this point, the attackers had been working undetected for two weeks. Not only should the alarms have been impossible to miss, they went off early enough that the hackers had not yet begun transmitting the stolen card data out of Target’s network.
There were multiple factors that led to data loss in the Target case: network segregation was lacking, point-of-sale systems were vulnerable to memory scraping malware, and detection strategies employed by Target failed. How could the outcome have been avoided?
- Understand your security environment
If Target had had a firm grasp of its network security environment, it would have noticed this behaviour occurring on its network. Target would have benefited from a risk-based approach to security, analysing the threats to and vulnerabilities of all systems within the company on a regular basis. Risks could then have been prioritised, so that some of the vulnerabilities exploited in this breach might have been remediated beforehand.
- Segment the network
Target’s network, like any standard corporate network, is segmented so that the most sensitive parts – including customer payments and personal data – are walled off from the rest of the network and from the Internet. However, there were clearly holes that vulnerability scanning could have identified. Although its security systems used encryption, the encryption was rendered useless because the card data was read from memory, where it sat unencrypted. Vulnerable configurations and accounts allowed the segmentation to be bypassed. It appears that there were weaknesses in each layer of defence employed by Target, which together allowed the attackers to reach some of its most sensitive data.
- Implement response processes
Multiple alerts were triggered by different systems – and ignored. Processes within the SOC should ensure that every alert receives a response, and is escalated, according to its severity. Despite the fact that Target had purchased expensive monitoring software, employees were not well trained and there appeared to be no adequate processes in place for responding to system warnings.
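As an added example (not code from the original article, from Target or from any vendor named here), this is the kind of check such a process rests on: a sweep over outstanding alerts that flags any left unacknowledged beyond the response window its severity allows, and decides how far to escalate. The severity names, response windows and alert records are constructed for illustration.

```python
"""Escalation sweep: find detection alerts that were raised but never acted on
within the response window their severity demands (added example; all values
below are constructed assumptions, not Target's real alerts or policy)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy: how long an alert of each severity may sit unacknowledged.
RESPONSE_WINDOW = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=4),
    "medium": timedelta(days=1),
    "low": timedelta(days=7),
}

@dataclass
class Alert:
    alert_id: str
    severity: str
    raised_at: datetime
    source: str
    acknowledged_at: Optional[datetime] = None  # None: nobody has acted on it

def overdue_alerts(alerts: List[Alert], now: datetime) -> List[Alert]:
    """Return unacknowledged alerts past their window, most overdue first.
    Unknown severities fall back to the strictest window, never the loosest."""
    overdue = []
    for a in alerts:
        window = RESPONSE_WINDOW.get(a.severity, RESPONSE_WINDOW["critical"])
        if a.acknowledged_at is None and now - a.raised_at > window:
            overdue.append((now - a.raised_at - window, a))
    overdue.sort(key=lambda pair: pair[0], reverse=True)
    return [a for _, a in overdue]

def escalation_tier(alert: Alert, now: datetime) -> str:
    """Assumed two-step ladder: SOC lead once the window lapses, management
    once the alert has sat unacknowledged for more than twice the window."""
    window = RESPONSE_WINDOW.get(alert.severity, RESPONSE_WINDOW["critical"])
    return "management" if now - alert.raised_at > 2 * window else "soc-lead"

# Constructed sample: detection alerts forwarded to the security team, two of
# them never acknowledged, mirroring the gap the article describes.
SAMPLE_ALERTS = [
    Alert("A-1001", "critical", datetime(2013, 11, 30, 3, 15), "malware-detection"),
    Alert("A-1002", "high", datetime(2013, 12, 2, 9, 40), "malware-detection"),
    Alert("A-1003", "medium", datetime(2013, 12, 12, 14, 0), "ids",
          acknowledged_at=datetime(2013, 12, 12, 15, 0)),
    Alert("A-1004", "low", datetime(2013, 12, 14, 8, 0), "antivirus"),
]
SWEEP_TIME = datetime(2013, 12, 15, 12, 0)  # constructed "now" for the sweep

if __name__ == "__main__":
    for a in overdue_alerts(SAMPLE_ALERTS, SWEEP_TIME):
        print(f"ESCALATE to {escalation_tier(a, SWEEP_TIME)}: {a.alert_id} "
              f"[{a.severity}] from {a.source}, raised {a.raised_at}")
```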
Prepare for the worst, hope for the best
Target identified the risk of hacking and put state-of-the-art security technology in place, but a security system is only as strong as its weakest link. A robust, business-centric security model, using the appropriate architecture, policies and technology, is needed to protect an enterprise adequately. To find out what such a strategy entails, download your free copy of our new whitepaper, ‘Security in a world with no perimeters: A business-centric security architecture’.