
One Year Later: Lessons Learned from the Target Breach

Gunter Ollmann

As the autumn leaves fall from naked trees to be trampled or encased in the winter snow, it reminds us of another year quickly gone by. Yet, for organisations that were breached and publicly scrutinised for their security lapses, it's been a long and arduous year.

It was about this time last year that the news broke of Target's mega breach. Every news outlet was following the story and drip feeding readers with details, speculation and "expert opinion" on what happened, why it happened and who did it.

A full 12 months later we're still talking about it and trying to take stock of the breach's effect. The breach was so large and so influential on institutional security thinking that it's now commonplace to refer to "the Target effect" when discussing the business consequences of a breach.

There are several articles examining the story behind the breach and while the background of the breach makes for exciting reading to those not already familiar with the tools and tactics of international cybercrime, it also highlights a chain of critical security failures that could have been countered at any stage to mitigate or even prevent the breach.

The unfortunate reality of the Target breach is that it could have quite literally happened to any major retailer around the world — and probably is happening to several dozen this very minute.

Short of waiting for Matt Damon to star in a cyber-thriller loosely based upon the Target breach with car chases through winter snow drifts and shootouts in the Ukraine, there are perhaps five key lessons that we should all look to learn from:

1. The easiest route to compromise is likely to be via the employee or service side-door, rather than the well protected front door.

Just like your home, while you have just one front door, you have many side windows and other doors. If you can't protect every door to the same level, you should look towards internal systems that monitor all ingress and egress points for anomalies.

Trusting third-party vendors and contractors with employee-level access requires the same (if not higher) levels of security validation used for your own employees. Multi-factor authentication is a necessary and critical first step.

2. Security software and appliances are only as valuable as the actions you take after they alert you to a threat they didn't stop.

The industry uses the term "defense in depth", but the practical reality is that organisations increasingly find themselves swamped by alerts from hundreds of disparate security products. Regardless of the alerting technology, ensure that a 24/7 response plan exists for each alert category.

If your organisation doesn't have the human resources to respond to alerts from a new detection product, either invest in third-party managed services to monitor it on your behalf or don't buy the product (it's wasted money that could be better spent elsewhere or you may be labelled negligent).

3. Annual certification against the minimum bar of an industry standard is meaningless to an intruder and your customers.

While certifications such as PCI are required for business assurance purposes, you'd be lucky if they pose more than a speed-bump in an attack. A program of continual vulnerability scanning, code reviews and regular penetration tests from a hacker's-eye view is now the minimum level an organisation should be investing in when assessing its security stature.

4. A rapid mitigation response to an alert trumps post-attack forensics in almost all cases.

The sooner an organisation can classify and respond to an alert generated by their security monitoring solutions, the higher the probability that the threat can be mitigated and a breach contained. It is typically better to remediate a potential flaw automatically first than to waste valuable resources understanding why the flaw appeared in the first place.

For example, automatically reimage a virtual server from a known-good instance rather than troubleshooting why the server was misbehaving. Only if a repeated pattern persists is it time to invest in a costly forensic analysis.

5. Malware is a tool that can be infinitely morphed and disguised, yet artifacts of the malware's command and control are often easily detectable by their network communications.

Today's malware is often constructed uniquely for an attack and only used once. As a consequence, nothing generates more false positives and is more distracting than automated malware analysis. However, the infrastructure an attacker must invest in to command and control the malware they have built and to remotely access the tools they have deployed is not nearly as easy to disguise or hide. Network anomaly detection and blacklist/whitelist IP alerting play a critical role in alerting organisations to hackers that have managed to defeat perimeter defenses.
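As an added illustration of lessons 1 and 5 (it is example code written for this page, not anything from Target's environment or the author's own tooling), the script below runs two egress checks over a handful of constructed outbound flow records: it flags destinations outside an egress allowlist, and it flags host-to-destination pairs that connect at near-constant intervals, the scheduled check-in pattern that command-and-control infrastructure tends to leave in network logs no matter how the malware itself is disguised. The record format, host names, IP addresses (from the documentation ranges) and the allowlist are all assumptions made for the example.

```python
"""Egress anomaly checks over constructed outbound connection records.

Two checks that look at the attacker's infrastructure rather than the
malware: (1) destinations outside an egress allowlist, and (2) host/
destination pairs contacted at near-constant intervals (beaconing).
All hosts, addresses and log lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed egress allowlist: networks the business is expected to talk to.
EGRESS_ALLOWLIST = [
    ip_network("10.0.0.0/8"),        # internal address space
    ip_network("198.51.100.0/24"),   # e.g. a payment processor (placeholder range)
]

# Constructed flow records: "timestamp src_host dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
2014-12-01T02:00:00 pos-017 10.0.5.20 443 1200
2014-12-01T02:00:03 pos-017 203.0.113.9 443 512
2014-12-01T02:05:03 pos-017 203.0.113.9 443 508
2014-12-01T02:10:04 pos-017 203.0.113.9 443 515
2014-12-01T02:15:03 pos-017 203.0.113.9 443 510
2014-12-01T02:20:03 pos-017 203.0.113.9 443 511
2014-12-01T02:01:00 hr-ws-04 198.51.100.7 443 3000
2014-12-01T02:03:00 hr-ws-04 192.0.2.44 80 900
2014-12-01T02:33:00 hr-ws-04 192.0.2.44 80 7000
2014-12-01T02:07:00 hr-ws-04 10.0.9.2 445 4000
"""


def parse_flows(text):
    """Parse the record format above into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            flows.append({
                "ts": datetime.fromisoformat(ts),
                "src": src,
                "dst": ip_address(dst),
                "port": int(port),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return flows


def allowlist_violations(flows, allowlist=EGRESS_ALLOWLIST):
    """Return (src, dst) pairs whose destination lies outside every allowed network."""
    seen = set()
    for f in flows:
        if not any(f["dst"] in net for net in allowlist):
            seen.add((f["src"], str(f["dst"])))
    return sorted(seen)


def beacon_candidates(flows, min_connections=4, max_jitter=0.2):
    """Return (src, dst, period_seconds) for pairs contacted at regular intervals.

    Jitter is the coefficient of variation of the inter-arrival gaps: human
    browsing is bursty, scheduled check-ins are not. Pairs with fewer than
    min_connections records are ignored so a couple of visits never trigger.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], str(f["dst"]))].append(f["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst in allowlist_violations(flows):
        print(f"ALLOWLIST  {src} -> {dst}")
    for src, dst, period in beacon_candidates(flows):
        print(f"BEACON     {src} -> {dst} every ~{period}s")
```

On the constructed data the point-of-sale host is reported twice: once for talking to an address outside the allowlist, and once for doing so every five minutes with almost no jitter. The workstation's two visits to an unlisted address are reported by the allowlist check only, which is the intended division of labour: the allowlist catches anything unexpected, the beacon check adds confidence where the traffic pattern itself looks automated. Either alert is only useful if, per lesson 2, someone owns the response to it.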

Conclusion

Organisations that appreciate and understand these five lessons learned from the Target breach will be in a much better position to respond, mitigate and remediate cybercrime attacks this winter and make the coming year a more enjoyable one.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft

I don't think upper management's learned anything

Todd Knarr  –  Dec 15, 2014 1:08 PM PST

I don't think upper management's learned anything from the Target breach. They still seem to treat security breaches as a public-relations problem rather than a security problem (i.e. the problem isn't the breach but the public knowledge of and reaction to the breach, and the solutions are aimed at defending against the reaction and ensuring the company isn't held liable for the consequences). Until that changes, I don't think there's going to be any success seen in getting your very reasonable 5 lessons addressed.

One thing may get upper management to change their attitudes. That's the lawsuit by the banks against Target holding Target liable not just for the relatively small penalties for the breach but for all of the costs the banks incurred cleaning up the consequences of the breach. Nothing gets management's attention faster than a big hit to their bottom line and the potential for being unable to avoid future similar hits. I hope the banks succeed, because it's the only hope I see for getting companies to actually take security seriously.
