4IT Blog

4IT has been serving the Miami area since 2003, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Top 10 Things We Can Learn from the Target Breach


For those of you not familiar with the SANS Institute (http://www.sans.org), it was established in 1989 as a cooperative IT security research and education organization that today reaches more than 165,000 security professionals around the world. It is a tremendous resource for everything related to IT security, and I highly encourage any organization or individual serious about IT security to visit the website and examine all that SANS has to offer.

I am giving well-deserved props to SANS because my article today is going to discuss a case study authored by Teri Radichel from radicalsoftware.com and accepted by SANS regarding the 2013 breach of Target retail stores. To review the full case study, please visit the following URL:

https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

Much of the information in my article is based on this case study, so my goal is to provide a more summarized version of the key elements of the breach, and what we should all learn about critical controls that might have prevented this type of cyberattack.


Lesson #1: Be very careful what you publish online about your infrastructure

It appears that attackers may have used a Google search that could have revealed a great deal of information about how Target interacts with vendors, the URL for the Target vendor portal, a list of HVAC and refrigeration vendor companies, and a detailed case study on the Microsoft web site that included details of key components of Target’s technical infrastructure, including POS system information.

Recommendation:  Details regarding IT infrastructure should be considered highly confidential and treated accordingly.


Lesson #2: You cannot control the security of your vendors

An email containing password stealing malware was sent to a refrigeration vendor which yielded usable credentials to the online vendor portal.

Recommendation: Assume that any one of your vendors can get penetrated. Set up your vendor access and monitoring accordingly.

Recommendation: Require two-factor authentication (2FA) for access to any publicly facing system. Had 2FA been implemented for access to the vendor portal, the entire breach might have been prevented. 2FA and other identity security can be easily achieved on almost any system using the right Single Sign-On (SSO) package.


Lesson #3: Spear phishing works.

Recommendation: Contract with a vendor that will run ongoing spear phishing campaigns against your employees and provide feedback and training based on the results. Require your vendors to do the same.


Lesson #4: Publicly facing systems should be highly restricted when initiating two-way communications to an internal system

Internet-facing systems often require some level of communication back to other internal systems. These can include SQL queries, Active Directory (AD) or RADIUS authentication, etc. These connections should be very carefully examined and restricted to the maximum extent possible to eliminate pivot points.

Recommendation: Every public facing system should be examined by penetration testing from an administrative account on the external facing system to see where it can lead.


Lesson #5: Systems that provide authentication services are an obvious attack point

A vulnerable domain controller can be used in a variety of ways to access other systems, domains, etc. When acting as a RADIUS or LDAP server, any unsecured authentication packets can be easily captured from any network connection.

Recommendation: Run recurring penetration testing to confirm that unsecured authentication traffic is not traversing the network, and that your authentication servers are not vulnerable.


Lesson #6: If you think Anti-Malware and Anti-Virus software will save you, think again

The malware that was used on the POS systems was custom software, and it was not detected by the antivirus or anti-malware scanners in use.

Recommendation: The trick here is detecting that a change was made.  For certain highly sensitive systems, monitoring and alerting should be configured to generate critical alerts based on ANY modification of the system, change of file permissions, etc.
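A minimal change-detection check of the kind this recommendation calls for, added here as an illustration (not code from the post or from the case study): it records a hash and permission bits for every file under a directory, then re-scans and raises an alert for any added, removed, rewritten or re-permissioned file. The directory tree, file names and alert wording are constructed for the example.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (sha256 hex digest, permission bits) for one regular file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest(), os.lstat(path).st_mode & 0o7777

def build_baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline

def compare(baseline, current):
    """Return (path, reason) alerts; on a POS host every one should be treated as critical."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append((rel, "removed"))
        elif rel not in baseline:
            alerts.append((rel, "added"))
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[rel], current[rel]
            if old_hash != new_hash:
                alerts.append((rel, "content changed"))
            if old_mode != new_mode:
                alerts.append((rel, "permissions changed %o -> %o" % (old_mode, new_mode)))
    return alerts

def demo():
    """Constructed scenario: baseline a tree, tamper with it, then re-check."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "pos.bin")  # stand-in for a sensitive binary
    with open(target, "wb") as f:
        f.write(b"original binary")
    os.chmod(target, 0o644)
    baseline = build_baseline(root)
    quiet = compare(baseline, build_baseline(root))  # nothing changed yet
    with open(target, "wb") as f:
        f.write(b"tampered binary")
    os.chmod(target, 0o400)
    with open(os.path.join(root, "dropped.dll"), "wb") as f:
        f.write(b"new file")
    return quiet, compare(baseline, build_baseline(root))
```

Real deployments keep the baseline off the monitored host (an attacker who can rewrite the files can rewrite a local baseline too) and ship the alerts to a system someone actually watches, which is the point of Lesson #8.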


Lesson #7: Default usernames and passwords are risky

Reports indicate data was retrieved using the default username and password for a server performance management platform.

Recommendation: Start using service templates for all change management.  This includes the installation of new hardware, software, platforms, etc.  That template should include changing or disabling all default usernames and passwords, a requirement for PCI and most compliance standards.


Lesson #8: Monitoring systems that no one pays attention to are useless

While the attack was in progress, monitoring software alerted a vendor that notified Target staff of the incident.  No action was taken by Target.

Recommendation: The team that is responsible for reviewing every security incident should include a staff member who is seriously paranoid and not part of the IT group.


Lesson #9: Don’t try to limit the scope of a PCI audit to save money

Because PCI compliance auditing can be expensive, most organizations try to exclude as many systems as possible from PCI scope to reduce the cost of the audit.  Worse than that, PCI compliance is not a risk mitigation strategy.

Recommendation: Organizations should institute risk management activities on a recurring basis, and they should include the entire organization, including staff and infrastructure that would normally not be considered in scope for PCI compliance.


Lesson #10: No matter how good your systems are, if IT is understaffed and undertrained, you are at serious risk

Too many organizations still look at IT strictly as a cost center where executives and staff are rewarded for reducing budgets and “saving” money.

Recommendation: IT and security budgets should not be considered fixed costs, but variable costs tied to the revenue and/or size of the organization. IT budgets should AUTOMATICALLY grow alongside the organization.

There is a lot of additional security information in the case study, and if you have the time and interest, I highly recommend reviewing it in its entirety.  If you don’t, make sure your IT security people do.  Learning from our collective mistakes is the most powerful IT security product that will ever be available, and it’s generally free.


Curious as to how your current IT solution stacks up against a potential breach? Check out our free IT Assessment to get a handle on your company's security today.
