Lessons from the Target Breach

Sue Marquette Poremba

One of the last things I wrote about in 2013 was the Target breach. I suspect that breach is going to linger for a while, not only for customers but for businesses that (I hope) are now thinking a lot more about the security of their credit card systems and their computer networks overall. I know one small business owner is, because she asked me the types of questions she should ask regarding the security of her system. (And those questions may be a blog post for another day.)

Right before I went on holiday break, I had an email conversation with some folks from Guidance Software regarding the Target breach and the forensic investigation into what happened. One of the first things I was told was that we shouldn’t have been surprised that this breach happened because it was inevitable. As Jason Fredrickson, senior director of application development at Guidance Software, told me:

Even security teams can overlook the fact that everything in our lives is now a computer. Point-of-sale solutions are often specialized hardware, running specialized software, and since they’re not “standard” workstations, they don’t have the anti-malware and anti-virus support that ordinary desktops and laptops do. Add that to the fact that they contain valuable information – credit card numbers, driver’s license information, etc. – and they’re an obvious target for large-scale attacks: the reward easily compensates the criminals for their effort.


Anthony Di Bello, director of strategic partnerships at Guidance Software, added that the Target breach was a good reminder that business owners need to worry about any and all devices that accept or broadcast wireless signals, especially devices where security is generally an afterthought. We get so focused on the security of open Wi-Fi that we forget that all wireless transmissions (Bluetooth and RFID, for example) carry risks and can be used as a vector into a network if misconfigured or not appropriately secured.

When I asked Di Bello what the forensic investigation would reveal, he said:

Ideally, the forensic investigation will reveal the security vulnerability that was taken advantage of so that Target can take the appropriate measures to close it. That being said, it will not make Target immune from a determined attacker’s ability to find another way “in.” For that matter, whatever lesson is learned will not reveal a path for other organizations to prevent this from happening to them. It does reveal two things: 1) the criminal element is highly organized and effective, and 2) a determined attacker with enough motivation will always find a way in.

Finally, Di Bello pointed out that retailers need to extend the same security controls they have around their corporate networks to store networks and point-of-sale (PoS) devices, because those are just as vulnerable as any other endpoint. In fact, he said, a PoS device might be even more vulnerable, as it typically sits in a publicly accessible area. For that reason, retailers should operate under the assumption that they are already compromised and should actively be seeking evidence of compromise on a regular basis.

I think this is only the beginning of the lessons we’re going to take away from this breach.



Comments

Jan 10, 2014 6:47 AM, Tom Rizzo says:
Most of the businesses I work with (and the businesses they work with) are much, much smaller than Target, but I think this unfortunate episode really demonstrates why the Payment Card Industry (PCI) is so serious about protecting credit card and debit card information. Businesses of any size face serious consequences when they betray their customers’ trust and let their personal payment card information fall into the wrong hands. We don’t know exactly what went wrong at Target, but you can be sure of this: If there is any chink in your data security armor, cyber criminals will find their way through it.
