One of the last things I wrote about in 2013 was the Target breach. I suspect that breach is going to linger for a while, not only for customers but for businesses that (I hope) are now thinking a lot more about the security of their credit card systems and their computer networks overall. I know one small business owner is, because she asked me what types of questions she should ask regarding the security of her system. (And those questions may be a blog post for another day.)
Right before I went on holiday break, I had an email conversation with some folks from Guidance Software regarding the Target breach and the forensic investigation into what happened. One of the first things I was told was that we shouldn’t have been surprised that this breach happened because it was inevitable. As Jason Fredrickson, senior director of application development at Guidance Software, told me:
Even security teams can overlook the fact that everything in our lives is now a computer. Point-of-sale solutions are often specialized hardware, running specialized software, and since they’re not “standard” workstations, they don’t have the anti-malware and anti-virus support that ordinary desktops and laptops do. Add that to the fact that they contain valuable information – credit card numbers, driver’s license information, etc. – and they’re an obvious target for large-scale attacks: the reward easily compensates the criminals for their effort.
Anthony Di Bello, director of strategic partnerships at Guidance Software, added that the Target breach was a good reminder that business owners need to worry about any and all devices that accept or broadcast wireless signals, especially devices where security is generally an afterthought. We get so focused on the security of open Wi-Fi that we forget that all wireless transmissions (Bluetooth, RFID, for example) have risks, and can be used as a vector into a network if misconfigured or not appropriately secured.
When I asked Di Bello what the forensic investigation would reveal, he said:
Ideally, the forensic investigation will reveal the security vulnerability that was taken advantage of so that Target can take the appropriate measures to close it. That being said, it will not make Target immune from a determined attacker’s ability to find another way “in.” For that matter, whatever lesson is learned will not reveal a path for other organizations to prevent this from happening to them. It does reveal two things: 1) the criminal element is highly organized and effective, and 2) a determined attacker with enough motivation will always find a way in.
Finally, Di Bello pointed out that retailers need to extend the same security controls they have around their corporate networks to store networks and point-of-sale (PoS) devices because they are just as vulnerable as any other endpoint. In fact, he said, a PoS device might be even more vulnerable, as it typically sits in a publicly accessible area. For that reason, retailers should operate under the assumption that they are already compromised and should actively be seeking evidence of compromise on a regular basis.
I think this is only the beginning of the lessons we’re going to take away from this breach.