The Target story
The attack on Target, which occurred during the holidays, has been all over the news, and it still is. I’ve read several articles on the incident, pored over differing opinions and viewpoints. The strange thing is, no one truly knows what happened and I sincerely doubt if anyone ever will. Although, it’d be nice if we could find out how hackers were able to grab data directly from the POS and siphon it out without being detected. It does make you wonder, with all the talk about layered security, internal protection and IDS, SIEM and the likes – wasn’t anyone watching? This went on for several days, mind you, I’m not talking about minutes or even hours – days. If Target does have a SIEM, what on earth were the people managing it doing? And if they don’t, why??
Attacking several hundreds of thousands of POS is not an easy feat even for the best of hackers. It requires stealth and a Trojan that will infest the network almost completely. Given the extent of the damage, it’s very likely that every single POS station was infected.
A POS is a specialized computer, typically running a slim version of Windows. ATM machines, for example, often run Windows ME – not the most secure thing out there. The other key issue is that updating such a platform is an arduous task. Imagine if an update takes down a million POS simultaneously, would you want to be the CIO in that situation? I know I wouldn’t. And even if the update works, updating so many stations just takes a lot of manhours; and you can’t just apply the updates as soon as Microsoft publishes them. You need a test bed wherein you can apply them and see that the application still runs without issues, something which inevitably further adds to the time. I wouldn’t be at all surprised if these POS were a few months behind on updates. In fact, I’d be really shocked if they weren’t.
So, you have a complex network, large, huge, comprised of devices that aren’t easy to update and which are vulnerable from the get go. What do you do? The first two things that come to mind for me are layered security and segmentation. Where Target’s concerned, I can’t know for sure if these were already done and simply didn’t work but that’s where I’d start.
Layered security – scan, scan, rescan and scan again!
Use every single AV out there, add every single technique you can imagine; don’t merely rely on a single solution from a single vendor to do the job. You never know who may be catching something new first. Yes, I’m talking about emails, but I’m also talking about web browsing; and I’d add encrypted traffic to the mix as well. It’s certainly true that you can’t get emails or browse the internet from a POS but don’t forget, it’s also very true that a computer on the same network, when infected, can be a conduit to attacking each and every single POS. And from this, we get to the segmentation. Assume a single computer in a store becomes infected and attacks the local POS – why should this be allowed to crawl throughout the entire network? Every store (as is every branch of a bank) should be considered hostile till proven otherwise, isolated, and only specific and properly authorized, and controlled traffic should be allowed to the rest of the network. Difficult to do? Not really; there’s plenty of technologies to achieve this. It’s only a matter of wanting to spend the money. Or not.
All this brings to the forefront an ‘issue’ I often encounter with my customers – the lack of proper protection at the periphery of their network. The mindset that nothing can attack the periphery, and that everything will only always go to and through the center. This couldn’t be farther from the truth.
The periphery is where you aren’t; it’s where you have the least (or zero) control over human behavior; it’s where a laptop could be brought in and you’d never know until disaster strikes.
Consequently, the periphery deserves and requires as much protection as the center, wouldn’t you agree? I’ve had prospects and existing customers come to me after the fact; when they finally agree to install proper protection. And in these cases, more often than not, we immediately detect that a hacker was using their network undisturbed.
On that same note, it puzzles me greatly when people say “my router sends all traffic through the VPN so I don’t need an IPS or a firewall”. That router sends all traffic originating from inside through the VPN; but what about incoming traffic? What about that public IP you need to use for it? Oh, and you think MPLS is better? MPLS (or similar layer 2 technologies) actually makes matters worse, because now, you’ve a wide area LAN, with all your branches connected on a peer to peer setting, without any limitation whatsoever on what can pass back and forth. So, if one branch is infected, spreading the infection through MPLS is as easy as 1-2-3.
What you need is proper firewall/IPS at every branch, even if you have MPLS or layer 2 routing (even worse), to isolate the local traffic and ensure infections don’t spread like wildfire. You haven’t seen that happen but, trust me, it (can and) does happen. Protect your remote sites as much as you protect your central location, both from the internet and from the rest of the branches. Nothing is ever a guarantee of 100% protection, but an open network is clearly more vulnerable to attacks than one which is properly segmented. And yes, those protection devices should be monitored, to alert you if an infection is caught at one of the remote locations.
Naturally, all these measures aren’t free, they cost money. And when you evaluate the cost against risks and benefits, someone higher up on the food chain might be willing to say “the risk isn’t worth this money”. I say it depends. Unfortunately, current laws don’t come with penalties unless you lose PII data against HIPAA.
In the case of Target, it’s unlikely that they’d have to fork out a single cent. But just for a second, imagine if the data they lost could be recognized as covered by HIPAA, think of those companies who had to pay millions of dollars because they lost hundreds of thousands of records, and then compare that to the 120 million records Target lost and you’ll immediately see that if we applied that same punitive logic, Target would quite likely be out of business (which, in my opinion, wouldn’t be excessive punishment save that their employees would lose their job).
Clearly, the laws of data breach disclosure aren’t quite strong enough; and the scenario is also further complicated by the fact that each state has its own set of laws and there isn’t a federal unified law to serve as a benchmark. Therefore, in a case like Target’s, whose laws apply? Likely those of all the states.
Somehow, these laws need to get to the point wherein the risk analysis forces companies to skew in favor of spending that money I discussed earlier. We can’t continue pretending that we strive for security, only to find out that the security of our companies is beyond pitiful because management doesn’t want to spend more than the absolutely necessary minimum.
Security isn’t about fixing the books and, as risks can never truly be fully calculated, it isn’t about fixing your bottom line either. As we’ve seen in the case of Target, it can cost you your company quite a bit.
Until next time, stay safe.