The storyline that a single point of failure allowed a sophisticated attacker to steal millions of card numbers from Target just doesn’t hold up.
A recent edition of the Computerworld Security Daily Newsletter contained no fewer than four articles discussing the data breach at Target, which was first disclosed way back in December. What exactly happened to Target remains a matter of great interest.
What’s being said about the hack is that it was enabled by a single point of failure. The blame is pinned on unstoppable malware on the point-of-sale (POS) systems or, alternatively, on a compromise of an HVAC contractor’s credentials. Either way, Target wants you to believe that the chain was exactly what its name implies: the target of a highly sophisticated attacker.
But the truth is that systematic failures, and not a single point of failure, led to the Target hack. No single vulnerability was exploited. There were vulnerabilities throughout Target’s security architecture that led to the theft of 110 million payment card numbers, along with the personally identifiable information of most of the affected cardholders.
Let’s assume that Target’s assertion is correct and that its network was compromised because its HVAC vendor was hacked. If that indeed led to the theft of millions of card numbers, then it suggests that Target’s network was not properly segregated to allow the HVAC vendor to have access only to required systems. So that was the first failure.
Once the attackers were on the network, they clearly had to perform reconnaissance for an extensive period of time to find systems that would enable the distribution of their malware. That suggests that Target had inadequate or perhaps even no intrusion detection deployed that could identify extensive probing of the network, especially critical network segments where the POS systems reside. That was the second failure.
It appears that the intruders were able to get the malware on the POS systems via Target’s own software distribution system, through worm-like methods of distribution, or by some combination of both. The attackers are thought to have tested the malicious software in a limited distribution, as a proof of concept, prior to wide-scale distribution. Either method should have been detected. Worm-like activity should have been picked up by network monitors. And if the attackers exploited Target’s internal software distribution system, then Target should have had practices in place to verify any additions to the standard software being pushed out. Failure No. 3.
Most POS systems enable whitelisting, which lets only approved software run on the system. Malware introduced to a POS system with whitelisting enabled would be rendered inoperable, even if it hadn’t been picked up by antivirus software. So not enabling whitelisting was the fourth failure.
The criminals had to exfiltrate the information they had garnered out of Target’s network. That incredibly involved process would require the hacking of multiple systems to both store and forward captured information. Target should have had software and processes in place to look for unusual network traffic. Likewise, the hacking of all of the systems used to exfiltrate the data should have been uncovered. Failures five and six.
These are not the only likely points of failures, but they are the most obvious ones.
Retailers targeted in attacks such as the one that hit Target like to claim that they were the victims of sophisticated attackers, with the implication that the attack was somehow unstoppable. But there was nothing particularly sophisticated about the Target attack. The attackers appeared to be persistent and disciplined more than technologically advanced. That is exactly how most attacks are perpetrated.
I have no reason to believe that Target’s technical employees are anything but well intentioned. But not ensuring that a high-level risk and architecture assessment was in place that could look for exactly those points of failure was in itself a failure. I’m not talking about a penetration test, but a thorough assessment of the overall network architecture to look for security vulnerabilities and the best places to install detection tools.
For example, Target should have reviewed the access architecture to verify that vendors were segregated and monitored. Given widely publicized breaches at other retailers, Target should have looked for covert channels with network monitoring tools. And it certainly should have assured the integrity of the POS systems, looking at best practices such as whitelisting software and verifying the applications that are pushed out to those systems.
A company like Target, with billions in revenue, can certainly allocate the appropriate resources to stop an attacker, sophisticated or otherwise. In fact, companies with considerably less in revenue should do the same, since an attack of this nature puts that revenue at risk. But don’t tell us how you are at the mercy of sophisticated attackers when you haven’t covered the basics. Target’s attackers exploited predictable vulnerabilities. They were tenacious and formidable, but they weren’t unstoppable. These attacks should have been detected and prevented.