You’ve no doubt heard about last year’s Target data breach that exposed millions of credit card numbers and personal records of the retailer’s customers. It’s perhaps the security incident of the decade – at least until the next big one occurs. The Target breach has not only impacted many of us personally, it has also created enormous – and much-needed – visibility for information security among business executives. I can imagine just a few days before the incident was detected, Target Chairman and CEO Gregg Steinhafel had no idea of the firestorm he was about to face. But it happened and now it’s on practically every CEO’s radar.
Here’s a high-level recap of the Target breach based on what’s currently known:
- It started with a phishing attack against Fazio Mechanical Services, Target’s refrigeration contractor – a firm that was apparently relying on the free Malwarebytes Anti-Malware software, which failed to protect it against the ensuing malware.
- Login credentials issued by Target to Fazio Mechanical Services were obtained by the criminal hackers, giving them subsequent network access (via a Web portal) into the Target environment.
- Point-of-sale (POS) malware – presumably the BlackPOS available for purchase online – was uploaded to POS systems at Target stores and used to scrape credit card data and related information directly from the memory of the POS computers in the brief window right after a payment card is swiped.
Generally speaking, it was a textbook security breach with the small twists of compromising a business associate first and then using memory scraping malware to capture sensitive information where it only exists for a relatively short period of time.
Fazio Mechanical Services’ statement on the Target breach says “Our IT system and security measures are in full compliance with industry practices”. Good to know. Wait, what does that mean? Nothing really. In fact, we hear this in the context of PCI DSS quite a bit: everyone is “compliant” until the point of breach. Target was compliant. Fazio was compliant. Everyone’s compliant until they learn they’re not.
In other words, all’s well in IT until something bad happens. But why? This is a double-edged sword. IT and/or the security team at any given retailer is responsible for the day-to-day protection of sensitive information. They’re also responsible for properly communicating the organization’s security status to management. The executives, in turn, are responsible for translating what they hear and making informed decisions on business risk. Based on what we’re seeing with the Target breach and others, this rarely happens. If this communication/decision-making process were truly effective, as it is in so many other aspects of business (e.g. finance and legal), then better decisions would be made and security incidents like this would occur less often.
A recent survey by AccessData and the Ponemon Institute found that 36 percent of IT security pros would tell the CEO and board of directors that a cyberattack had been resolved even if they didn’t know that it had been. I understand the concept of “CYA”, but talk about a conflict of interest! It’s as if everyone is doing whatever is best for them and not for the business.
Knowing that mega corporations like Target can be hit this hard, it’s a great time to take a clean-slate approach to information security. Understanding the Target facts, what would you do more of? Less of? Unless you want to eventually fall victim yourself, here are three critical steps you need to take starting today to have not just a “compliant” network but a resilient network that can weather such storms:
Determine who’s in charge of security and make sure they’re actually in charge.