What can organizations learn from the Target breach?

Adding a bit of complexity to your network structure could prevent critical data from being stolen

Security teams in organizations across the country are asking the question: how can we prevent a breach like the one that occurred at Target? After all, it has been a huge detractor in terms of business and reputation for the company. The only real answer, of course, is to be unconquerable in terms of security and privacy, but this is easier said than done.

We do not have every fine detail of what enabled the Target attack, which would give us the ability to completely prevent it from occurring again. While there are some ideas circulating on the matter and how it happened, it remains an overall mystery.

And this is precisely why it is impossible for a head of a corporation or any CEO to honestly claim that it would never, ever happen to their company. Yet, while we do not have all of the answers, we have still learned a lot about security and the prevention of breaches. Surprisingly, it isn't complex. What it comes down to is quite simply the basics.

What really happened at Target?

Aside from not knowing every fine detail, the most significant aspect of the attack was most likely the memory-scraping malware that was installed on the point-of-sale (PoS) equipment. But believe it or not, this is a common tactic the bad guys use to break into a system, and it only gets them halfway to their goal.

Keep in mind that Target is only the latest in a long line of cases where criminals took a simple concept, a small code fragment, and incorporated it into their method of illegally accessing critical data. It is impossible to completely eliminate a company's vulnerabilities because cyber criminals are too smart, and overly strict protection protocols would seriously limit "business as usual". Every business must continue to operate, especially during a busy season, which is exactly when these PoS devices were working overtime. Taking them offline, even once Target or any other company becomes aware of the malware, could be almost as disastrous to the bottom line as the breach itself.

What is tricky, and what most people don't realize, is that the attackers use these PoS devices even though they are in PCI scope. This means the attackers can only get partway with this first part of the breach, because the PoS devices fall within the regulations set by the PCI, the Payment Card Industry. For devices that store credit card information, the PCI rules state that they must never be able to communicate directly with the Internet. From what we can infer, Target followed these rules, and because of that the attackers were forced to break into, or otherwise compromise, an additional server within the organization. They hoarded the data that streamed from the PoS devices on that server; however, they still needed to retrieve the data.

How do you make the data impossible to remove?

To understand this, consider a labyrinth: this is how you can prevent data from being removed. Since the attackers will always exploit the PoS devices, and companies can't simply unplug them from the network, there has to be a final layer of protection that can't be penetrated or compromised. For example, the malware being injected into the PoS software may not be preventable, but it becomes worthless if the attacker is unable to remove the data they want to siphon.

Even though attackers can get in, if it isn't profitable or possible for them to "get out" what they want from the system, then it is pointless to attempt it in the first place. This means that the more they can be slowed down or tripped up, the stronger the deterrent.

It is unfortunate for Target and its clients that the breach happened because the labyrinth was weak and there was an easy way to navigate out of it. Basic compliance with the PCI requirements blocks direct outbound Internet access from critical data stores, but this only puts one wall between the attacker and the malware they have injected into the system. This is not too hard to get around. All the attacker needs to do is find a server that can talk to the Internet as well as to the critical locations.
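The "one wall" gap described above can be caught before an incident by checking a zone policy for multi-hop paths rather than only direct ones. The script below is an added example, not code from the original article; the zone names and the two policies are constructed to model the situation the text describes.

```python
"""Transitive reachability check for a zoned network policy.

Constructed model for this example: each zone is a node and each
permitted outbound flow is a directed edge. Blocking the PoS zone from
the Internet is modelled as the absence of a direct edge; the check then
looks for any multi-hop path, which is the gap a single wall leaves open.
"""
from collections import deque


def find_exfil_path(policy, source="pos", sink="internet"):
    """Return the first zone-by-zone path from source to sink, or None.

    Breadth-first search, so the shortest pivot chain is reported first.
    """
    queue = deque([[source]])
    seen = {source}
    while queue:
        path = queue.popleft()
        for nxt in policy.get(path[-1], ()):
            if nxt in seen:
                continue
            if nxt == sink:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


# "One wall": PoS has no direct Internet access, but it may push records
# to an internal file server that in turn has general outbound access.
ONE_WALL = {
    "pos": ["file-server"],
    "file-server": ["internet", "pos"],
    "corp": ["internet", "file-server"],
}

# Segmented: the only zone PoS can reach is a payment gateway whose sole
# outbound flow is a dedicated, allowlisted link to the acquirer; the
# file server reachable from corp has no outbound path at all.
SEGMENTED = {
    "pos": ["payment-gateway"],
    "payment-gateway": ["acquirer-link"],
    "corp": ["internet", "file-server"],
    "file-server": [],
}

if __name__ == "__main__":
    for name, pol in (("one wall", ONE_WALL), ("segmented", SEGMENTED)):
        print(name, "->", find_exfil_path(pol) or "no path to the Internet")
```

Feeding real firewall zone rules into the same structure turns this into a quick audit of whether the cardholder data environment can reach the Internet through any intermediate host.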
