What can organizations learn from the Target breach?

March 13, 2014
Adding a bit of complexity to your network structure could prevent critical data from being stolen

Security teams in organizations across the country are asking the same question: how can we prevent a breach like the one that occurred at Target? After all, it has done enormous damage to the company's business and reputation. The only real answer, of course, is to be unconquerable in terms of security and privacy, but that is easier said than done.

We do not have every detail of what enabled the Target attack, which would give us the ability to prevent it from occurring again. While some ideas are circulating about how it happened, the full picture remains unknown.

And this is precisely why it is impossible for the head of a corporation, or any CEO, to honestly claim that it would never happen to their company. Yet, while we do not have all of the answers, we have still learned a lot about security and the prevention of breaches. Surprisingly, it isn't complex: what it comes down to is quite simply the basics.

What really happened at Target?

Even without every detail, the most significant aspect of the attack was most likely the memory-scraping malware installed on the point-of-sale (PoS) equipment. Believe it or not, this is a common tactic the bad guys use to break into a system, and it only gets them halfway to their goal.

Keep in mind that Target is the latest in a long line of cases where criminals took a simple concept, a small code fragment, and built it into their method of illegally accessing critical data. It is impossible to eliminate a company's vulnerabilities entirely, because cyber criminals are too smart, and overly strict protection protocols would seriously limit business as usual. Every business must continue to operate, especially during a busy season, which is exactly when these PoS devices were working overtime. Pulling those devices out of service, even once Target or any other company becomes aware they are compromised, could be almost as disastrous to the bottom line as the breach itself.

What is tricky, and what most people don't realize, is that the PoS devices the attackers use are in PCI scope. This means the attackers can get away with this first part of the breach only so far, because these PoS devices fall within the regulations set by the PCI, the Payment Card Industry. For devices that store credit card information, the PCI rules state that they must never be able to communicate directly with the Internet, and from what we can infer, Target followed these rules. Because of that, the attackers were forced to break into, or otherwise compromise, an additional server within the organization. There they hoarded the data that streamed from the PoS devices; however, they still needed a way to retrieve it.

How do you make the data impossible to remove?

To understand this, picture a labyrinth: that is the model for preventing data from being removed. Since the attackers will always exploit the PoS devices, and companies can't simply unplug from their networks, there has to be a final layer of protection that can't be penetrated or compromised. For example, the malware being injected into the network may not be preventable, but it becomes worthless if the attacker is unable to get out the data they want to siphon.

Even though attackers can get in, if it isn't possible or profitable for them to get what they want out of the system, then the attempt is pointless in the first place. The more they can be slowed down or tripped up, the stronger the deterrent.

It's unfortunate for Target and its clients that the breach happened because of a weak security labyrinth with an easy way out. The basic advice for meeting the PCI requirements blocks outbound Internet access from critical data stores, but this puts only one wall between the attacker and the malware they have injected into the system. That is not too hard to get around: all the attacker needs to do is find a server that can talk to the Internet as well as to the critical locations.

It goes without saying that with any security design, mistakes can and usually will occur. But if there are more than three turns in the design, it becomes stronger. This is where automation can help: you can test your security this way and see whether anyone could use malware to slip past your controls. Even though just about any system can be compromised, additional levels of protection cost the attackers more in time, energy and resources. So while extreme complexity is unnecessary, some twists and turns in your system are. This will help you become a more difficult target.

Keep in mind that perpetrators of cybercrime are generally lazy, and this highlights why a security labyrinth is vital. Avoiding a breach such as the one Target experienced first requires identifying what matters most to your business. Consider these your core assets. Then ask whether these items can be reached from outside the system, and if so, why. Keep in mind that databases have no need to surf; if yours can't, that is good. Also ask which parts of your network can reach your databases, and how many of those are able to get out. Keep revisiting these questions periodically as your business databases and systems grow and change, because the harder you make it for cyber criminals to succeed, the more secure your infrastructure will remain.
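The questions in the last three paragraphs (which critical locations can reach the Internet, through how many turns, and which servers can talk to both) can be answered mechanically from a zone-to-zone allow policy. The script below is an added example, not code from the original article or from Target; it models a constructed, hypothetical network in which the PoS segment obeys the PCI rule of never talking to the Internet directly, yet an update server that reaches both the PoS segment and the Internet gives exfiltrated data a two-hop way out. All zone names (`pos`, `card_db`, `update_server`, `corp`) and rules are invented for illustration; a hardened policy with the update server's Internet access removed is audited alongside it.

```python
from collections import defaultdict

# Constructed sample policies (hypothetical zone names, not any real network).
# Each line "src -> dst" means traffic is permitted from zone src to zone dst;
# anything not listed is denied.
WEAK_POLICY = """
# PoS devices may not reach the internet directly (the PCI rule)...
pos -> card_db
pos -> update_server
# ...but the update server talks to both the PoS segment and the internet,
# which is the pivot an attacker needs to get data out.
update_server -> pos
update_server -> card_db
update_server -> internet
corp -> update_server
corp -> internet
"""

HARDENED_POLICY = """
pos -> card_db
pos -> update_server
update_server -> pos
update_server -> card_db
corp -> update_server
corp -> internet
"""


def parse_policy(text):
    """Parse 'src -> dst' lines into an adjacency map {src: {dst, ...}}."""
    graph = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = (part.strip() for part in line.split("->", 1))
        graph[src].add(dst)
    return dict(graph)


def egress_paths(graph, start, egress="internet", max_hops=4):
    """Every loop-free path from `start` to `egress` with at most `max_hops`
    edges, as lists of zone names. Plain depth-first search: policy graphs
    are tiny, so the exponential worst case does not matter here."""
    found = []

    def walk(node, path):
        if node == egress:
            found.append(list(path))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:          # keep paths simple (no cycles)
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return found


def pivot_zones(graph, sensitive, egress="internet"):
    """Zones sitting between a sensitive zone and the egress point on some
    path: the 'server that can talk to the Internet as well as critical
    locations' the article describes."""
    pivots = set()
    for zone in sensitive:
        for path in egress_paths(graph, zone, egress):
            pivots.update(path[1:-1])
    return sorted(pivots)


def shortest_egress_hops(graph, zone, egress="internet"):
    """Fewest 'turns' from zone to egress, or None when no route exists."""
    paths = egress_paths(graph, zone, egress)
    return min(len(p) - 1 for p in paths) if paths else None


def audit(policy_text, sensitive=("pos", "card_db")):
    """Report, per sensitive zone, how many hops data needs to reach the
    Internet, every concrete route, and which zones act as pivots."""
    graph = parse_policy(policy_text)
    return {
        "hops": {z: shortest_egress_hops(graph, z) for z in sensitive},
        "pivots": pivot_zones(graph, sensitive),
        "paths": {z: egress_paths(graph, z) for z in sensitive},
    }


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        report = audit(policy)
        print(f"{name}: hops to internet {report['hops']}, pivots {report['pivots']}")
        for zone, paths in report["paths"].items():
            for path in paths:
                print("   ", " -> ".join(path))
```

Run against the weak policy, the audit confirms that `pos` has no direct route out (a one-hop search finds nothing, so the PCI rule is honoured) but still reaches the Internet in two hops through `update_server`, which is reported as the pivot; the hardened policy yields no route and no pivots. Feeding the same analysis from an export of real firewall rules, and re-running it whenever zones or rules change, is one way to automate the periodic check the article recommends.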