6 Failures That Led to Target Hack
The storyline that a single point of failure allowed a sophisticated attacker to steal millions of card numbers from Target just doesn't hold up.
Wed, February 12, 2014
Computerworld — A recent edition of the Computerworld Security Daily Newsletter contained no fewer than four articles discussing the data breach at Target, which was first disclosed way back in December. What exactly happened to Target remains a matter of great interest.
What's being said about the hack is that it was enabled by a single point of failure. The blame is pinned on unstoppable malware on the point-of-sale (POS) systems or, alternatively, on a compromise of an HVAC contractor's credentials. Either way, Target wants you to believe that the chain was exactly what its name implies: the target of a highly sophisticated attacker.
But the truth is that systematic failures, and not a single point of failure, led to the Target hack. No single vulnerability was exploited. There were vulnerabilities throughout Target's security architecture that led to the theft of 110 million payment card numbers, along with the personally identifiable information of most of the affected cardholders.
Let's assume that Target's assertion is correct and that its network was compromised because its HVAC vendor was hacked. If that indeed led to the theft of millions of card numbers, then it suggests that Target's network was not properly segregated so that the HVAC vendor had access only to the systems it required. So that was the first failure.
Once the attackers were on the network, they clearly had to perform reconnaissance for an extensive period of time to find systems that would enable the distribution of their malware. That suggests that Target had inadequate or perhaps even no intrusion detection deployed that could identify extensive probing of the network, especially critical network segments where the POS systems reside. That was the second failure.
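The kind of probing described above leaves a recognizable footprint: one source touching an unusually large number of distinct internal hosts or ports in a short window. The following Python is an added example, not code from the article or from Target; it assumes a simple connection-log line format of `timestamp src dst dport` (an assumption, not any real product's format) and flags sources that exceed a distinct-target threshold inside a sliding time window. The log lines are constructed inline.

```python
"""Flag internal hosts that probe many distinct targets in a short window.
Added example: the log format and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse an assumed 'ISO-timestamp src dst dport' line into (datetime, src, (dst, port))."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, (dst, int(port))


def find_scanners(lines, window=timedelta(minutes=5), threshold=20):
    """Return {src: peak distinct (dst, port) count} for every source whose peak
    number of distinct targets inside any `window` reaches `threshold`."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, target = parse_line(line)
        events[src].append((ts, target))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # order by timestamp
        start = 0
        live = defaultdict(int)         # target -> occurrences inside the current window
        peak = 0
        for ts, target in evs:
            live[target] += 1
            # evict events that fell out of the trailing window
            while evs[start][0] < ts - window:
                old = evs[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def sample_log():
    """Constructed sample: one host sweeps 30 internal hosts on TCP 445 within a minute,
    while an admin workstation touches two hosts over RDP. Addresses are made up."""
    base = datetime(2013, 11, 15, 2, 0, 0)
    lines = []
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 10.10.5.23 10.20.1.{10 + i} 445")
    for i, dst in enumerate(["10.20.1.10", "10.20.1.11", "10.20.1.10"]):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 10.10.9.4 {dst} 3389")
    return lines


if __name__ == "__main__":
    print(find_scanners(sample_log()))  # the sweeping host is reported, the admin host is not
```

The threshold and window are tuning knobs: on a segment holding only POS terminals, legitimate sources rarely contact more than a handful of peers, so a much lower threshold is appropriate there than on a general office network.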
It appears that the intruders were able to get the malware on the POS systems via Target's own software distribution system, through worm-like methods of distribution, or by some combination of both. The attackers are thought to have tested the malicious software in a limited distribution, as a proof of concept, prior to wide-scale distribution. Either method should have been detected. Worm-like activity should have been picked up by network monitors. And if the attackers exploited Target's internal software distribution system, then Target should have had practices in place to verify any additions to the standard software being pushed out. Failure No. 3.
Most POS systems enable whitelisting, which lets only approved software run on the system. Malware introduced to a POS system with whitelisting enabled would be rendered inoperable, even if it hadn't been picked up by antivirus software. So not enabling whitelisting was the fourth failure.
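Both the distribution-side check in the previous paragraph (verifying that nothing was added to the standard software being pushed out) and endpoint whitelisting rest on the same idea: a signed or otherwise trusted manifest of approved files and their hashes, against which anything staged for deployment or executed on the terminal is compared. The Python below is an added example, not Target's code or any vendor's product; it builds a SHA-256 manifest from an approved release and reports modified, unexpected and missing files in a staged copy. The directories and file contents are constructed in a temporary directory, and the file names are invented.

```python
"""Manifest-based allowlist check for a software release.
Added example: directory layout and file names are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root (the approved release)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root, manifest):
    """Compare a staged tree against the approved manifest.

    Returns lists of 'modified', 'unexpected' and 'missing' paths. Any non-empty
    list means the push (or, on an endpoint, the execution) should be blocked.
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in actual if p in manifest and actual[p] != manifest[p]),
        "unexpected": sorted(p for p in actual if p not in manifest),
        "missing": sorted(p for p in manifest if p not in actual),
    }


def demo():
    """Constructed scenario: approve a release, then tamper with the staged copy by
    adding a foreign library and editing a config file. All contents are made up."""
    with tempfile.TemporaryDirectory() as approved, tempfile.TemporaryDirectory() as staged:
        for d in (approved, staged):
            Path(d, "bin").mkdir()
            Path(d, "bin", "pos.exe").write_bytes(b"approved pos binary build 42")
            Path(d, "pos.cfg").write_text("printer=lpt1\n")
        manifest = build_manifest(approved)

        # hypothetical tampering of the staged copy
        Path(staged, "bin", "extra.dll").write_bytes(b"not part of the approved release")
        Path(staged, "pos.cfg").write_text("printer=lpt1\nexport=\\\\share\n")
        return verify_against_manifest(staged, manifest)


if __name__ == "__main__":
    print(demo())  # reports the edited config and the unexpected library
```

On the endpoint the same comparison is what an application-whitelisting agent performs at execution time, usually against a manifest protected by a signature rather than a plain dictionary; the distribution-side check simply runs it before the package ever reaches the terminals.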