Recommendations for Security and Privacy at Target
The 2013 breach of credit cards and customer’s personally
identifiable information (PII) revealed serious deficiencies in the security of
the company’s IT infrastructure and illustrated the inadequacy of having
state-of-the-art security technology without the appropriate people and
processes to respond to threats. The goal of this new security policy is to
build on Target’s existing security infrastructure while improving the people
and processes needed to secure Target’s IT against future attack.
Background:
Target has been audited every year by Trustwave and found to
be compliant with PCI DSS up to the time of the breach.[1]
Several security experts claim that simply complying with PCI DSS would not
have necessarily prevented the breach,[2]
and that security standards take time to develop and do not reflect the newest
threats.[3]
Regulatory compliance with PCI DSS was not enough for Target
to prevent this attack, yet that doesn’t mean there was nothing Target could
have done. In fact, Target had received multiple warnings of suspicious
activity during the early stages of the attack yet their internal security team
chose not to investigate them. This shows that Target, as an organization, did
not make a commitment to security. In this paper, we will focus on aspects of
this policy that are significantly different from Target’s current state. On
the people and processes front, security culture, issue escalation, alert
response, and third party vendor management will be covered. On the technical
front, we will cover network segmentation.
Security Oriented Culture
C-level executives set the “tone at the top” of whether or
not an organization cares about security. The hiring of a CISO is a critical
first step in achieving a healthy security culture, but studies show that
security suffers when the CISO reports to the CIO.[4]
This policy mandates that the CISO reports to the Board of Directors, not the
CIO as in Target’s current structure. This ensures that the voice of security
is heard at the highest levels of the organization.
Issue Escalation
Employees of the security organization must know when to
report security issues to higher command. On November 30th,
FireEye’s security experts sent a high level alert to Target’s security
headquarters after detecting malware that was attempting to exfiltrate data
from Target’s network. Target had two days to act on this warning before the
exfiltration began.[5]
Target’s security team, however, ignored the warnings, perhaps because the head
of the department had quit a month earlier and no one else thought they had the
authority to take action.5 The policy mandates if a chain in command
is missing, the threat will be reported to the next level of command and not
simply ignored.
Alert Response
Target has world class security applications installed on
their networks. In addition to FireEye’s alert, Target also received warnings
from its Symantec Endpoint Protection software to malware on a network server.5
Target’s security team chose to not respond to either of these warnings, even
though they were of high priority.[6]
This policy mandates at all medium to high priority alerts and warnings are
documented and investigated within 24 hours. Furthermore, a high level alert
must be resolved in 48 hours. Possible resolution can include removing malware,
disabling a service, installing a patch, or even determining that the alert was
not a threat. To resolve a high level alert, the CISO must sign off on the
resolution documentation.
Third Party Vendor Management
Third party vendors significantly increase the attack
surface of large organizations, as Target had learned first-hand. To protect
Target’s internal IT infrastructure, the security posture of third party
vendors with access to Target’s network must be carefully vetted, and that 3rd
party access to Target’s system is limited. The level of scrutiny for a
potential vendor should be proportional to the level of access granted to
Target’s internal network.
Network Segmentation
Network segmentation is a defensive measure of isolating
sensitive IT resources the rest of the company’s network. Target did not
separate Point of Sale (POS) machines from the rest of the company’s network,
even though isolation of the card environment is highly recommended by PCI.7
The allowed the attackers to install RAM scraping malware on every POS system
after breaching the general network.[7]
This policy mandates all systems involved in storing or processing PII to be
isolated from Target’s general network, ensuring “defense in depth” even in
event of a surface level breach.
Conclusion
The proposed information security and privacy policy
minimizes risks and maximizes returns on security investment by leveraging
Target’s existing technology and augmenting the people and processes behind its
security infrastructure. The Target breach showed that there are not miracle
applications or compliance certifications that guarantee security. Security can
only be achieved through organizational commitment, effective processes, and
defense in depth.
[1] http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936
[2] http://blogs.gartner.com/avivah-litan/2014/01/20/how-pci-failed-target-and-u-s-consumers/
[3] http://www.technewsworld.com/story/80160.html
[4] http://www.csoonline.com/article/2365827/security-leadership/maybe-it-really-does-matter-who-the-ciso-reports-to.html
[5]
Target Data Breach Case Study
[6] http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
[7] http://blogs.sophos.com/2014/04/02/sophos-at-bsides-austin-credit-card-security-and-pci-dss-compliance-post-target/
