Saturday, December 13, 2014

IT Audit and Security Final Case Study: Target Breach

The prompt for this case study was to develop an updated information security policy for Target in light of its recent card breach. There was a two-page limit on the response, so instead of outlining every topic in a comprehensive policy, I detailed several individual policies that I would change from existing practices.

Recommendations for Security and Privacy at Target

The 2013 breach of credit cards and customers’ personally identifiable information (PII) revealed serious deficiencies in the security of the company’s IT infrastructure and illustrated the inadequacy of having state-of-the-art security technology without the appropriate people and processes to respond to threats. The goal of this new security policy is to build on Target’s existing security infrastructure while improving the people and processes needed to secure Target’s IT against future attack.

Background:

Target has been audited every year by Trustwave and found to be compliant with PCI DSS up to the time of the breach.[1] Several security experts claim that simply complying with PCI DSS would not have necessarily prevented the breach,[2] and that security standards take time to develop and do not reflect the newest threats.[3]
Regulatory compliance with PCI DSS was not enough for Target to prevent this attack, yet that doesn’t mean there was nothing Target could have done. In fact, Target had received multiple warnings of suspicious activity during the early stages of the attack yet their internal security team chose not to investigate them. This shows that Target, as an organization, did not make a commitment to security. In this paper, we will focus on aspects of this policy that are significantly different from Target’s current state. On the people and processes front, security culture, issue escalation, alert response, and third party vendor management will be covered. On the technical front, we will cover network segmentation.

Security Oriented Culture

C-level executives set the “tone at the top” of whether or not an organization cares about security. The hiring of a CISO is a critical first step in achieving a healthy security culture, but studies show that security suffers when the CISO reports to the CIO.[4] This policy mandates that the CISO reports to the Board of Directors, not the CIO as in Target’s current structure. This ensures that the voice of security is heard at the highest levels of the organization.

Issue Escalation

Employees of the security organization must know when to report security issues to higher command. On November 30th, FireEye’s security experts sent a high level alert to Target’s security headquarters after detecting malware that was attempting to exfiltrate data from Target’s network. Target had two days to act on this warning before the exfiltration began.[5] Target’s security team, however, ignored the warnings, perhaps because the head of the department had quit a month earlier and no one else thought they had the authority to take action.[5] The policy mandates that if a link in the chain of command is missing, the threat is reported to the next level of command rather than simply ignored.

Alert Response

Target has world class security applications installed on their networks. In addition to FireEye’s alert, Target also received warnings from its Symantec Endpoint Protection software about malware on a network server.[5] Target’s security team chose not to respond to either of these warnings, even though they were of high priority.[6] This policy mandates that all medium- to high-priority alerts and warnings are documented and investigated within 24 hours. Furthermore, a high level alert must be resolved within 48 hours. Possible resolutions include removing malware, disabling a service, installing a patch, or even determining that the alert was not a threat. To resolve a high level alert, the CISO must sign off on the resolution documentation.
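The escalation and alert response rules above, worked through as an added example (my own illustration, not part of the original case study). It assumes a constructed chain of command (analyst, security head, CISO, board), and the alert timestamps are constructed to mirror the November 30th FireEye alert with the security head’s seat vacant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Chain of command, least senior first. Constructed for this example; the
# case study itself only names the CISO and the vacant head of security.
CHAIN = ["analyst", "security_head", "ciso", "board"]

# Policy timers from the case study: medium and high alerts must be
# investigated within 24h, high alerts resolved within 48h.
INVESTIGATE_SLA = {"medium": timedelta(hours=24), "high": timedelta(hours=24)}
RESOLVE_SLA = {"high": timedelta(hours=48)}


@dataclass
class Alert:
    source: str
    priority: str
    raised: datetime
    owner: str                          # role the alert is assigned to
    investigated: Optional[datetime] = None
    resolved: Optional[datetime] = None
    signed_off_by: Optional[str] = None


def route(alert: Alert, vacant: Set[str]) -> str:
    """Return the first filled role at or above the alert's owner.
    A vacant seat is skipped, never left holding the alert."""
    idx = CHAIN.index(alert.owner)
    for role in CHAIN[idx:]:
        if role not in vacant:
            return role
    raise RuntimeError("no filled role at or above %s" % alert.owner)


def sla_breaches(alert: Alert, now: datetime) -> List[str]:
    """List the policy rules this alert violates as of `now`."""
    breaches = []
    inv = INVESTIGATE_SLA.get(alert.priority)
    if inv and alert.investigated is None and now - alert.raised > inv:
        breaches.append("not investigated within 24h")
    res = RESOLVE_SLA.get(alert.priority)
    if res and alert.resolved is None and now - alert.raised > res:
        breaches.append("not resolved within 48h")
    # High alerts are only closed once the CISO signs the resolution.
    if alert.priority == "high" and alert.resolved and alert.signed_off_by != "ciso":
        breaches.append("high alert resolved without CISO sign-off")
    return breaches
```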

Third Party Vendor Management

Third party vendors significantly increase the attack surface of large organizations, as Target learned first-hand. To protect Target’s internal IT infrastructure, the security posture of third party vendors with access to Target’s network must be carefully vetted, and third party access to Target’s systems must be limited. The level of scrutiny for a potential vendor should be proportional to the level of access granted to Target’s internal network.

Network Segmentation

Network segmentation is a defensive measure that isolates sensitive IT resources from the rest of the company’s network. Target did not separate Point of Sale (POS) machines from the rest of the company’s network, even though isolation of the card environment is highly recommended by PCI.[7] This allowed the attackers to install RAM scraping malware on every POS system after breaching the general network.[7] This policy mandates that all systems involved in storing or processing PII be isolated from Target’s general network, ensuring “defense in depth” even in the event of a surface level breach.

Conclusion

The proposed information security and privacy policy minimizes risks and maximizes returns on security investment by leveraging Target’s existing technology and augmenting the people and processes behind its security infrastructure. The Target breach showed that there are no miracle applications or compliance certifications that guarantee security. Security can only be achieved through organizational commitment, effective processes, and defense in depth.


[1] http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936
[2] http://blogs.gartner.com/avivah-litan/2014/01/20/how-pci-failed-target-and-u-s-consumers/
[3] http://www.technewsworld.com/story/80160.html
[4] http://www.csoonline.com/article/2365827/security-leadership/maybe-it-really-does-matter-who-the-ciso-reports-to.html
[5] Target Data Breach Case Study
[6] http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
[7] http://blogs.sophos.com/2014/04/02/sophos-at-bsides-austin-credit-card-security-and-pci-dss-compliance-post-target/