
Additional Lessons From the 2013 Target Breach

Recently KrebsOnSecurity published the follow-up piece Inside Target Corp., Days After 2013 Breach. It provides some of the details from an internal report by Verizon, the penetration testing vendor that Target engaged from December 21, 2013 to March 1, 2014. Target has not confirmed the authenticity of the report referenced by KrebsOnSecurity, but some good ‘lessons learned’ can be taken from the story regardless.

These lessons, while certainly not new, involve key areas that I believe most organizations struggle with, especially organizations that have grown rapidly or through many acquisitions.

1. Segmentation

“Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.”

Segmentation beyond the typical demilitarized zone (DMZ) was not a common strategy in the past, and large networks that have grown over many years can be difficult to untangle and redesign. Most segmentation efforts I have seen were narrowly focused: a single “secure zone” was carved out of the network and sensitive data and systems were migrated into it. Compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) have motivated some companies to segment their environments. Unfortunately, because checking compliance boxes is often the driver, organizations segment to limit scope and reduce how much of their environment will be assessed, rather than reviewing the environment holistically. A zone boundary only helps if the default between zones is deny and every allowed flow is tied to a legitimate need; otherwise a foothold anywhere is a foothold everywhere, which is what the quote above describes. Hopefully this lesson from the Target breach, and from other breaches, will continue to motivate a risk-based approach to segmenting networks and systems: not one focused solely on specific data types like credit card numbers or social security numbers, but, as suggested, one driven by legitimate user need and job role/responsibilities.
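One way to make the "flat network" problem concrete is to compute the blast radius of a single compromised zone under a given allow-list. The example below is added here and is not code from the original post or from Target; the zone names, the flows in SEGMENTED_POLICY and the "flat" policy are constructed for illustration and do not describe Target's actual network.

```python
"""Blast-radius check for a zoned network (added example, constructed data)."""
from collections import deque

# Allowed flows between zones: (source_zone, destination_zone, service).
# Default deny: anything not listed is blocked at the zone boundary.
# Every entry is an assumption made for this example.
SEGMENTED_POLICY = [
    ("vendor-vpn", "vendor-portal", "https"),   # a supplier submits invoices
    ("corp-users", "corp-apps", "https"),
    ("store-pos", "payment-switch", "tls"),     # registers talk only to the switch
    ("admin-jump", "store-pos", "rdp"),         # maintenance only via a jump host
    ("admin-jump", "corp-apps", "ssh"),
]

ZONES = ["vendor-vpn", "vendor-portal", "corp-users", "corp-apps",
         "store-pos", "payment-switch", "admin-jump"]

# A "flat" network: every zone can reach every other zone over anything.
FLAT_POLICY = [(a, b, "any") for a in ZONES for b in ZONES if a != b]


def reachable_zones(policy, foothold):
    """Return the zones reachable (transitively) from one compromised zone.

    Plain breadth-first search over the allow-list. It ignores what an
    attacker would have to do on each hop on purpose: the result is the
    upper bound the policy imposes, which is exactly what segmentation is
    meant to shrink.
    """
    adjacency = {}
    for src, dst, _service in policy:
        adjacency.setdefault(src, set()).add(dst)
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(foothold)
    return seen


def flows_to(policy, destination):
    """List which zones a policy allows to reach `destination`, and over what."""
    return sorted((src, service) for src, dst, service in policy if dst == destination)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = reachable_zones(policy, "vendor-vpn")
        print(f"{name:9s}: a compromised vendor VPN account reaches "
              f"{len(reach)} other zone(s): {sorted(reach)}")
    print("zones allowed to reach store-pos:", flows_to(SEGMENTED_POLICY, "store-pos"))
```

Run against the flat policy, the vendor foothold reaches all six other zones, registers included; against the segmented policy it reaches only the portal it has a legitimate need for, and the only path to the registers is the administrative jump host. Running the same reachability check on a real ruleset export (firewall ACLs, cloud security groups) is a cheap way to find the "nothing stops them" paths before a pen-tester or an attacker does.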

2. Vendor / 3rd Party Assessment

The source of the Target breach, according to KrebsOnSecurity, was a small heating and air conditioning company, Fazio Mechanical. Fazio had suffered a breach of its own in which attackers stole valid credentials, which they then used to access Target remotely through its virtual private network (VPN). As more organizations become dependent on third-party suppliers, outsourcers, and other partners, greater emphasis needs to be placed on assessing those partners' security controls and breach notification procedures. It is not enough to mandate security requirements in contracts if companies do not also check periodically that the requirements are in place and operating effectively. Equally important is limiting what a vendor credential can reach: a supplier with a narrow business need has no legitimate need for a foothold on the internal network.

3. Vulnerability Remediation

“Also, establish a system for finding and fixing vulnerabilities on a regular basis, and follow-up to verify the gaps have been closed.”

Given the plethora of security products designed to find vulnerabilities, it is relatively easy to implement a vulnerability scanning program that will turn up loads of problems to address. So why is vulnerability remediation so hard? Here are some key elements that are needed but are also, at times, difficult to do:

  • Understanding the risk (likelihood and impact) if the vulnerabilities are exploited
  • Knowing what other compensating security controls are in place
  • Defining the priority of what should be fixed first
  • Maintaining the support of business leadership to enforce timely remediation

Vulnerability management is a never-ending and often tedious problem. Pushing directly for support from overburdened system administrators and operations teams is a quick way to burn out any security professional. Garner business leadership support, put in place automated issue-escalation systems, and report meaningful metrics and status to leadership consistently. Asset owners and custodians should be driving vulnerability remediation with the support of the security team, not the other way around.
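The four elements listed above (likelihood and impact, compensating controls, priority, and time-boxed escalation to the owner) can be turned into a small ranking routine run over scanner output. The example below is an added illustration, not code from the original post or from any scanner vendor. The findings, the asset/impact table, the control catalogue, the weights and the SLA windows are all constructed assumptions; the finding identifiers are placeholders, not real CVE numbers.

```python
"""Risk-ranking scan findings with compensating controls and SLA escalation."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    asset: str
    finding_id: str       # constructed placeholder identifiers, not real CVE numbers
    severity: float       # scanner's base severity, 0-10
    exploit_public: bool  # is a working exploit publicly available?
    exposure: str         # "internet", "vendor" (partner-reachable) or "internal"
    opened: date          # when the scanner first reported it
    owner: str            # asset owner accountable for the fix


# Assumed CMDB export: business impact if the host is compromised (1 low .. 5
# critical) and the compensating controls known to be in place on it.
ASSETS = {
    "pos-reg-0412": {"impact": 5, "controls": {"app-allowlist", "zone-acl"}},
    "vendor-portal": {"impact": 3, "controls": {"waf"}},
    "hvac-gw": {"impact": 2, "controls": set()},
    "dc01": {"impact": 5, "controls": {"mfa-admin"}},
}

# Assumed likelihood reduction per control. A real program should only credit
# a control that actually mitigates the finding's attack vector; for brevity
# this catalogue applies controls per asset.
CONTROL_REDUCTION = {"app-allowlist": 0.4, "zone-acl": 0.2, "waf": 0.3, "mfa-admin": 0.6}
EXPOSURE_WEIGHT = {"internet": 1.0, "vendor": 0.8, "internal": 0.5}

# Remediation window in days per risk band; older findings escalate to the owner.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

AS_OF = date(2014, 3, 1)  # constructed report date

# Constructed findings, not real scan output.
SAMPLE_FINDINGS = [
    Finding("pos-reg-0412", "F-001", 9.8, True, "internal", date(2014, 1, 15), "store-ops"),
    Finding("vendor-portal", "F-002", 7.5, True, "vendor", date(2014, 2, 20), "procurement-it"),
    Finding("hvac-gw", "F-003", 5.0, False, "vendor", date(2013, 11, 1), "facilities"),
    Finding("dc01", "F-004", 8.8, False, "internal", date(2014, 2, 25), "ad-team"),
]


def likelihood(f: Finding) -> float:
    """Chance the finding gets exploited, 0..1, after exposure and controls."""
    score = (f.severity / 10.0) * EXPOSURE_WEIGHT[f.exposure]
    if f.exploit_public:
        score = min(1.0, score * 1.5)
    # Controls reduce likelihood multiplicatively and never drive it to zero:
    # a compensating control buys time, it is not a fix.
    for control in ASSETS[f.asset]["controls"]:
        score *= 1.0 - CONTROL_REDUCTION.get(control, 0.0)
    return round(score, 3)


def risk(f: Finding) -> float:
    """Risk = likelihood x impact, on a 0..5 scale."""
    return round(likelihood(f) * ASSETS[f.asset]["impact"], 3)


def band(score: float) -> str:
    if score >= 3.0:
        return "critical"
    if score >= 1.5:
        return "high"
    if score >= 0.5:
        return "medium"
    return "low"


def prioritize(findings, today):
    """Rank findings by risk; flag those past their SLA for escalation to the owner."""
    rows = []
    for f in findings:
        r = risk(f)
        b = band(r)
        age = (today - f.opened).days
        rows.append({"asset": f.asset, "finding_id": f.finding_id, "risk": r,
                     "band": b, "age_days": age, "owner": f.owner,
                     "escalate": age > SLA_DAYS[b]})
    return sorted(rows, key=lambda row: row["risk"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, AS_OF):
        flag = "ESCALATE" if row["escalate"] else ""
        print(f'{row["risk"]:5.2f} {row["band"]:8s} {row["asset"]:14s} '
              f'{row["finding_id"]} {row["age_days"]:4d}d owner={row["owner"]} {flag}')
```

Two things worth noticing in the output. The 9.8 on the register does not come out on top: its allow-listing and zone ACL are credited as compensating controls, so the partner-reachable portal with a public exploit and no controls beyond a WAF ranks first. And the 5.0 on the HVAC gateway, which nobody would chase by severity alone, is flagged for escalation because it has sat open past the 90-day window for its band. The escalation flag carries the owner's name because, as the paragraph above argues, the owner, not the security team, is who the reminder should go to.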

4. Multi-factor Authentication

It is painfully obvious now that single-factor authentication is not enough to protect our most sensitive data and systems. Strong multi-factor authentication should not only be used for remote access; it should be required on critical infrastructure and high-risk systems internally as well. While not perfect, it definitely raises the bar: a stolen password alone should not be enough to log in remotely through the VPN, authenticate as a Domain Administrator, or log on to a Domain Controller in a Windows environment, all of which are great examples of where multi-factor authentication would have helped Target. Let's learn and improve from this!

5. Penetration Testing

“Finally, attack your own network regularly to find holes in your security posture — preferably before the bad guys find and exploit the same flaws.”

I agree that organizations should routinely attack their own systems and engage trusted third parties to test the effectiveness of their controls, but only after they are confident they have defensible security in place. If a company knows it has thousands of unpatched high-severity vulnerabilities in its environment, it does not make sense to do a pen-test yet; it makes much more sense to focus time and resources on resolving those vulnerabilities first. There may be times when a pen-test has to be done to check a compliance box, but beyond that I feel it is best to start pen-testing after a good foundation of security controls has been established.

Since there are many different types of penetration tests and a wide variety of testing approaches, carefully plan out what will be most valuable to your organization. Penetration tests vary greatly in quality, so research potential vendors and the individual testers who will be assigned to your engagement. I have seen big-name companies and popular industry players deliver both great and terrible penetration tests. The quality comes from the individuals actually working the engagement, not the name of the company they work for.


What do you think are other key lessons we should learn from the 2013 Target breach? Please let me know in the comment section below.


Photo Attribution: Jay Reed