What We Can Learn from Target

We can (and should) all learn from the Target breach.
Pity the fool who laughs at the woes of another.
Article by Dave Kearns in Dark Reading; Reuters article by Jim Finkle and Susan Heavey.
Emphasis in red added by me.
Brian Wood, VP Marketing

Target Breach: Where The Weak Points Were

I’ve been fascinated by the information that keeps coming out about the December Target data breach. Recent revelations by some of the people who studied the actual malware code have labeled it as absolutely unsophisticated and uninteresting — almost amateurish. Others noted anti-malware software that easily could have stopped this attack before any damage was done.
Too bad Target didn’t have any. But it did! Six months before the attack, Target had installed and tested software from FireEye (which is also used by the CIA to protect its networks). Twenty-four-hour monitoring of the system was in place to raise an alert flag to the monitoring team who, in turn, would notify Target’s Security Operations Center (SOC) in Minnesota.
So what happened? The alarm was raised, the monitors notified the SOC, and the SOC … did nothing!
The FireEye software also has an option whereby malware can be automatically removed when detected. According to various news reports, Target’s security team turned off that option. Is it any wonder that Target’s CIO fell on her sword and resigned in the aftermath of this debacle?
For those of us not directly affected by the breach, the scenario as it played out is just one more bullet point illustrating what I’ve tried to inculcate in my audiences for more than a decade: The technology is easy — it’s the people who are hard.
Consider some of the major security breaches of the past, including Societe Generale, RSA, Nat Honan, and the many phishing and spear-phishing attacks that seem to be happening almost on a weekly basis. A common thread appears in almost all of them: Technology was either in place, or available, that could have thwarted the attack. In almost all these cases, human actions not only aided the attack, but were the prime factor in the attack’s success! I’m not speaking of deliberate acts to circumvent security (such as Jerome Kerviel’s actions in the Societe Generale), but of inadvertent and/or accidental actions that may or may not have violated policy, but, nevertheless, violated common sense.
At Target, according to spokesperson Molly Snyder, “a small amount of the activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up.”
The FireEye software raised an alert at its highest level multiple times over the course of a few days as the somewhat inept hackers kept modifying the payload they’d installed on Target’s systems, Bloomberg BusinessWeek reported. The technology got it right — the people ignored the warnings.
It should also be noted that the initial introduction of the malware to Target is being attributed to the use of credentials from a Target partner or vendor most likely obtained via a spear-phishing expedition.
It’s necessary to have the right security technology in place; there’s no question about that. But there really is no substitute for education — teaching your people how to recognize potentially hazardous communications or situations and how to handle them.
It’s going to take more than a memo and some “be aware” posters, though. What I’m talking about is a real education campaign with actual teaching, and perhaps some mentoring and periodic testing. The occasional “pop quiz” via a phishing-style email should be part of your proactive anti-malware campaign. Those who fail the quiz should be required to take refresher courses.
Technology can help, but only well trained, fully informed and security-aware employees can keep your organization safe.

Target says it declined to act on early alert of cyber breach

(Reuters) – Target Corp’s security software detected potentially malicious activity during last year’s massive data breach, but its staff decided not to take immediate action, the No. 3. U.S. retailer said on Thursday.
“With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different,” company spokeswoman Molly Snyder said in a statement.
The disclosure came after Bloomberg Businessweek reported on Thursday that Target’s security team in Bangalore had received alerts from a FireEye Inc security system on November 30 after the attack was launched and sent them to Target headquarters in Minneapolis.
The FireEye reports indicated malicious software had appeared in the system, according to a person whom Bloomberg Businessweek had consulted on Target’s investigation but was not authorized to speak publicly on the matter.
The alert from FireEye labeled the threat with the generic name “malware.binary,” according to Bloomberg Businessweek. Two security experts who advise organizations in responding to cyber attacks and both have experience using FireEye technology said that security personnel typically don’t get excited about such generic alerts because FireEye does not provide much information about those threats.
The experts said that they believed it was likely that Target’s security team received hundreds of such alerts on a daily basis, which would have made it tough to have singled out that threat as being particularly malicious.
“They are bombarded with alerts. They get so many that they just don’t respond to everything,” said Shane Shook, an executive with Cylance Inc. “It is completely understandable how this happened.”
John Strand, owner of Black Hills Information Security, said that it was easy to paint Target as being incompetent, given the severity of the breach, but that it was not fair to do so.
“Target is a huge organization. They probably get hundreds of these alerts a day,” he said. “We can always look for someone to blame. Sometimes it just doesn’t work that way.”
Target Chief Financial Officer John Mulligan told a congressional committee in February that the company only began investigating after on December 12, when the U.S. Justice Department warned the company about suspicious activity involving payment cards. Within three days, nearly all the malicious software had been removed from Target’s cash registers, he said.
“Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon,” Snyder said. “Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up.”
Target shares fell 2 percent to $59.86 in late afternoon trading on the New York Stock Exchange after the company released the statement.
Some 40 million payment card records were stolen from the retailer, along with 70 million other records with customer information such as addresses and telephone numbers.
Congress is investigating the breach along with lapses at other retailers, and credit card companies were pushing for better security.
Target also faces dozens of potential class-action lawsuits and action from banks that could seek reimbursement for millions of dollars in losses due to fraud and the cost of card replacements.
A spokesman for FireEye declined to comment. FireEye shares were up 1.8 percent at $79.05 on Nasdaq.
Representatives for the U.S. Secret Service and Verizon Communications Inc, which are investigating Target’s breach, declined to comment.
FireEye has a function that automatically deletes malicious software, but it had been turned off by Target’s security team before the hackers’ attack, the Bloomberg report said, citing two people who audited FireEye’s role after the breach.
Shook and Strand said that the vast majority of FireEye’s customers turn off that functionality because it is known for incorrectly flagging data as malware, which can halt email and Web traffic for business users.
“FireEye … is cutting edge,” Strand said. “But it takes love and care and feeding. You have to watch it and monitor it.”