Although the data breach at retailer Target took place several months ago, new information continues to surface, and the ripples for the IT industry will no doubt continue for a very long time. For instance, Bloomberg Businessweek reported that FireEye, the vendor of the malware-detection system Target had deployed, sent an initial alert about the intrusion to Target’s corporate security team on November 30, but for reasons still unknown, no action was taken.
The Target breach has been a high-profile news story that’s brought network security concerns to the attention of everyone. Whether your organization handles customer data such as credit cards, or has only limited external interactions, your network is likely to house some sensitive data, even if it’s only your employees’ personal information. As an IT professional, what lessons can you take from Target’s misfortune to harden your environment?
1. Anti-Malware Is Not Enough
Anti-virus and anti-malware measures are critical, but you have only to consider how these products work to see that they can’t protect your network from all malicious activity. Detection is driven by definitions of known malware and known malicious behavior, so these products are strongest against what has already been seen and catalogued, and weakest against what is new. Heuristic and behavioral engines narrow that gap, but attackers routinely test their payloads against current engines before using them.
Once a sample makes it into the definitions, the attackers can repack or modify it so that it no longer matches, and the filter that was looking for it lets the new variant straight through. You can think of it as the virus or Trojan putting on a big fake nose and false mustache: it might look funny, but it doesn’t trigger the malware alarm.
2. Effective Protection Comes from Broadly Auditing and Monitoring Your Systems
An effective security system should consist of multiple layers of protection. While you still need anti-malware and anti-virus protection, consistently and comprehensively monitoring your internal network is also important. Configuration and change auditing will show you if unauthorized modifications occur in your environment as soon as they happen. Even if the false mustache let something slip through your perimeter, these internal changes should still raise a flag.
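As an added illustration of configuration and change auditing (example code written for this post, not Netwrix Auditor or any other product’s code), the following Python script baselines a directory by hashing its files, compares a later snapshot against that baseline, and ranks the differences so that a dropped executable or an altered configuration file is reported ahead of routine churn. The file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions whose unexpected appearance on a POS host is treated as critical (assumed list)
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat"}
CONFIG_SUFFIXES = {".ini", ".cfg", ".conf", ".xml"}


def snapshot(root):
    """Return {relative path: SHA-256 hex digest} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before, after):
    """Classify the changes between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def prioritize(changes):
    """Rank changes so the alerts that matter most are not buried in the noise.

    New executables and altered configuration files outrank everything else;
    ordinary churn (logs, temp files) is still reported, but at low priority.
    """
    ranked = []
    for kind, paths in changes.items():
        for path in paths:
            suffix = Path(path).suffix.lower()
            if kind == "added" and suffix in EXECUTABLE_SUFFIXES:
                severity = "critical"
            elif kind == "modified" and suffix in CONFIG_SUFFIXES:
                severity = "high"
            elif kind == "removed":
                severity = "medium"
            else:
                severity = "info"
            ranked.append((severity, kind, path))
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    return sorted(ranked, key=lambda r: (order[r[0]], r[2]))


def demo():
    """Build a constructed POS directory, baseline it, simulate an intrusion, audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos.exe").write_bytes(b"constructed POS binary v1")
        (root / "pos.ini").write_text("gateway=pos-gw.corp.example\n")
        (root / "app.log").write_text("boot ok\n")
        baseline = snapshot(root)
        # Simulated compromise: a dropped binary, a repointed config, plus normal log churn.
        (root / "svchost32.exe").write_bytes(b"constructed dropped binary")
        (root / "pos.ini").write_text("gateway=10.0.5.77\n")
        (root / "app.log").write_text("boot ok\nsale ok\n")
        return prioritize(diff_snapshots(baseline, snapshot(root)))


if __name__ == "__main__":
    for severity, kind, path in demo():
        print(f"{severity:8} {kind:9} {path}")
```

Run on a real host, `snapshot()` would be taken at install time and stored off-box, and the comparison scheduled or triggered by file-system events; the ranking step is what keeps the one change that matters from arriving as just another line in a long daily report.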
The Target breach required pushing malware to the company’s POS stations at retail outlets and standing up a server on the internal network to gather the collected card data and transmit it out. That’s a lot of network activity: many POS hosts sending data to one newly active internal host, and that host talking to the outside. We now know that FireEye detected that something was wrong, but internal network auditing by Target should have confirmed the intrusion as well.
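The traffic pattern just described is visible in plain flow or firewall logs. The following detector is an added example written for this post over constructed flow records (not Target’s or FireEye’s code); the subnets, the server allowlist and the fan-in threshold are assumptions for the demo. It flags any internal host that starts receiving data from several POS stations without being on the allowlist, then checks whether that host is also sending data outside the network.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src,dst,dst_port,bytes); not real Target traffic
FLOWS = """\
10.10.1.11,10.10.0.5,443,1200
10.10.1.12,10.10.0.5,443,1100
10.10.1.11,10.10.0.9,445,48000
10.10.1.12,10.10.0.9,445,51000
10.10.1.13,10.10.0.9,445,47000
10.10.1.14,10.10.0.9,445,52000
10.10.2.21,10.10.0.9,445,49000
10.10.0.9,203.0.113.40,21,640000
"""

# Assumed network layout for the demo
POS_SUBNETS = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.2.0/24")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
KNOWN_SERVERS = {"10.10.0.5"}  # the gateway the POS terminals are supposed to talk to


def parse_flows(text):
    """Parse CSV flow lines into dicts; malformed lines are skipped rather than fatal."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split(",")
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        flows.append({"src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_pos(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in POS_SUBNETS)


def find_collectors(flows, min_sources=3):
    """Internal hosts, not on the allowlist, that receive traffic from >= min_sources POS hosts."""
    sources = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if is_pos(f["src"]) and ipaddress.ip_address(f["dst"]) in INTERNAL:
            sources[f["dst"]].add(f["src"])
            volume[f["dst"]] += f["bytes"]
    return {
        dst: {"pos_sources": len(srcs), "bytes": volume[dst]}
        for dst, srcs in sources.items()
        if dst not in KNOWN_SERVERS and len(srcs) >= min_sources
    }


def find_egress(flows, collectors):
    """Flows from a suspected collector to any address outside the internal range: the exfil leg."""
    return [
        f for f in flows
        if f["src"] in collectors and ipaddress.ip_address(f["dst"]) not in INTERNAL
    ]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    collectors = find_collectors(flows)
    for dst, info in collectors.items():
        print(f"ALERT: {dst} collecting from {info['pos_sources']} POS hosts ({info['bytes']} bytes)")
    for f in find_egress(flows, collectors):
        print(f"ALERT: {f['src']} -> {f['dst']}:{f['port']} ({f['bytes']} bytes) leaving the network")
```

The two checks reinforce each other: fan-in from the POS segment alone could be a legitimate new service, and outbound FTP alone could be a backup job, but a host that is new, collecting from many registers and pushing a large volume out is exactly the combination worth waking someone up for.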
3. Take All Alerts Seriously
Target is probably going to be skewered over this point. We don’t know why the company’s security and IT team didn’t react to the initial warning from FireEye on November 30, when they could have contained the threat before any data left the network. A Reuters article, quoting security experts familiar with FireEye, suggests Target might have “received hundreds of such alerts on a daily basis.” If that is true, the team may have been getting more alerts than it could handle, or so many non-critical ones that it stopped paying attention: classic alert fatigue.
However, this one was critical, and it slipped by. The lesson is to take all alerts seriously. If you’re getting too many alerts to handle, you need to fine-tune your monitoring solution so that it does a better job of filtering the data, whether you’re using proactive protection products such as FireEye or change and configuration auditing software such as Netwrix Auditor. Training is also key: All IT staff need to know the appropriate response to a security alert. Inaction is not an option.
4. Monitor Access & Employ “Least Privilege”
The hackers in the Target breach got in using the stolen credentials of a third-party vendor. Target did business with a contractor and had given that company access to its network; the attackers obtained the contractor’s credentials and used them to enter Target’s network “legitimately,” as far as any login check was concerned. That scenario raises many questions about access control on your own network.
There are going to be times when external entities need access to your network (as much as you might wish they didn’t). The safest way to allow such access is through the principle of least privilege: grant permissions to the fewest resources, functions, or network segments that someone needs to perform their duties, and nothing more. All the details in the Target case aren’t available, but it’s hard to imagine why an HVAC contractor’s account should have been able to upload executables and move data around the Target network. In addition to following least privilege, monitor activity for unusual behavior during legitimate access (odd hours, resources the vendor has never touched before), time-box the access so that it expires on its own, and revoke permissions as soon as they’re no longer needed.
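To make least privilege for a vendor account concrete, here is an added Python example written for this post (it is not Target’s access model; the account name, resource paths and activity records are all constructed). The grant names exactly the actions and resources the vendor needs and expires on its own; an audit pass over the account’s recorded activity flags anything outside that scope, anything after expiry, and permitted actions at unusual hours. In a real deployment `permits()` would be evaluated at the enforcement point (a VPN gateway, a vendor portal) and the audit would run over its logs.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch


class VendorGrant:
    """A time-boxed, least-privilege grant: explicit (action, resource pattern) pairs only."""

    def __init__(self, account, allowed, starts, duration):
        self.account = account
        self.allowed = set(allowed)          # {("read", "hvac-portal/telemetry/*"), ...}
        self.starts = starts
        self.expires = starts + duration     # access ends by default, not when someone remembers

    def permits(self, action, resource, when):
        if not (self.starts <= when < self.expires):
            return False
        return any(action == a and fnmatch(resource, pattern) for a, pattern in self.allowed)

    def revoke(self, when):
        """Cut access immediately when the engagement ends early."""
        self.expires = min(self.expires, when)


# Assumed grant for an HVAC contractor: telemetry reads and ticket writes, for 30 days.
HVAC_GRANT = VendorGrant(
    account="svc-hvac-vendor",
    allowed=[("read", "hvac-portal/telemetry/*"), ("write", "hvac-portal/tickets/*")],
    starts=datetime(2013, 11, 1),
    duration=timedelta(days=30),
)

# Constructed activity log: (timestamp, account, action, resource)
ACTIVITY = [
    (datetime(2013, 11, 5, 9, 0), "svc-hvac-vendor", "read", "hvac-portal/telemetry/store-114"),
    (datetime(2013, 11, 5, 9, 4), "svc-hvac-vendor", "write", "hvac-portal/tickets/8812"),
    (datetime(2013, 11, 15, 2, 12), "svc-hvac-vendor", "write", "pos-deploy/packages/svchost32.exe"),
    (datetime(2013, 11, 15, 2, 30), "svc-hvac-vendor", "read", "pos-net/store-114/cardholder.db"),
    (datetime(2013, 11, 20, 3, 15), "svc-hvac-vendor", "read", "hvac-portal/telemetry/store-114"),
    (datetime(2013, 12, 10, 11, 0), "svc-hvac-vendor", "read", "hvac-portal/telemetry/store-114"),
    (datetime(2013, 11, 6, 10, 0), "jdoe", "read", "hr/payroll/2013-11.xlsx"),
]


def audit(grant, activity):
    """Events by the grant's account that the grant does not permit, each with the reason."""
    findings = []
    for when, account, action, resource in activity:
        if account != grant.account or grant.permits(action, resource, when):
            continue
        reason = "out of scope" if grant.starts <= when < grant.expires else "expired"
        findings.append((when.isoformat(), action, resource, reason))
    return findings


def off_hours(grant, activity, start_hour=7, end_hour=19):
    """Permitted events outside the working window: legitimate access used at unusual times."""
    return [
        (when.isoformat(), action, resource)
        for when, account, action, resource in activity
        if account == grant.account
        and grant.permits(action, resource, when)
        and not (start_hour <= when.hour < end_hour)
    ]


if __name__ == "__main__":
    for finding in audit(HVAC_GRANT, ACTIVITY):
        print("ALERT:", *finding)
    for event in off_hours(HVAC_GRANT, ACTIVITY):
        print("REVIEW (off-hours):", *event)
```

The point of the explicit allowlist is that a write to a POS deployment share is not something the HVAC account has to be specifically denied; it is simply never granted, so it fails closed and shows up in the audit on its own. The expiry does the same job for the common failure of access that nobody gets around to removing.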
5. Take Ownership of Potential Problems
At this point, we don’t know why the Target security team didn’t act on the FireEye warnings of the initial breach. (In addition to the November 30 alert, FireEye sent another alert on December 2.) Whether the problem was that no one believed the alert was serious, or no one saw it because they were inundated with too many alerts to process, or something else entirely, clearly there was a problem in that team. With the investigation into the breach ongoing, we might eventually learn what happened. What we know is that no one stepped up to fix whatever problem or problems existed that prevented them from responding in a timely manner when the crisis first arose.
This situation highlights how important it is for each member of the team to take ownership of their environment. Whether you’re a manager, a mid-level IT pro, or the newest member of the team, you have a responsibility to raise concerns about potential problems, particularly when network security is at stake. Don’t assume someone else saw that alert or is dealing with a particular problem: Take ownership, and make sure the appropriate measures are employed. If it’s something outside your area, then make sure you get an appropriate hand off to someone who can and will take ownership from you. Again, inaction is not an option. Don’t hide behind your own false mustache and pretend it’s someone else’s problem.
Hackers aren’t going away, and data breaches will continue to be a major concern for both IT pros and consumers. Companies can learn from these stories, however, about effective auditing practices and corporate responsibility. Let’s hope they do!