Avoid Being a Target Like Target

Access Risk Management Blog | Courion

Chris SullivanTarget, the second largest retailer in the United States, recently revealed that it was the target of a data breach between Wednesday November 27 and Sunday December 15 which resulted in unauthorized access to data for 40 million credit and debit cards that included customer name, credit or debit card number, and the card’s expiration date and CVV. Click here to read the Target press release and customer notification and FAQ.

According to a December 19th story by the Wall Street Journal, “There are a variety of methods used to steal credit-card and debit-card numbers. In this case, malicious software, or malware, made its way onto Target's point-of-sale terminals—the red credit-card swiping machines in checkout aisles, according to people familiar with the breach investigation.”

On this note, a New York Times article stated, “Point-of-sale systems have become a major target for cybercriminals in recent years. To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems.Target website

While there is still work to be done by the third party forensics team hired by Target, we can assume that the data loss was preceded by a compromise of Target networks. There are predictable patterns for these types of breaches. The attacker most likely:

Gained access to the internal networks through spear phishing, compromised web sites, a wireless network, a stolen laptop, or zero-day vulnerabilities.  Even with traditional perimeter controls like firewalls and the modern APT appliances, this is shockingly easy to do.

Worked “low and slow” within the organization to escalate privileges and move laterally across the organization until desired information was discovered. Typically this involves elevating credentials for non-privileged users and using those to evade detection.

Information was quietly removed. This typically involves breaking the data into small chunks and encrypting it to avoid detection by DLP systems on removal.

This all takes time. At least 18 days passed from breach to discovery, though the breach may have begun much earlier, and it is speculated that a company insider may have been involved.

Courion may have helped detect or even prevent the breach. Courion reduces both the risk of breach and, as importantly, the time it takes you to detect and respond to a breach if your company is attacked. To decrease business losses, we recommend that you:

- Use traditional perimeter protections such as firewalls and Intrusion Protection Systems or IPS.

- Reduce your access exposure through Intelligent IAM capabilities

- Employ preventative controls:

- Enforce the principle of least privilege and use an access request solution such as Access Request Manager for approvals

- Require Strong passwords and force changes

- Use detective controls: if you are breached, to better understand the motive of the breach and what information was lost or is still being lost. Take what actions you can through:

- Periodic access reviews by business or data owner (is that one of ‘my’ users? Is that access correct and as expected?)

- Continuous monitoring, analysis and automated notification and remediation:

Identify users with excessive or unnecessary access (High Security Risk)

Identify unused entitlements (High Security Risk)

Identify abandoned accounts (High Security Risk)

Closely track privileged accounts (High Audit Risk)

Identify and manage orphaned or non-mapped accounts (High Risk)

- Define specific IT Segregation of Duties (SOD) rules and set up alerts when the defined access criteria are not met. (High Audit risk)

- Identify nested entitlements to accurately assess access risk

Courion can track privileged accounts if they are elevated by hackers through deeply nested entitlements. Access Insight, Courion’s IAI analytics solution, will discover nested entitlements in hours.

Courion can designate any entitlement as “privileged” and track it accordingly. In the Target case, administrative access to the PoS devices might have been crucial.

- Use forensics: Courion’s solution offers comprehensive and historic views of who has access, what they have access to, how they got that access and what they have accessed. A ‘bird’s eye view’ and “view over time’ can be crucial when unwinding a breach to its origins.

-Share information with others, so they share information with you. The hackers do, so shouldn’t you? For example, Courion works with the Advanced Cyber Security Center, which includes members such as they Federal Reserve Bank, State Street Bank, Biogen, Harvard, and MIT. To share threat intelligence and best practices to prevent, detect and remediate breaches.


Leave a Reply