In December 2013, Target, a large US retailer, was the victim of a severe data breach that left more than 110 million consumer credit card and personal data records exposed to hackers. The cost of the data breach is estimated to be over £150 million, with US financial organisations having to replace 21 million customer credit cards. This is one of the largest data breaches ever seen in the retail sector, but what is most concerning is that the breach could have easily been prevented had the retailer adhered to common security practices of network segmentation.
The attackers were able to gain privileged access to Target’s Point-of-Sale (POS) devices through a third party supplier that had access to Target’s network. The third-party company is a supplier of Heating, Ventilation, and Air Conditioning (HVAC) systems and services, and were given access to Target’s network to carry out tasks such as monitoring energy consumption and temperatures. The attackers obtained the HVAC company’s access credentials to gain access, then move undetected into Target’s network and accessed the company’s entire POS network.
The malware that was used to compromise the POS systems was not a cutting-edge Advanced Persistant Threat (APT), but rather a variation of a well-known piece of code that is easily available on-line for as little as £1,500. All of the details of the attack highlight the fact that despite the continued evolution of security products, many attacks will evade initial detection and prevention. The real issue is that further penetration was wholly preventable.
Preventing the spread of malware through segmentation
Clearly, the access that was granted to the third party supplier should not have been capable of being leveraged to access Target’s entire retail POS network. Many mature processes and practices exist for securing a third-party’s access to a retail network, which prevents them from gaining entry to systems they have no need to access. In fact, the Payment Card Industry Data Security Standard (PCI DSS) specifiesthat any business that stores or proceses payment card data must incorporate network segmentation. By segmenting a network, an organisation limits the opportunity for attackers to gain access to additional systems on the same network.
There is no reason that a malware threat that compromised one of Target’s POS systems, or even a small subset that were linked together for business purposes, should have resulted in a successful compromise of other POS devices and Target’s underlying core systems.
No matter how the campaign was launched, what is clear from this attack that Target’s security controls that should have prevented the malware from propagating across the POS network were not functioning effectively. Without question an organisation of this size would have many different types of network defences such as firewalls, Intrusion Detection Systems, Data Loss Prevention systems, all of which were unable to prevent the data breach from happening.
Security technology alone won’t save you
This should serve as a stark reminder to retailers that investing heavily in security technology does not necessarily mean an organisation will be secure. Security systems and devices are very complex, therefore ensuring that they are installed properly and that they are configured correctly is an important piece of the security puzzle.
Every security and IT risk management professional within the retail sector should be asking if their organisation is vulnerable to an attack similar to the Target data breach. It is important that they examine the effectiveness of their existing network security controls. Security teams should be conducting tactical attack analysis and penetration testing on every device and pathway across their networks, which can identify systems that are vulnerable to attack.