VentureBeat wrote an interesting item pointing out some of the obvious things that Target messed up. Fixing these items won’t stop every attack, but it certainly would slow the attackers down.
According to a lawsuit recently filed in federal court, Target dropped the ball on a few things. Of course, at this point, these are just claims, but they have been widely reported in the media and not disputed by Target corporate.
- Target did not take written warnings from Visa seriously.
- The attackers got in by compromising the credentials of a vendor. The thieves gained too much information from Google searches.
- The security problem grew due to weak security at that vendor. Target should have required better security procedures of their vendors.
- Target IT staff gave security warnings to their superiors, which were ignored.
- Target’s network was not properly segmented. As a result, access with the vendor’s credentials to the vendor billing application gave the hackers way too much access.
- Target did not use two-factor authentication, which did slow down the attackers at JP Morgan Chase, except that they found ONE server that did not have it installed.
- Target used FireEye security software, which alerted Target’s security team to the presence of malware, but the team took no action.
- Target failed to remove unused default accounts, which the attackers took advantage of.
- Target used Symantec Endpoint Protection, which also generated alerts that were not acted upon.
- Target did not block traffic to cyber thief havens like Russia, which allowed the hackers to use a command-and-control attack server in Eastern Europe. My guess is that Target has no stores in Russia and probably does not ship clothing there either. This one is hard with multinationals, but it can be done.
The article goes on to talk about Chase, Sony and basic human nature. It provides some interesting food for thought.
So, as I have said for years, you have to take care of the basics before you worry about rocket science.