KrebsOnSecurity has extensive reporting on an investigation that Verizon conducted for Target, starting a few days after the breach was announced.
Target has refused to confirm or deny the report.
One thing to consider: we do not know how Brian Krebs got the report, so all we can do is speculate.
This report, in my opinion, is a wonderful tool for the banks and consumers who are suing Target. It shows all the things that Target was not doing or was doing wrong. This report makes it so much easier to show Target was not treating cyber security consistent with even reasonable industry practices, never mind best industry practices.
What Target should have done is have their outside counsel manage the engagement of Verizon so that this report could have been shielded by attorney-client privilege.
It is certainly possible that they did that, but then, how did the report get out to a reporter? Part of engaging the attorneys to manage this is to control the distribution of the final work product.
Any way you look at it, in my opinion, letting this report out of their control is yet another FAIL! by Target.
While Target spokesperson Molly Snyder said that Target believes that sharing information will make everyone stronger – thereby basically validating that the report is real – it doesn’t make sense to release this kind of detail while there are so many lawsuits pending.
You can go to Brian’s web site (see link below) for the long gory details, but here is the short version:
- Once Verizon's penetration testers were inside Target's core network, there was nothing stopping them from communicating directly with the cash registers, violating every principle of network segmentation known to IT. The point-of-sale systems should never have been reachable from there.
- Target had guessable passwords on Microsoft SQL servers and weak passwords for system accounts.
- Target had a password policy, but it was not being followed. Verizon found clear-text password files for system accounts on several servers.
- Verizon was able to create domain administrator accounts and dump all of the domain's password hashes.
- Within one week, the consultants had cracked 472,000 (86%) of the hashes they dumped.
- Patches to systems and services were not applied consistently.
- Verizon said that Target, which was using Tenable's vulnerability scanner, had a comprehensive scanning program in place but was not acting on the vulnerabilities it discovered.
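Two of those findings, clear-text credential files sitting on servers and passwords that break the written policy, are things any shop can sweep for itself before a consultant does it for them. The script below is an added example written for this post; it is not code from Verizon, Target or KrebsOnSecurity. The credential patterns, the policy it enforces (12 or more characters, three of four character classes, not a dictionary word) and the sample files are all assumptions constructed for the demonstration.

```python
"""Audit helpers for two of the findings above: clear-text credential files
and passwords that violate a written policy.  Added example, not from the
Verizon report or KrebsOnSecurity; patterns, policy and sample data assumed.
"""
import re
import tempfile
from pathlib import Path

# Key names that commonly mark a stored credential in config or script files.
CREDENTIAL_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|sa_password|db_pass)\s*[:=]\s*['\"]?([^'\"\s;]+)"
)

# A handful of entries standing in for a real cracking wordlist (constructed).
WEAK_WORDS = {"password", "target", "welcome", "admin", "sa", "changeme", "sql"}


def find_cleartext_credentials(root):
    """Walk a tree and return (file, line_no, key, value) for every line that
    looks like a stored credential.  Values are returned so they can be graded;
    a real report would redact them."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for no, line in enumerate(text.splitlines(), 1):
            m = CREDENTIAL_RE.search(line)
            if m:
                hits.append((path.relative_to(root).as_posix(), no,
                             m.group(1).lower(), m.group(2)))
    return hits


def policy_violations(password, min_length=12, min_classes=3):
    """Return the policy rules a password breaks (empty list means compliant).
    The policy is an assumed one, not Target's: length, character classes,
    and a check against the wordlist after stripping trailing digits and '!'."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if password.lower().rstrip("0123456789!") in WEAK_WORDS:
        problems.append("dictionary word")
    return problems


def audit(root):
    """Every clear-text hit is a finding on its own; each recovered value is
    additionally graded against the policy."""
    return [
        {"file": path, "line": no, "key": key,
         "violations": policy_violations(value)}
        for path, no, key, value in find_cleartext_credentials(root)
    ]


def build_sample_tree():
    """Constructed sample files resembling what a tester might find on a
    server share.  Not real Target data."""
    root = Path(tempfile.mkdtemp())
    (root / "app").mkdir()
    (root / "app" / "db.config").write_text("server=sqlprod01\nuser=sa\npassword=sql\n")
    (root / "deploy.ps1").write_text('$cred = "svc_backup"\n$pwd = "Winter2013!"\n')
    (root / "notes.txt").write_text("Vault token rotated. Password: xK9#mv2!Lp4qZ7wQ\n")
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_tree()):
        print(finding)
```

Run against a real file share, the interesting output is not the compliant hits but the ones like the SQL `sa` entry: a clear-text file and a dictionary-word password in the same place, which is exactly the combination the consultants exploited.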
There is more in the report, but you get the idea.
If you are a security person, the report is a fascinating indictment of Target and a roadmap of what not to do.
If you are a CEO, the leak of a report like this falls into the worst nightmare category.
Information for this post came from KrebsOnSecurity.