BreachExchange mailing list archives

4 Lessons CIOs Can Learn From the Target Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 18 Mar 2014 19:24:34 -0600

http://www.networkworld.com/news/2014/031714-4-lessons-cios-can-learn-279785.html?source=nww_rss

We're all familiar with the Target payment card breach late last year. Up
to 110 million payment card numbers were stolen through a huge hole in the
company's network, right down to the security of the PIN pads. The breach
cost Target CIO Beth Jacobs her job; it was, and still is, a serious matter.

Target is obviously a public company, so this situation garnered a lot of
attention. As a CIO or member of the executive technical staff, though,
there are some observations about the situation that can apply to your
company.

Here are four key lessons from Target's very public example of a data
breach.

1. It's Vital to Know Which Alarms You Can Safely Ignore

In this connected age, security vulnerabilities are a dime a dozen.
Different software has different risk profiles, and some of the
vulnerabilities that affect certain organizations severely are already
safely mitigated in other organizations simply by the structure of how
components are set up. Performing a thorough threat analysis is crucial,
but knowing how to manage the onslaught of event logs, audit logs, vendor
vulnerability notifications and intrusion prevention messages is just as
critical.

One best practice: Develop a rubric by which a weight is assigned to alerts
about security vulnerabilities and attempted penetration. Depending on what
business you're in, you can score this either by system involved or by the
source of the alert. Some considerations might include the following:

- For a retail business, payment systems alerts should be given clear
priority. Typically, these payment systems are segregated from other
networks, but patching alerts from your vendors, security audit logs and
activity monitoring should be done on a high frequency, with particular
attention paid to anomalies that appear in these results. Internet-facing
businesses should always ensure that fraud prevention measures are in place
and ensure shopping cart and ecommerce software is patched and monitored.
- Alerts from your intrusion detection system or honeypots should also be
given a higher priority than other alerts. However, it may be necessary to
fine-tune thresholds. One-off attempts shouldn't raise alarms, but repeated
attempts that display similar characteristics should be evaluated for their
consistency and then bubbled up to the appropriate levels for technical
review and analysis.
- Other regular software vulnerabilities, like those in file servers and
desktop software, should be cataloged and analyzed but should fall below
other, riskier parts of your technology stack.

Create a judgment structure by which you can evaluate alerts and threat
messages so the signal-to-noise ratio is as high as it can be. This way, "red
alert" messages get the attention they deserve immediately, while "yellow
alert" type messages are analyzed at a less urgent pace.
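One way to turn the rubric above into something a SOC can actually run: weight each alert by the system it concerns and by the source that raised it, group repeated attempts that share an actor and a signature, de-prioritize one-off IDS or honeypot hits, and map the resulting score onto red/yellow/green bands. This is an added example, not code from the article or from Target; the weights, thresholds, band cut-offs and the sample alerts are all constructed assumptions that a team would tune to its own stack.

```python
"""Alert-triage rubric: weight by system and source, suppress one-off probes,
escalate repeated similar attempts. Added example; all numbers are assumed."""
from dataclasses import dataclass

# Assumed weights: payment systems outrank everything else for a retailer,
# file servers and desktops sit at the bottom of the stack.
SYSTEM_WEIGHT = {"payment": 50, "ecommerce": 40, "fileserver": 15, "desktop": 10}
# Assumed weights for the feed that raised the alert.
SOURCE_WEIGHT = {"honeypot": 30, "ids": 30, "vendor_patch": 20, "audit_log": 15}
REPEAT_THRESHOLD = 3   # similar IDS/honeypot hits needed before escalation
REPEAT_BONUS = 10      # added per similar hit at or beyond the threshold
RED, YELLOW = 70, 40   # severity bands (assumed cut-offs)


@dataclass(frozen=True)
class Alert:
    system: str     # part of the stack the alert concerns
    source: str     # sensor or feed that raised it
    actor: str      # who/what it concerns: source IP, account, vendor id
    signature: str  # what kind of event: IDS rule, advisory id, log pattern


def base_score(alert):
    """Rubric weight for a single alert; unknown systems/sources score low."""
    return SYSTEM_WEIGHT.get(alert.system, 5) + SOURCE_WEIGHT.get(alert.source, 5)


def band_for(score):
    """Map a score onto the red / yellow / green bands."""
    if score >= RED:
        return "red"
    if score >= YELLOW:
        return "yellow"
    return "green"


def triage(alerts):
    """Group alerts by (actor, signature) so repeated similar attempts are
    scored together. Returns {(actor, signature): (score, band, count)}."""
    groups = {}
    for a in alerts:
        groups.setdefault((a.actor, a.signature), []).append(a)

    result = {}
    for key, group in groups.items():
        first, count = group[0], len(group)
        score = base_score(first)
        if first.source in ("ids", "honeypot"):
            if count < REPEAT_THRESHOLD:
                # One-off probe: keep it logged but halve its weight so it
                # does not compete with real escalations.
                score //= 2
            else:
                # Repeated attempts with the same characteristics bubble up.
                score += REPEAT_BONUS * (count - REPEAT_THRESHOLD + 1)
        result[key] = (score, band_for(score), count)
    return result


def sample_alerts():
    """Constructed sample feed (not real data): a brute-force burst against a
    desktop, a single honeypot touch, a vendor advisory for the PIN pads and
    two after-hours logins seen in payment-system audit logs."""
    burst = [Alert("desktop", "ids", "203.0.113.7", "SSH-BRUTE") for _ in range(5)]
    return burst + [
        Alert("fileserver", "honeypot", "198.51.100.9", "SMB-SCAN"),
        Alert("payment", "vendor_patch", "pinpad-vendor", "VENDOR-ADVISORY-001"),
        Alert("payment", "audit_log", "svc-pos", "AFTER-HOURS-LOGIN"),
        Alert("payment", "audit_log", "svc-pos", "AFTER-HOURS-LOGIN"),
    ]


def triage_sample():
    return triage(sample_alerts())


if __name__ == "__main__":
    for key, (score, band, count) in sorted(
        triage_sample().items(), key=lambda kv: -kv[1][0]
    ):
        print(f"{band:6} score={score:3} x{count}  {key[0]} {key[1]}")
```

The grouping key is what makes the "repeated attempts with similar characteristics" rule work: five IDS hits from one address with one signature become a single red item, while a lone honeypot touch stays green but is still recorded. Which fields form the key, and how long a window the grouping spans, are the knobs to tune when the rubric produces too many yellows.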

2. Lobby for a CISO to Handle Significant Security, Liability Responsibilities

As the old saying goes, the buck must stop somewhere. As with most things
technology, the head of the information services organization is likely to
get the blame. But CIOs are burdened with more areas of responsibility than
ever before, from keeping the computers running to creating new
technology-driven lines of business that can actually represent a profit
center to liaising with marketing and the executive suite to unlock secrets
that lie within the massive amounts of data warehoused in the corporate IT
warehouse.

Yes, security is an important part of all this, but creating a security
regimen and implementing it through the organization is really best done by
a dedicated CISO - someone whose sole job is to monitor the security
posture of a business and then carefully and deliberately enhance it over
time. A CIO is simply too rushed and spread too thin to fully handle this
responsibility.

Target shows why. It took several weeks to get to the bottom of the extent
of the breach. (This is actually better than average; most serious data
breaches take months to spot.) According to multiple reports, it took days
to even discover the breach before the media caught on to it. As we all
saw, it seemed Target discovered more and more about exactly what data was
lost in the attack, judging from the trickled release of information to the
public and to the media.

You can imagine the frenzy within Target of getting to the bottom of what
happened, reacting to it, preventing the situation from deteriorating and
activating response plans. The buck stopped with Jacobs, and her response
was left somewhat wanting. It's a real possibility that she simply had too
much on her plate.

Additionally, hiring a specific security head shows the rest of the
organization that security is serious business. Having such a position
generally gives the CISO the autonomy required to put into place the right
remedial measures to enhance security. Having to work through a chain of
command not dedicated to security can delay or even jeopardize necessary
technical improvements due to a lack of clear communication or an inability
to convince others that some measures are necessary.

3. Incident Response Plans Key to Successful Recovery from Data Breaches

In the hours and initial couple of days after a breach has been discovered,
there is usually only one priority: Fix the breach, at all costs. Stop the
bleeding.

This is a fine approach for the technical team. However, others in your
organization need to at least be activated to begin planning a
communications approach that keeps all stakeholders informed. Witness the
somewhat haphazard way in which Target disclosed the breach. Were PINs
compromised, or just payment card numbers? Were PINs leaked? Were encrypted
PINs leaked? Was anything leaked? The story seemed to change as the
situation developed. That's a symptom of an incomplete crisis
communications plan.

I will note, however, that the PIN pads and (perhaps) other payment and
point-of-sale equipment at my local Target location were replaced within
days of the initial breach announcement. That's a sign of an excellent
technical response plan.

4. The Weakest Point in Your Security Is Something You Haven't Considered

The Target breach began with an HVAC contractor accessing a wireless
network on the vulnerable side of the Target corporate firewall. It all
began because something as innocuous as a thermostat wasn't functioning
correctly.

Hackers and crackers are sophisticated; at this level, they're playing a
long game to nail lucrative, high-value targets. They're looking where they
think you're not looking.

As a CIO, it's your job to direct your teams to batten down all hatches -
procedural, technical and otherwise. Provide the leadership and the ethos
to make this type of watchful, deliberate security a priority.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
