Last updated 3/31/2014 - Author: Felicia
Many valuable network security design improvements can be learned by understanding the Target Breach. In reality, those of us in the know already knew that these network security design elements need to be in place everywhere. But apparently the network engineers at Target need to kaizen their strategy. This article highlights some key elements of network security that should be in place on your network and what you might learn from the Target breach.
Initial publication: 1/28/2014
First, it should be noted that several other retailers were breached right around the same December 2013 - January 2014 time frame. If the hackers were going to get the biggest bang for their attack, Christmas season shopping would be the time to do it.
On 1/28/2014, Corey Nachreiner published an excellent post regarding what he believes you can learn from the Target breach. I highly recommend that you read his article.
I thought I would condense his article down to a few points that IT managers, network engineers, and everyone should be aware of. If your network does not make use of these standard design elements, then please revisit your security strategy and improve it.
Network security strategy improvements
- You must proxy FTP traffic and restrict egress FTP to your authorized partners based upon your security policy.
- You must have visibility into what is going on – Install WatchGuard Dimension.
- You must have highly advanced detection and prevention techniques implemented – see XTM (extensible threat management) technology
- You must have trusted network segmentation with security policies in between those segments.
The day of the old, big, flat trusted network has been LONG over. Anyone still using it should make the change as soon as possible.
- Eliminate the ability for web browsing or email access from POS systems except to specific pre-approved hosts necessary for remote support (such as TeamViewer, etc.).
- Use DLP technology at the network perimeter.
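As an added example (not code from the article or from any vendor it names), here is a small Python audit that reads flow records for a POS segment and reports every egress flow the segmentation policy does not pre-approve, including FTP to anything but the authorized partner. All addresses, ports and records are constructed.

```python
import ipaddress
from collections import namedtuple
# Constructed example values; the article names no addresses or ports.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# Pre-approved egress from the POS segment: (destination network, protocol, port).
ALLOWED = [
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443),   # payment processor
    (ipaddress.ip_network("198.51.100.0/24"), "tcp", 5938),  # remote-support vendor
    (ipaddress.ip_network("10.50.0.1/32"), "udp", 53),       # internal resolver
]
# The only partner allowed to receive FTP from the POS segment.
FTP_PARTNERS = [ipaddress.ip_network("192.0.2.0/24")]
Flow = namedtuple("Flow", "src dst proto dport")

def parse_flow(line):
    """Parse one constructed flow record: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))

def is_ftp(flow):
    return flow.proto == "tcp" and flow.dport == 21

def is_allowed(flow):
    """True if the flow is permitted by the POS egress policy."""
    if flow.src not in POS_SEGMENT or flow.dst in POS_SEGMENT:
        return True  # only traffic leaving the POS segment is judged here
    if is_ftp(flow):
        return any(flow.dst in net for net in FTP_PARTNERS)
    return any(flow.dst in net and flow.proto == proto and flow.dport == port
               for net, proto, port in ALLOWED)

def audit(lines):
    """Return (flow, reason) for every record that violates the policy."""
    violations = []
    for flow in map(parse_flow, lines):
        if not is_allowed(flow):
            reason = "ftp to unauthorized host" if is_ftp(flow) else "egress not pre-approved"
            violations.append((flow, reason))
    return violations

# Constructed flow records, as a perimeter firewall might export them.
SAMPLE_FLOWS = [
    "10.50.0.21 203.0.113.10 tcp 443",    # payment processor: allowed
    "10.50.0.21 10.50.0.1 udp 53",        # internal DNS: allowed
    "10.50.0.22 192.0.2.15 tcp 21",       # FTP to the authorized partner: allowed
    "10.50.0.22 203.0.113.77 tcp 21",     # FTP to an unknown host: violation
    "10.50.0.23 198.51.100.200 tcp 80",   # web browsing from a POS terminal: violation
    "10.50.0.23 10.20.0.5 tcp 445",       # POS reaching into the corporate segment: violation
    "10.20.0.5 203.0.113.77 tcp 21",      # not a POS source: out of scope
]
```

Running `audit(SAMPLE_FLOWS)` returns the three violating flows with their reasons; the same check can be pointed at real flow exports to confirm that the egress policy is actually enforced rather than merely written down.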
Other key takeaways
- Get rid of Java-based applications as much as possible.
They continue to be the biggest application breach source because Java app developers are constantly way behind in making their apps work with the latest Java patch. You then end up with old versions of Java on your systems that can't be patched without breaking the apps. Since unpatched Java is the #1 source of infection, this is a massive infection vector.
- Have an effective patch management strategy in place to roll out security updates within 48 hours of the patch release.
- Get off of old, dead operating systems like Windows XP.
- If you are a retailer, switch to EMV technology for your POS systems.
Dell's SecureWorks team and Krebs' update
Dell's SecureWorks team published an excellent analysis of the Target breach and practical things that network and systems engineers can do to prevent such attacks on their systems. Please read their report.
Brian Krebs also just published an article going into deeper detail on the Target breach. It contains some additional insights that the Dell report doesn't have.
The bottom line is that the breach was totally preventable. I have written many articles on this website that spell out in quite a bit of detail what is needed for network security and network design. Yet I continue to see organizations FAIL on even basic levels of security.
Realize that when you shop from the small, local vendor that handles credit card payments, the likelihood that they have adequate security for their PCI transactions is very small. The same applies at medical offices that are not hospitals. Really, any small to medium-sized vendor that takes credit cards has doubtful security practices. Despite having the money to put the correct security systems in place, 99.9% of the time, these smaller vendors do not put adequate security controls in place. So despite the fact that I believe in supporting your local businesses and that you will nearly always get better service and value from local businesses, the fact remains that I have yet to see any of them, except perhaps information technology security firms, take security adequately seriously.
The biggest problem is the point-of-sale application vendors themselves. They claim that their systems are PCI-compliant, but my first-hand experience working with the systems from various POS vendors tells a completely opposite story.
- I find passwords that lack adequate complexity being set up by the POS vendors.
They also post the passwords on pieces of paper that are taped to the monitors of the POS systems. The passwords are not required to change every 30-90 days. They also refuse to use Active Directory-integrated systems in many cases. I feel this is because they don't have an adequate understanding of systems security.
- I have yet to see a POS vendor that adequately understands network and systems security engineering practices. It seems that the POS companies hire application developers, not security engineers.
- Egress filtering is not enabled on the network.
- The POS applications are poorly written garbage based upon Java. This causes two problems.
1. Those systems will always run insecure, unpatched versions of Java.
2. Their crappy apps usually don't function with a proper advanced stateful host-based firewall enabled. If you turn on a real host-based firewall, their apps break. I spent 10 gathering detailed technical information for a well-known POS application vendor. Then I followed up my email to them with a phone call detailing the information. And one year later, they have STILL NOT FIXED ANYTHING security-related in their application.
This is the sad state of affairs you, the consumer, need to realize you are dealing with out there.
- I find no serious attitude about data loss prevention technologies.
- They have no patch management strategy in place.
- They believe that Microsoft Security Essentials freeware is an adequate host-based security client.
Not hardly. I have seen several machines that used that client and got breached by low-grade (easy to defeat) malware.
What really frustrates me is that despite informing business owners and POS application vendors about what needs to be done to correct the deficiencies, I rarely see any actions or improvements.
Target Breached Due to HVAC Contractor
2/6/2014
On 2/5/2014, it came to light that Target was breached due to credentials used by Target's HVAC contractor. This issue hits home for me, as I was recently having a heated discussion with an HVAC contractor that services a client. That contractor has repeatedly emailed passwords and credentials in plain text. Working with that HVAC contractor has been nothing short of a nightmare over the last two years.
The HVAC software is very poorly written and lacking in secure design. The HVAC contractor company lacks staff that have adequate training in systems administration, systems management, network architecture, or any level of security understanding. They are, in short, unqualified to be deploying, integrating, or managing these computerized systems. The big problem is that these HVAC companies neglect to hire even one competent systems and network engineer with adequate security knowledge to train the HVAC techs. Without at least one person internal to their company that has adequate training, no one is there at their company to train the HVAC techs, write standards, or to do the things that HVAC techs have no understanding of with regards to computers and technology.
Who loses in this transaction? The customers of the HVAC companies.
In all the cases I have seen, the HVAC contractor wants to bring into the customer network an ancient, unsecured piece of computer equipment. And then they want the facilities people to have full internet access on that device with administrator privileges. It's a recipe for having a horrifically compromised computer sitting on the inside of your network, able to sit there and hack away constantly at whatever it can get to. They even threaten that if you put antivirus or firewall software on their "appliance" it will break their software. Of course, this is completely false. Anyone who cares to figure out what ports the software needs to communicate on in order to function can quite easily figure out how host-based security software can be installed while still allowing the software to work.
Clearly, isolation is required. In my experience, HVAC contractors don't want to work within the realm of network isolation security strategies. They want to just plug into your network and have unfettered access. This is not what I would characterize as having any understanding of the security implications of systems or network design. I have heard them threaten many times that if you don't set up their software exactly as they have specified, with the unfettered network access, then they won't support you, and if it doesn't work, it's all your fault. Why is this attitude tolerated in today's age?
So let's get back to the Target case.
You need to be aware of the security at your vendor's locations. If you give them remote access to systems in any way, and due to the insecurity of their systems their credentials are compromised, then your network has just been compromised. This is one of the reasons why I am not a fan of doing business with people that don't take security seriously, which seems to be just about every convenience-focused person out there.
They seem to think that their two-second convenience is more important than having adequate security controls and practices in place to prevent breaches that cost upwards of $240 million, in Target's case.
Contracts with your vendors should specify what level of security measures they must have in place, to ensure not only that their own systems don't get compromised, but also that wherever they store the information about how to access your systems is not compromised.
I was highly pleased to hear that CliftonLarsonAllen is now using full two-factor authentication. I won't tell you what method they use out of respect for their security practices, but I do give them big kudos for implementing the security necessary to protect their systems, and thereby their clients' information.
Two Breakfast Bytes podcasts on the Target breach are available here.
3/13/2014 - Bloomberg exposes how Target breach alarms were missed and other failures
Bloomberg journalists published an interesting piece regarding how Target had a malware detection system called FireEye that was monitored 24/7. Additionally, FireEye generated alarms regarding the presence of problems, but staff at Target HQ failed to take action.
Below are some excerpts from the article. Download a highlighted version of the article here.
Target's CEO stated that they are accelerating their transition to the more secure chip-enabled card system.
The authors state, "A three-year study by Verizon Enterprise Solutions (VZ) found that companies discover breaches through their own monitoring in only 31 percent of cases. For retailers, it’s 5 percent."
Analysts currently estimate that the breach could cost Target billions.
And here's the part that will just make your head pop off. "The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off."
"Even the company’s antivirus system, Symantec Endpoint Protection (SYMC), identified suspicious behavior over several days around Thanksgiving—pointing to the same server identified by the FireEye alerts."
"If Target had had a firm grasp on its network security environment," he adds, "they absolutely would have observed this behavior occurring on its network."
"If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path. The malware had user names and passwords for the thieves’ staging servers embedded in the code, according to Jaime Blasco, a researcher for the security firm AlienVault Labs. Target security could have signed in to the servers themselves—located in Ashburn, Va., Provo, Utah, and Los Angeles—and seen the stolen data sitting there waiting for the hackers’ daily pickup. But by the time company investigators figured that out, the data were long gone."
3/31/2014 - Banks Sue Trustwave as Target Losses Continue to Increase
Reuters has reported that several banks are suing Trustwave because Trustwave certified Target as PCI compliant.
Here is the full article: Banks Sue Trustwave
There are two main points to note regarding this latest development.
First, whatever you think it will cost you to implement security is nothing compared to the cost of a breach.
Second, there is a chasm the size of the Grand Canyon that marks the difference between "compliance" and "security". Frankly, I think that PCI compliance is a joke. It's not consistent with security standards and best practices. Trustwave doesn't really audit the vast majority of POS users. The POS users are required to self-report and self-evaluate to Trustwave. Further, Trustwave does not perform any active audits of internal controls at the vast majority of POS users.
I have been through several of these Trustwave self-reporter surveys with clients. If the defects in this process are to be corrected, then PCI standards must be brought more into alignment with SANS CSC, and auditors like Trustwave must actually audit internal controls. While this will undoubtedly increase costs for businesses, what I personally witness is that many business owners will not take the necessary actions to implement proper levels of security without external pressure. The same thing holds for POS system vendors. PCI standards must be improved, and POS system vendors must actually be held accountable.
There is a gigantic problem in the industry where POS vendors say that their systems are PCI compliant, but they really aren't. Then businesses buy their systems and become unknowing participants in the fraud.