Security Technology Executive

FEB-MAR 2014

Issue link: https://securitytechnologyexecutive.epubxp.com/i/282968

GET WITH IT
By Kevin Beaver, CISSP

The Target Breach – Can It Be Prevented?

Understanding your risk and having a contingency plan to deal with an incident are crucial steps

You've no doubt heard about last year's Target data breach that exposed millions of credit card numbers and personal records of the retailer's customers. It's perhaps the security incident of the decade – at least until the next big one occurs. The Target breach has not only impacted many of us personally, it has also created enormous – and much-needed – visibility for information security among business executives. I can imagine just a few days before the incident was detected, Target Chairman and CEO Gregg Steinhafel had no idea of the firestorm he was about to face. But it happened and now it's on practically every CEO's radar.

Here's a high-level recap of the Target breach based on what's currently known:

• It started with a phishing attack against Fazio Mechanical Services, Target's refrigeration contractor – that was apparently using the free Malwarebytes Anti-Malware software that failed to protect it against the ensuing malware.
• Login credentials issued by Target to Fazio Mechanical Services were obtained by the criminal hackers, which provided subsequent network access (via a Web portal) into the Target environment.
• Point-of-sale (POS) malware – presumably the BlackPOS available for purchase online – was uploaded to POS systems at Target stores and used to scrape credit card information and related information directly from the memory of the POS computers in the time right after a payment card is swiped.

Generally speaking, it was a textbook security breach with the small twists of compromising a business associate first and then using memory scraping malware to capture sensitive information where it only exists for a relatively short period of time. Fazio Mechanical Services' statement on the Target breach says "Our IT system and security measures are in full compliance with industry practices". Good to know. Wait, what does that mean? Nothing really.
In fact, we hear this in the context of PCI DSS quite a bit: everyone is "compliant" until the point of breach. Target was compliant. Fazio was compliant. Everyone's compliant until they learn they're not. In other words, all's well in IT until something bad happens. But why?

This is a double-edged sword. IT and/or the security team at any given retailer is responsible for the day-to-day protection of sensitive information. They're also responsible for properly communicating the organization's security status to management. The executives, in turn, are responsible for translating what they hear and making informed decisions on business risk. Based on what we're seeing with the Target breach and others, this rarely happens. If this communication/decision-making process were truly effective like so many other aspects of business (i.e. finance and legal), then better decisions would be made and security incidents like this would occur less often.

A recent survey by AccessData and the Ponemon Institute found that 36 percent of IT security pros would tell the CEO and board of directors that a cyberattack had been resolved even if they didn't know that it had been. I understand the concept of "CYA" but talk about a conflict of interests! It's as if everyone is doing whatever is best for them and not the business.

Knowing that mega corporations like Target can be hit this hard, it's a great time to take a clean slate approach to information security. Understanding the Target facts, what would you do more of? Less of? Unless you want to eventually fall victim yourself, here are three critical steps you need to take starting today to not just have a "compliant" network but a resilient network that can weather such storms:

Determine who's in charge of security and make sure they're actually in charge. This may be several people, including your CEO, CIO, CISO, IT director, security manager, legal counsel, compliance officer, and HR director. The concept of bystander apathy – where everyone assumes the other guy is going to do something – is rampant in business today. Many people are afraid to take responsibility for information security because their heads are on the chopping block. Look for people who are willing to step up, give them the resources they need, and let them do what they're good at – which should be communicating what's at stake in

(continued on page 50)
