During Build IT Together in May of 2015, Chris Czub gave a keynote on information security. In this final installment of a 3-part series, here’s a recap based on Chris’ presentation, calling out the 5 lessons to be learned from Target’s massive 2013 data breach.
Target’s breach in 2013 was huge in the media, and it’s notable and applicable because 95% of security incidents involve credential theft, AKA stolen personal login info. The root cause for Target was the theft of credentials belonging to HVAC vendor representatives with access to Target’s vendor management system. From there, Target ultimately lost 70 million customer records and 40 million credit card numbers. The breach cost Target over $1 billion in damages and restitution. Here are 5 lessons that Target’s breach last year taught us:
Risk assessment FTW
You need to understand what’s going on in your organization, and you need to analyze it and own it. Third party access really needs to be controlled and understood, which is all the more reason to have a clearly worded information security policy in place.
Fully segregated networks
Network segregation can be hard, and the same goes for access control. There is evidence that Target went to some lengths to segregate its networks, using firewalls and access controls, but those controls were still bypassed by proxying through other hosts. Fully segregated networks with strongly defined access control barriers are ideal. “One Active Directory to rule them all” introduces risk.
Monitoring is crucial
Target could have recognized its attackers at several points during their setup and reconnaissance if monitoring had alerted them. With monitoring in place at any of these steps along the way, Target’s scenario could have been stopped long before it became a serious issue. Your monitoring strategy should basically be this: “if you see something, say something.” Report it to the security team according to your security policy.
Don’t confuse compliance with security
Security standards like PCI-DSS and HIPAA make decent security recommendations, such as two-factor authentication, but they don’t require other strong defenses like network segregation. Don’t become complacent just because you know you’ve met the baseline requirements of a standard.
Human error is the biggest threat you face
Even though Target was attacked with advanced malware, the attackers didn’t use a hidden, sophisticated point of entry—human error was responsible for “leaving the door open,” so to speak. Human error accounts for a lot: 64% of healthcare record leaks in 2014 were attributed to employee endpoint compromise.
How does your organization handle these 5 fundamentals? You can find the rest of Chris’ slides from the event here. Check out the next recap to see one simple step your organization can take towards becoming more secure.