Early this morning, Target Corp. announced that payment card (PCI) data for more than 40 million customers had been stolen from its retail network: Target & Secret Service Investigating Credit/Debit Card Breach. It appears that the majority of this information was taken from the point-of-sale (POS) machines themselves, which were infected by malware that intercepted card data as it was read during the magstripe swipe. Details are still coming together around the incident, and the US Secret Service is leading the investigation, according to sources.
While the media coverage over the coming weeks will likely focus on the malware itself, there are three important lessons here that any security professional responsible for handling sensitive information should be aware of and implementing today, especially if that information resides in (or might reside in!) publicly accessible systems:
Lesson 1: You cannot rely on system vendors for the security of your data.
Organizations need to raise the bar when planning for and securing the systems responsible for handling regulated or high-value data, such as PCI, PHI, and PII. Due diligence for any system vendor responsible for implementing a system that touches this kind of information is required — in this case, the POS machine and software companies — but ultimately the responsibility for organizational data lies with the organization itself.
In other words, the organization that gets hacked is usually the one that left an easy access route open. In Target's case, this appears to have been poor monitoring of what was running on and touching their POS software; we've seen similar breaches where the weak point was elsewhere in the stack (in TJX's loss of card data, the entry point was a weakly secured store wireless network, and stored card data was not adequately protected).
Looking towards the future, as companies move their data into the cloud, the risk vector that most often receives little attention from internal security is data and account security for the platforms in use (e.g., Google Apps, Salesforce, Box, and so on). There is a misconception that because the systems themselves are managed by the cloud vendor, security is a given; in the same way that Target should have been watching who had access to their POS terminals and what third-party software was installed on them, organizations need to implement monitoring and control systems in their cloud environments.
Know where your high-value data lives, and employ a defense-in-depth strategy whereby all access routes to that data are monitored automatically, ensuring that accidental or intentional exposure can be quickly detected and remediated.
Lesson 2: Security means balancing convenience and control.
Target’s POS machines were most likely designed to be fast, convenient, and easy for store employees and customers to use and maintain. However, they were responsible for moving and managing a tremendous amount of high-value information, and it is clear that the security and monitoring systems in place were inadequately designed and managed.
Often, the same mentality that allowed this incident to occur is reflected across many systems. While many data breaches are accidental, they commonly stem from a failure to separate non-sensitive information from sensitive data. A data classification system should be in place that can automatically distinguish between the two, and governance and policy enforcement mechanisms should ensure there is no accidental cross-pollination between the relatively accessible non-sensitive data storage systems and the high-security PCI/PII storage systems (likely on-premise encrypted data storage environments that comply with PCI DSS 3.0 or similar standards).
In the cloud, this means having a deep, context-aware security solution that can find and apply intelligent tagging to sensitive or regulated assets, and then building policy and governance models that secure that information without becoming burdensome for that system's users. In the same way that Target could have still allowed people to use their cards while limiting what could run on or touch the POS terminals, organizations can secure their critically sensitive information without impeding the business or its users.
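As an added example of the automatic classification described above (this is illustrative code written for this page, not code from the original post or from any CloudLock product), the block below tags records that contain card numbers so they can be routed to the PCI zone instead of the general store. It assumes a primary account number (PAN) is a run of 13 to 19 digits, optionally separated by spaces or dashes, that passes the Luhn mod-10 check, and it masks matches to the first six and last four digits before they are logged.

```python
"""Classify records as PCI-sensitive or not before they reach a low-security
store. Illustrative code for this page, not CloudLock's or Target's.
Assumption: a PAN is a 13-19 digit run (spaces/dashes allowed) that passes
Luhn; anything else is treated as non-sensitive."""
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash,
# not adjacent to other digits (avoids matching the middle of a longer number).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digits-only PANs found in free text (Luhn-filtered)."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(record: dict) -> dict:
    """Tag a record; records holding a PAN are routed to the PCI zone.

    The zone names are placeholders for wherever the organization keeps
    its cardholder data environment (CDE) and its general-purpose store.
    """
    pans: list[str] = []
    for value in record.values():
        if isinstance(value, str):
            pans.extend(find_pans(value))
    if pans:
        return {"tag": "pci", "zone": "pci-cde", "pans": [mask_pan(p) for p in pans]}
    return {"tag": "public", "zone": "general", "pans": []}


if __name__ == "__main__":
    # Constructed sample records (not real customer data).
    for rec in (
        {"note": "refund to 5500-0000-0000-0004", "sku": "A1"},
        {"note": "order ORD-1234567890123 shipped"},
    ):
        print(classify(rec))
```

The Luhn check is what keeps order numbers, tracking IDs and phone numbers from being mis-tagged as card data; a production classifier would add BIN-range checks and scan binary formats as well, but the routing decision stays the same.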
Lesson 3: Employ a behavioral awareness tool, and track who is touching your data, what they touch, and when.
As evidenced by the Target breach, malware is one of the most insidious data protection-related risks, and it will continue to grow in sophistication and pervasiveness. Organizations that handle high-value data need to be monitoring what applications are running on their public-facing systems (increasingly, public cloud systems) and also correlating that information with the kind of "real world" behavior and access statistics that can highlight suspicious activity.
Consider the non-retail equivalent of what just happened to Target: an employee's mobile device is compromised, keylogging software is installed, and their credentials are shipped off to hackers (often in the former Soviet bloc), where a criminal either sells or uses them to gain access to supposedly secured systems. A system that provides geographic awareness (e.g., CloudLock's free GeoFence tool) can quickly highlight this access along geographic and temporal axes, helping the organization see that someone was using those credentials from an unusual place at an unusual time, and respond in real time, mitigating the potential damage from the malicious access.
In other words, effective security requires a defense-in-depth approach, and there are no magic bullets. As companies place an increasingly large amount of information into cloud and mobile-accessible environments, susceptibility to malware, accidental data exposure, and compromised credentials will present new challenges that mandate good governance and a deep understanding of how and where to focus IT attention.
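To make the geographic and temporal check concrete, here is an added example run over a few constructed login events. It is illustrative code for this page, not CloudLock's GeoFence tool or anything from the original post. It assumes each login event already carries the coordinates its source IP geolocates to (the IP-to-location lookup is out of scope), that anything faster than roughly airline speed between two logins means the credentials are in more than one place, and that a fixed UTC window stands in for the organization's business hours.

```python
"""Flag credential use from an unusual place or at an unusual time.
Illustrative code for this page, not CloudLock's GeoFence.
Assumptions: events carry UTC timestamps and IP-derived lat/lon;
speed threshold and business-hours window are placeholders."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0            # assumed: roughly airliner speed
BUSINESS_HOURS_UTC = range(12, 23)   # assumed: ~08:00-18:00 US Eastern, in UTC
MIN_MOVE_KM = 50.0                   # ignore geolocation jitter within a metro area

# Constructed sample events (not real logs): user, UTC time, lat, lon, label.
SAMPLE_EVENTS = [
    ("jdoe", "2013-12-18T14:05:00Z", 42.36, -71.06, "Boston"),
    ("jdoe", "2013-12-18T15:20:00Z", 42.36, -71.06, "Boston"),
    ("jdoe", "2013-12-18T16:02:00Z", 50.45, 30.52, "Kyiv"),
    ("asmith", "2013-12-18T03:30:00Z", 40.71, -74.01, "New York"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_utc(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_anomalies(events):
    """Return (user, reason, detail) tuples for off-hours logins and for
    consecutive logins by one user that would require impossible travel."""
    alerts = []
    last_seen = {}  # user -> (time, lat, lon, label)
    for user, ts, lat, lon, label in sorted(events, key=lambda e: e[1]):
        t = parse_utc(ts)
        if t.hour not in BUSINESS_HOURS_UTC:
            alerts.append((user, "off_hours", f"{label} at {t:%H:%M} UTC"))
        prev = last_seen.get(user)
        if prev is not None:
            pt, plat, plon, plabel = prev
            hours = (t - pt).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0:
                speed = dist / hours
            else:  # same timestamp from two distant places is still impossible
                speed = float("inf") if dist > MIN_MOVE_KM else 0.0
            if dist > MIN_MOVE_KM and speed > MAX_PLAUSIBLE_KMH:
                alerts.append((user, "impossible_travel",
                               f"{plabel} -> {label}: {dist:.0f} km in {hours:.1f} h"))
        last_seen[user] = (t, lat, lon, label)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(alert)
```

In the sample, jdoe's Boston session is followed within the hour by a login from Kyiv, which no legitimate traveller could manage, and asmith's 03:30 UTC login falls outside the assumed working window; both are exactly the signals the paragraph above says a geographic and temporal view should surface. In practice the alerts feed a response action (step-up authentication, session revocation) rather than just a report.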
If your organization either has or is in the process of moving data into public cloud systems, CloudLock can help you ensure regulatory, operational, and security compliance, and put these lessons into practice. Drop us a line at firstname.lastname@example.org!