2013 was not a good year in terms of cyber security. Despite companies spending an increasingly significant percent of revenue on security technology – systems designed to thwart, detect and prevent hackers from gaining access to their networks and sensitive data – attacks continue to succeed.
Recently, the trend has shifted to attacking point of sale (POS) systems. While Target is the largest example, similar attacks have occurred in industries ranging from department stores to hospitals to hotel chains, basically anywhere large-scale financial transactions take place. The focus on POS systems doesn’t come as a surprise. Cybercriminals have always been after money. What is surprising, however, is how long it takes the victims to realize they’ve been compromised – and that’s what I’ll discuss in this blog.
I’ve chosen to use Target as an example for two reasons. First, the size and sophistication of the compromise are interesting and ideal for analysis. Second, the way Target came to realize that an attack had occurred is typical of many similar attacks.
So let’s start by reviewing a few facts we now know about the Target breach. While the attack began collecting credit card transaction data on November 27th, precisely timed with Black Friday to capture as much data as possible, it wasn’t discovered until December 15th – and it wasn’t Target who made the discovery, rather US law enforcement connected the dots and Target was informed. This is very concerning and, unfortunately, is very much the norm for most compromises. The 2013 Verizon Risk report found that in 62% of breaches, the attack went unnoticed for months or years!
Looking again at Target, we know when the collection of data began, but the initial compromise of their network happened nearly two weeks prior, on November 15th. Apparently, an employee of an HVAC service company fell for a phishing attack which ultimately infected his computer with a password-stealing trojan. Target used this company to assess its power and AC consumption and had provided a few of its employees with credentials to access Target’s network. Once the employee with the infected PC connected to Target’s network, his credentials were stolen and later used in the attack. The big lesson here is that you are only as secure as those you trust with access to your network. In this case, a few clicks by an unsuspecting HVAC employee led to one of the largest credit card data breaches on record.
So how could all this have happened, especially to the #2 US retailer? Why was Target unable to detect the initial compromise of their network, and then unable to identify the attack once it was underway?
To answer these questions, we first need to understand the Data Security Standard (DSS) published by the Payment Card Industry (PCI) Security Standards Council, more commonly known as PCI DSS 3.0. This standard, against which Target was certified as compliant (though details of the attack show it was clearly not followed), details 12 specific requirements to protect cardholder data, build and maintain secure networks and systems, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The document is very comprehensive, and PCI DSS 3.0 does a good job of providing a framework to protect against compromise – but compromises still occur.
Some might say that PCI DSS 3.0 is to blame, and that its recommendations are not sufficient to defend against today’s sophisticated attacks – and they might be right – but I think the problem goes beyond that. While I cannot say which specific vendor security solutions were in use at Target, I know some were in place because PCI DSS 3.0 compliance requires them. PCI DSS 3.0 does not tell you which vendors to use, just that you must use software to protect systems from malware, or similarly, a firewall to protect your network. Herein lies the real issue – not all vendor security solutions provide the same capability or level of functionality. Considering that most attacks go unnoticed for months if not longer, the focus should be on technology and processes designed to frequently confirm the integrity of all involved systems. This is actually spelled out in PCI DSS 3.0 under requirements 10 and 11, but the trouble is that the burden of awareness falls back on the security solution in place. And unfortunately, many endpoint solutions today are not capable of reacting to a missed infection.
So back to my original questions – how could this have happened and why did it take so long to detect?
The answer is twofold. First, Target failed to strictly follow PCI DSS 3.0 standards, especially with respect to tracking and monitoring all access to network resources and systems – and they are not alone. This is one of the more challenging requirements to follow, especially for larger retailers with hundreds if not thousands of locations. But the blame isn’t solely on PCI DSS 3.0 or on retailers who attempt to apply its standards. The second factor is the underlying technology which retailers trust and rely upon. This is a more complex issue. Retailers lack information about the metrics which matter in defending against complex and targeted attacks. Upfront detection rates are meaningless, as the malware for these attacks is always custom built and specific to the targeted environment. With this fact in mind, what becomes much more important is understanding a solution’s ability to react to a missed threat – to understand the reaction time from first observation to identification and notification.
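To make the two points above concrete (tracking all access by third-party accounts, and measuring the time from first observation to identification), here is an added example that is not part of the original post and not Webroot code. It parses a constructed access log, flags a third-party account reaching network segments outside its allow-list or connecting from a host it has never used before, and reports how long such activity went on before an analyst acted. The log format, account name, segment labels and allow-list policy are all assumptions made for illustration.

```python
"""
Third-party access monitoring and time-to-detect measurement.

Added example, not from the original post or any vendor product. The log
format (timestamp account source-host destination-segment), the account
"hvac-vendor1", the segment names and the allow-list are constructed
assumptions used only to illustrate the technique.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample log: a vendor account that normally reaches only the
# vendor portal starts touching POS and cardholder-data segments from a new host.
SAMPLE_LOG = """\
2013-11-15T09:12:03 hvac-vendor1 vpn-gw vendor-portal
2013-11-15T09:40:51 hvac-vendor1 vpn-gw vendor-portal
2013-11-15T23:05:17 hvac-vendor1 vpn-gw vendor-portal
2013-11-16T02:14:09 hvac-vendor1 jumphost-07 pos-segment
2013-11-17T03:30:44 hvac-vendor1 jumphost-07 cde-fileshare
2013-11-27T04:01:10 hvac-vendor1 jumphost-07 pos-segment
"""

# Assumed policy: which segments each third-party account may legitimately reach.
THIRD_PARTY_ALLOWED: Dict[str, Set[str]] = {
    "hvac-vendor1": {"vendor-portal"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    account: str
    source: str
    segment: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed whitespace-separated log into events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, segment = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), account, source, segment))
    return sorted(events, key=lambda e: e.ts)


def find_policy_violations(events: List[AccessEvent],
                           allowed: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Third-party accounts reaching a segment outside their allow-list."""
    return [e for e in events
            if e.account in allowed and e.segment not in allowed[e.account]]


def find_new_source_hosts(events: List[AccessEvent]) -> List[AccessEvent]:
    """Events where an account appears from a host it has never used before.

    The first host seen for each account is treated as its baseline; every
    later first-seen host is reported once. A credential used from an
    unfamiliar host is a cheap, high-signal indicator worth reviewing.
    """
    seen: Dict[str, Set[str]] = {}
    flagged = []
    for e in events:
        hosts = seen.setdefault(e.account, set())
        if hosts and e.source not in hosts:
            flagged.append(e)
        hosts.add(e.source)
    return flagged


def time_to_detect(violations: List[AccessEvent],
                   detected_at: datetime) -> Optional[timedelta]:
    """Dwell time from the first policy violation to when someone acted on it."""
    if not violations:
        return None
    return detected_at - min(v.ts for v in violations)


def summarize(events: List[AccessEvent], allowed: Dict[str, Set[str]],
              detected_at: datetime) -> dict:
    """Compact report: how much went wrong, where, and for how long."""
    violations = find_policy_violations(events, allowed)
    dwell = time_to_detect(violations, detected_at)
    return {
        "violations": len(violations),
        "segments": sorted({v.segment for v in violations}),
        "new_hosts": sorted({e.source for e in find_new_source_hosts(events)}),
        "dwell_days": dwell.days if dwell is not None else None,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    # Constructed: an analyst acts on December 15th, the discovery date in the post.
    print(summarize(evs, THIRD_PARTY_ALLOWED, datetime(2013, 12, 15)))
```

Run against the constructed log, the report shows three allow-list violations across two sensitive segments, one never-before-seen host, and roughly four weeks of dwell time. Had the same allow-list check raised an alert inline, `detected_at` would have been the timestamp of the first violation and the dwell time would have been close to zero, which is exactly the reaction-time metric the post argues retailers should be asking their vendors about.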
The attack on Target, and analysis of hundreds of other compromises, exposes a real weakness in awareness. Companies spend millions on security technology, trusting their investment will prevent a compromise, but the majority of today’s solutions are unable to provide what is needed – the ability to react to something new, something never encountered before.
Webroot is a pioneer in this space, and the SecureAnywhere line of products was designed around improving awareness and being able to rapidly identify and instantly protect against emerging and targeted threats. This is accomplished within the Webroot Intelligence Network by focusing on what our users encounter. This approach ensures we have the necessary visibility to identify even the most targeted of attacks, and it applies to our endpoint, mobile and Web solutions. For more information, feel free to shoot me an email at gmilbourne@webroot.com or visit our website at http://www.webroot.com/.