Target Hacked – 40 Million Credit Cards Compromised
Hacking the point of sale systems of a major retail chain is a major coup. Successfully targeting the second largest retailer in the US during the most furious shopping days of the year, that’s like hitting the hacker Powerball jackpot – tons of international notoriety and really big money. On the heels of Target’s announcement this week that the credit and debit card information of up to 40 million customers shopping at its stores over a 19 day stretch, starting on Black Friday, may have been fully compromised, Joe Caruso, the founder of Global Digital Forensics, a premiere provider of cyber security solutions and data breach emergency response, gives some industry insight into the aftermath of mega breaches like these and what organizations can do to better protect themselves.
What’s the Impact of a Mega-Breach?
“There are two major fronts organizations have to contend with when it comes to a large-scale data breach. First there is the immediate need to identify and stop the attack, because the longer it takes, the costlier it will become. Then comes the long game, dealing with the aftermath. From our perspective, the first part is easiest, it’s cut and dry. As soon as we’re called, we start analyzing the environment, often possible even remotely, using tools like our Data Breach Response Toolkit (DBRT). It’s unlike other malware scanners because it doesn’t rely on signatures of previously discovered and documented threats, which is important since the most damaging attacks and APTs (Advanced Persistent Threats) are either too new, or too sophisticated for those types of solutions to catch. DBRT identifies suspicious behavior and system functions, so we find even the stealthiest threats. Once identified, we use it to eradicate the threat(s) from the system(s) and inoculate them from reinfection, all from one command and control console, enterprise-wide. But the aftermath, that’s a lot trickier and more nuanced, and every misstep an organization makes in this phase normally proves very costly on a variety of fronts. There are regulatory compliance issues to deal with, notification nightmares, the effect on perceived businesses integrity, and regaining the trust of nervous customers and investors. We’ve helped clients from all kinds of industries, like financial institutions, retailers, and healthcare, negotiate these dangers many times, so we know the pitfalls and how to help our clients avoid them. But for the uninitiated, the mistakes made here can sink the ship for good.”
How Can These Types of Breaches Happen?
“In the case of the Target breach, they’ve been very tight-lipped about what they know so far and there simply isn’t enough information publicly available yet to make that determination. The Secret Service is investigating, and Target has hired a third party forensics firm to investigate, but without being privy to the details of the analysis, I have no definitive answers to give. However, the magnitude of the attack and the types of systems reportedly affected would lead me to believe it was either an inside job, or an APT employing some kind of RAT (Remote Access Trojan) technology. Either scenario could give hackers the escalated privileges and access that would be needed for a sophisticated heist of this nature, while making detection very difficult. But there are things which organizations can do to give a significant boost to their cyber security posture against both these types of attacks.”
Testing and Awareness
“I can’t overstate how important regular cyber vulnerability assessments and penetration testing are. With a constantly evolving threat landscape, it’s essential to stay current. Security policies and procedures devised in the past may very well not stack up to today’s threats. For instance, I can’t tell you how many times we are called in to an organization that feels confident in their security posture only to find out mobile devices like smartphones and tablets aren’t even part of the equation, even though BYOD (Bring Your Own Device) practices are being allowed since the last overhaul of their security practices. This alone is a big hole which lends to the possibilities of cross-platform attacks. We go through it all with a fine tooth comb during our vulnerability assessments to make sure they are up-to-date by identifying any deficiencies and helping to remediate them. Regular penetration testing is also critical because it not only identifies real weaknesses by us assuming the role of real-world hackers and attempting to infiltrate the organizational network using the same trade-craft tricks they would, but it is a great tool to build awareness. When we craft customized spear phishing campaigns or assume false identities to penetrate a perimeter so we can deliver a payload via a USB stick, among many other tricks we employ, those “fool me once” lessons really stick and build awareness like nothing else.”
Control and Response
“We also have solutions that help control insider threats, like our C-All User Activity Monitor|Recorder. It’s like a video surveillance system for networks. It allows security personnel to not only monitor activity in real time, but also record activity which can be investigated after the fact. All kinds of customized triggers can be set, like when certain files are accessed, certain keywords are typed, or certain sites are visited, for instance, and C-All will capture the session, store it and allow for easy playback in indisputable video form. When a trigger is tripped, C-All can even send a notification via email so security, managers and/or owners can deal with it in real time if necessary. But no matter how much time, resources and energy is invested in improving cyber security, there simply is no such thing as perfect protection. So if the unthinkable happens, it all comes down to response. We have emergency incident responders strategically positioned nationally and worldwide so we can offer response times unrivaled in the industry, often being able to start the process immediately via our remote capabilities. Time is the biggest enemy when a breach has occurred, so surviving the initial onslaught and the aftermath will often hinge on an organizations first steps in responding to an attack. We’ll also have responders on call throughout the holiday season as well, because as the attack on Target showed, hackers don’t stop for the holidays, they thrive in the chaos.”