Even more than five years later, the Target breach is still one of the top 10 data breaches of the 21st century. It was also a watershed moment for cybersecurity. Not only did it shine a spotlight on payment card security, it also brought to light the idea that third-party vendors are a potential cybersecurity risk that organizations need to consider.
Unfortunately, the Target attack scenario remains the most common example of a third-party insider threat today. The good news is that the lessons learned are still relevant.
Recap: The Target Breach
In September of 2013, Fazio Mechanical Services, an HVAC and refrigeration third-party vendor for Target, was compromised by a phishing attack. The malware used could have been detected by any enterprise anti-malware product at the time. Unfortunately, Fazio was using a free version of anti-malware software that could not detect it.
Once the threat actors had full access to Fazio’s network, they performed further reconnaissance and identified that Fazio had credentials they could use to access Target’s network. It is still not known exactly how, but it is suspected that they were able to gain access to Target through weaknesses in a web portal. Several attack scenarios, such as SQL injection, cross-site scripting (XSS), or even a zero-day could have been used.
Target’s malware detection tool had been implemented 6 months prior to the incident and was sending alerts. Unfortunately, no one within Target investigated.
Target’s network was not segmented, so the perpetrator(s) were able to move around without much restriction. By late November, they had completely infected the point of sale (POS) systems and were collecting credit card information. This information was staged locally on compromised machines inside Target’s network, using compromised FTP servers that had been configured with default usernames and passwords.
In early December, they began exfiltrating the data to drop sites in Miami and Brazil daily between the hours of 10 am and 5 pm. Target’s malware detection tool continued sending alerts throughout the entire incident.
The stolen information totaling 11 GB was aggregated on a server in Russia. As the compromised data began appearing on black-market forums on the Dark Web for sale, investigators were able to piece together the clues to identify Target as the source of the credit card data. On December 12, the Department of Justice notified Target. By December 15, Target had removed the malware.
Target was PCI compliant. Fazio Mechanical was compliant with industry-standard information security regulations. But clearly, compliance does not equate to being secure.
In the end, 40 million credit/debit card numbers and 70 million customer and employee records were collected and exfiltrated. The credit card information was sold for an estimated $53.7 million. The banks paid an estimated $200 million to refund money stolen from customers and to reissue 21.8 million cards. Ouch!
Lessons Learned from the Target Breach
First let’s look at some of Fazio Mechanical’s weaknesses that enabled the attack to occur:
- Lack of security training. If Fazio Mechanical’s employees had been required to complete cybersecurity awareness training, the employee might have spotted the phishing email and not clicked the link.
- Lack of investment in security controls. The free anti-malware tool they were using did not have the signature needed to identify the malware that was used. The enterprise (paid) version of the same software did.
- Weak security controls, in general.
Now here are some of Target’s weaknesses that allowed the attack to persist undetected:
- Did not utilize the security controls in place. Not only did they not investigate security warnings from their malware detection systems, they had turned off these systems’ malware auto-removal functions.
- No network segmentation. Their POS systems were not separated from other network functional areas.
- POS terminals were not hardened. The terminals allowed unauthorized software installation.
- Used default credentials on FTP servers.
- Access controls were not adequately applied on third-party accounts and security groups. Fazio had administrative network credentials on Target’s network.
- Internal web application security was likely not tested.
Finally, some of the takeaways from the Target breach that we can all learn from include:
- Know the systems used as security controls on your network. Ensure staff understand how to install, configure, administrate, and interpret outputs of these systems. Ensure response procedures are specific to the systems in use on your network.
- Only allow trusted applications to run on POS systems, using digital signatures and Public Key Infrastructure (PKI) certificates.
- Disallow local administrative rights.
- Investigate and respond to alerts.
- Build a baseline of expected network activity, and put a process in place to detect anomalies.
- Ensure automatic removal of malware is in place.
- Use network segmentation with access control lists (ACLs) to control the flow of information.
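The recap notes that the data was exfiltrated daily, in bulk, during business hours, while alerts went uninvestigated. The "build a baseline, then detect anomalies" takeaway above is concrete enough to show in code. The following is an added example, not code from the original post or from any tool it describes: it learns a per-host baseline of daily outbound volume and known destinations from a training window of flow records, then flags later days whose volume or destinations depart from it. Every flow line, hostname (`pos-017`) and address (`203.0.113.77` is a documentation range) is constructed for illustration; the thresholds are assumptions, not tuned values.

```python
"""Baseline-and-anomaly check over outbound flow records.

Added example (not from the original post). Builds a per-host baseline
of outbound bytes per day and the set of destinations seen, from a
constructed training window, then flags days whose volume or
destinations depart from that baseline. All records are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records in the form "date host dst_ip bytes_out".
# The baseline window shows a POS host talking only to two internal hosts.
BASELINE_FLOWS = """\
2013-10-01 pos-017 10.20.5.4 120000
2013-10-01 pos-017 10.20.5.9 80000
2013-10-02 pos-017 10.20.5.4 125000
2013-10-02 pos-017 10.20.5.9 78000
2013-10-03 pos-017 10.20.5.4 118000
2013-10-03 pos-017 10.20.5.9 82000
2013-10-04 pos-017 10.20.5.4 122000
2013-10-04 pos-017 10.20.5.9 79000
2013-10-05 pos-017 10.20.5.4 119000
2013-10-05 pos-017 10.20.5.9 81000
"""

# Constructed observation window: one day carries a large transfer to a
# never-before-seen external address (203.0.113.77 is a documentation range).
OBSERVED_FLOWS = """\
2013-12-02 pos-017 10.20.5.4 121000
2013-12-02 pos-017 10.20.5.9 80000
2013-12-02 pos-017 203.0.113.77 950000000
2013-12-03 pos-017 10.20.5.4 120000
2013-12-03 pos-017 10.20.5.9 81000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (date, host, dst, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dst, nbytes = line.split()
        records.append((date, host, dst, int(nbytes)))
    return records


def daily_totals(records):
    """Aggregate to (host, date) -> [total bytes out, set of destinations]."""
    totals = defaultdict(lambda: [0, set()])
    for date, host, dst, nbytes in records:
        entry = totals[(host, date)]
        entry[0] += nbytes
        entry[1].add(dst)
    return totals


def build_baseline(records):
    """Per host: mean and population stdev of daily bytes, plus known destinations."""
    per_host_days = defaultdict(list)
    per_host_dsts = defaultdict(set)
    for (host, _date), (nbytes, dsts) in daily_totals(records).items():
        per_host_days[host].append(nbytes)
        per_host_dsts[host] |= dsts
    return {
        host: {"mean": mean(days), "stdev": pstdev(days), "dsts": per_host_dsts[host]}
        for host, days in per_host_days.items()
    }


def find_anomalies(baseline, records, k=3.0, min_margin=0.25):
    """Return (host, date, reason) findings for days that break the baseline.

    k and min_margin are assumed tuning knobs: the volume threshold is the
    baseline mean plus the larger of k standard deviations or min_margin
    of the mean, so a very stable baseline does not fire on tiny drift.
    """
    findings = []
    for (host, date), (nbytes, dsts) in sorted(daily_totals(records).items()):
        base = baseline.get(host)
        if base is None:
            findings.append((host, date, "no baseline for host"))
            continue
        threshold = base["mean"] + max(k * base["stdev"], min_margin * base["mean"])
        if nbytes > threshold:
            findings.append((host, date, f"volume {nbytes} exceeds threshold {threshold:.0f}"))
        unseen = dsts - base["dsts"]
        if unseen:
            findings.append((host, date, f"new destinations {sorted(unseen)}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    for host, date, reason in find_anomalies(base, parse_flows(OBSERVED_FLOWS)):
        print(f"{date} {host}: {reason}")
```

Two independent signals are checked on purpose: a volume spike alone could be a legitimate batch job, and a new destination alone could be a new internal service, but a POS host sending far above its norm to an address it has never spoken to is exactly the pattern the recap describes. In practice the baseline window should be long enough to cover normal weekly and seasonal variation, and findings should feed a response procedure that someone actually owns, which was the missing piece in the incident.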
One of the best ways to mitigate cybersecurity risk posed by third-party vendors is to implement a Vendor Risk Management Program. Learn how to build an effective program in our blog post, Seven Steps to a Successful Vendor Risk Management Program.