April 1, 2014 – Much has been written and heard about the ”great Target breach,” but most of it is targeted (sorry!) at those involved in the event and much less is aimed at the lessons that all businesses can learn from this. Here areas:
Target spent over $1.5M on a security monitoring and tracking system developed with help from the CIA, yet ignored two system warnings early in the breach.
Investing large (or even small) amounts of money in technology tools won’t protect you and your business unless they are properly configured and monitored. Businesses should start with a clear strategy that identifies what they are trying to protect and why; and what policies, processes and tools will be used to accomplish the strategy.
Target’s Chief Information Officer had no IT training, background or experience, she came from Sales.
Not every organization needs to have a large IT staff with years of experience, but in the 21st Century Information Age, every business model has IT and the Internet as an integral part. Trying to manage and control this without knowledge is foolish. Hire or contract with someone to provide technical guidance. Having said that, having someone who knows the ins and outs of the business model (like someone from Sales) can be key to insuring that the technology is in alignment with the overall business strategy.
The source of the breach came through one of Target’s vendors, a refrigeration contractor in Pennsylvania who had access to Target’s network for purposes of electronic billing.
Businesses need to carefully document and monitor what access levels and privileges it gives to vendors and other third parties. Whether these are IT consultants, “cloud computing services,” custodial staff or refrigeration vendors, a business must consider what risks these third-parties pose, document requirements and expectations of the relationship in contractual agreements, and monitor or audit the outsider’s compliance with the agreements.
The malware that Target got was a fairly common strain, which was recognized by their protection system, but they had turned off the automatic capture and kill feature.
A business needs to understand and carefully consider the features of the tools and processes it deploys. A defense might be selected for a key protection it offers, but in the configuration, testing, training and deployment, that protection doesn’t get properly turned on. Buying the protection is only the first step in a process that requires careful monitoring and documentation.
Target was fully compliant with PCI-DSS, the credit card security standard.
Compliance is to information security as standardized testing is to education. At any moment in time, a business might be able to “pass the test” or comply with an audit of its processes and policies against a standard (PCI, HIPAA, FERPA, etc.), but this is not proof of protection. True information security is the result of an analysis of business risks, formulated through corporate governance and senior executive management, and translated into policies, procedures, guidelines and everyday habits that are ingrained into an organization’s culture, and work constantly to identify and prevent or mitigate that risk of loss. If this exists, an organization willscore very well on a compliance test.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC, CMMC-AB RP
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.