We're all familiar with the Target payment card breach late last year. Up to 110 million payment card numbers were stolen through a huge hole in the company's network, right down to the security of the PIN pads. The breach cost Target CIO Beth Jacobs her job; it was, and still is, a serious matter.
Target is obviously a public company, so this situation garnered a lot of attention. As a CIO or member of the executive technical staff, though, there are some observations about the situation that can apply to your company.
Here are four key lessons from Target's very public example of a data breach.
1. It's vital to know which alarms you can safely ignore
In this connected age, security vulnerabilities are a dime a dozen. Different software has different risk profiles, and some of the vulnerabilities that affect certain organisations severely are already safely mitigated in other organisations simply by the structure of how components are set up. Performing a thorough threat analysis is crucial, but knowing how to manage the onslaught of event logs, audit logs, vendor vulnerability notifications and intrusion prevention messages is just as critical.
One best practice: Develop a rubric by which a weight is assigned to alerts about security vulnerabilities and attempted penetration. Depending on what business you're in, you can score this either by system involved or by the source of the alert. Some considerations might include the following:
- For a retail business, payment systems alerts should be given clear priority. Typically, these payment systems are segregated from other networks, but patching alerts from your vendors, security audit logs and activity monitoring should be done on a high frequency, with particular attention paid to anomalies that appear in these results. Internet-facing businesses should always ensure that fraud prevention measures are in place and ensure shopping cart and ecommerce software is patched and monitored.
- Alerts from your intrusion detection system or honeypots should also be given a higher priority than other alerts. However, it may be necessary to fine-tune thresholds. One-off attempts shouldn't raise alarms, but repeated attempts that display similar characteristics should be evaluated for their consistency and then bubbled up to the appropriate levels for technical review and analysis.
- Other regular software vulnerabilities, like those in file servers and desktop software, should be cataloged and analysed but should fall below other, riskier parts of your technology stack.
Create a judgment structure by which you can evaluate alerts and threat messages so the signal-to-noise ratio is high as it can be. This way, "red alert" messages get the attention they deserve immediately, while "yellow alert" type messages are analysed at a less urgent pace.
2. Lobby for a CISO to handle significant security, liability responsibilities
As the old saying goes, the buck must stop somewhere. As with most things technology, the head of the information services organization is likely to get the blame. But CIOs are burdened with more areas of responsibility than ever before, from keeping the computers running to creating new technology-driven lines of business that can actually represent a profit center to liaising with marketing and the executive suite to unlock secrets that lie within the massive amounts of data warehoused in the corporate IT warehouse.
Yes, security is an important part of all this, but creating a security regimen and implementing it through the organisation is really best done by a dedicated CISO - someone whose sole job is to monitor the security posture of a business and then carefully and deliberately enhance it over time. A CIO is simply too rushed and spread too thin, to fully handle this responsibility.
Target shows why. It took several weeks to get to the bottom of the extent of the breach. (This is actually better than average; most serious data breaches take months to spot.) According to multiple reports, it took days to even discover the breach before the media caught on to it. As we all saw, it seemed Target discovered more and more about exactly what data was lost in the attack, judging from the trickled release of information to the public and to the media.
You can imagine the frenzy within Target of getting to the bottom of what happened, reacting to it, preventing the situation from deteriorating and activating response plans. The buck stopped with Jacobs, and her response was left somewhat wanting. It's a real possibility that she simply had too much on her plate.
Additionally, hiring a specific security head shows the rest of the organization that security is serious business. Having such a position generally gives the CISO the autonomy required to put into place the right remedial measures to enhance security. Having to work through a chain of command not dedicated to security can delay or even jeopardise necessary technical improvements due to a lack of clear communication or an inability to convince others that some measures are necessary.
3. Incident response plans key to successful recovery from data breaches
In the hours and initial couple of days after a breach has been discovered, there is usually only one priority: Fix the breach, at all costs. Stop the bleeding.
This is a fine approach for the technical team. However, others in your organization need to at least be activated to begin planning a communications approach that keeps all stakeholders informed. Witness the somewhat haphazard way in which Target disclosed the breach. Were PINs compromised, or just payment card numbers? Were PINs leaked? Were encrypted PINs leaked? Was anything leaked? The story seemed to change as the situation developed. That's a symptom of an incomplete crisis communications plan.
I will note, however, that the PIN pads and (perhaps) other payment and point-of-sale equipment at my local Target location were replaced within days of the initial breach announcement. That's a sign of an excellent technical response plan.
4. The weakest point in your security is something you haven't considered
The Target breach began with an HVAC contractor accessing a wireless network on the vulnerable side of the Target corporate firewall. It all began because something as innocuous as a thermostat wasn't functioning correctly.
Hackers and crackers are sophisticated; at this level, they're playing a long game to nail lucrative, high-value targets. They're looking where they think you're not looking.
As a CIO, it's your job to direct your teams to batten down all hatches - procedural, technical and otherwise. Provide the leadership and the ethos to make this type of watchful, deliberate security a priority.