Wednesday, July 23, 2014

Unit 5: Russian Hackers - Target Acquired


The 2013 Target breach was the largest in U.S. retail history (Riley et al., 2014).  It resulted in the theft of over 40 million credit card numbers and the personal information of nearly 70 million customers (Committee on Commerce, Science, and Transportation, 2014).  Notably, the breach was not caused by a lack of understanding of security's importance, nor by inadequate systems; it was a failure of execution.  Despite installing sophisticated tools and writing numerous plans, Target did not adequately address the most critical element in security, the human element.  Below we outline the nature of the breach and how, using McCumber’s Cube, Target could have avoided it.

The Attack

The attack started months before anything happened on Target’s own systems, when the attackers stole the credentials of Target contractor Fazio Mechanical Services (Committee on Commerce, Science, and Transportation, 2014).  Fazio had access to Target’s systems for electronic billing, contract submission, and project management (Committee on Commerce, Science, and Transportation, 2014).  The attackers initially infected Fazio’s machines through emails carrying malware (Committee on Commerce, Science, and Transportation, 2014). 

Once the attackers had a foothold in Target’s systems through the vendor’s access, they moved from those peripheral applications toward the systems that handled credit card data.  There they carried out what is known as a “RAM scraping” attack (Committee on Commerce, Science, and Transportation, 2014).  RAM scraping targets card data at the one point where it is not encrypted: the moment the point of sale (POS) terminal holds the data in its memory, after the swipe and before it is sent to the company’s payment processor (Committee on Commerce, Science, and Transportation, 2014).  To do this, the attackers infected the POS machines with a customized version of commonly available malware called “BlackPOS” (Committee on Commerce, Science, and Transportation, 2014), which sells on the black market for between $1,800 and $2,300 (Committee on Commerce, Science, and Transportation, 2014). 

In addition to infecting the POS machines to collect card data, the attackers also infected Target servers in order to stage the collected data and move it out through Target’s network and firewalls.  They named their malware BladeLogic to disguise it on the servers (Riley et al., 2014), mimicking a legitimate data center management component that already existed there (Riley et al., 2014).  The stolen data was moved through Target servers and then sent by FTP to compromised servers around the world.  Eventually it reached the Russian black market, where the card data was sold.

The Security Measures

Target limited access to the networks that held confidential information.  Additionally, months before the breach, Target “began installing a $1.6 million malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon” (Riley et al., 2014).  The FireEye system uses virtual machines to create a parallel, simulated network; malicious code that lands in it believes it is running on real servers, and when it acts, the software detects the activity and alerts the monitoring staff.  The installation also gave Target 24-hour monitoring of its systems by security specialists in Bangalore (Riley et al., 2014).  On top of the FireEye installation, Target also had an internal security operations center in the U.S.  Although this is common in many other industries, it is not common in retail: other industries self-detect breaches approximately 31% of the time, while retailers do so only 5% of the time (Riley et al., 2014).  Target was trying to be ahead of the curve.  However, this may have led to some sense of complacency.  

When the attackers installed the malware that would move the data out of Target’s network, the FireEye system detected it and the Bangalore team notified the security operations center (SOC) in the U.S.  When the attackers upgraded that same exfiltration software days later, the Bangalore team again notified the U.S. team.  Nothing happened in either case.  It was not until weeks later, when the Department of Justice notified Target of unusual activity, that investigators took action.  A timeline of events can be seen in the video below.




(Bloomberg News, 2014)

Where Did Target Fail

Based on the available evidence, Target’s most egregious error was failing to prepare the U.S. SOC team for how to respond once a breach was identified.  As described above, the U.S. team was notified twice but did not act.    
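The failure described above is a policy and procedure gap, not a technology gap: the alerts existed, but nothing forced a human to act on them.  The following is an added example (not code from the original post or from FireEye) of a minimal alert-triage rule of the kind a SOC runbook can encode, run over constructed alert lines.  It escalates a detection when the flagged binary carries a familiar name but sits outside that product's install directory (the BladeLogic trick), when outbound FTP follows earlier alerts on the same host, or when both happen, and it attaches an acknowledgement deadline to each ticket.  The alert format, host names, paths, the table of expected install locations, the point values and the one-hour deadline are all assumptions made for this example.

```python
"""
Added example, not code from the original post or from FireEye: a minimal
alert-triage rule of the kind a SOC runbook can encode so that detections
like the ones Target's monitoring team raised cannot sit unactioned. The
alert lines, host names, file paths and the table of expected install
locations are constructed for this example and do not follow any real
vendor's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Where the legitimate copy of commonly impersonated software lives
# (constructed). A binary with a familiar name outside that directory is
# treated as masquerading, which is how the BladeLogic-named malware hid.
EXPECTED_PATH = {
    "bladelogic": "c:\\program files\\bmc software\\bladelogic",
}

ACK_DEADLINE = timedelta(hours=1)   # constructed policy: a named human acknowledges within 1h
ESCALATE_AT = 4                     # constructed threshold


def parse_alert(line: str) -> dict:
    """Pipe-delimited 'timestamp|key=value|...' lines (constructed format)."""
    ts, *fields = line.split("|")
    alert = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        alert[key] = value
    return alert


def score(alert: dict, prior_hits_on_host: int) -> tuple:
    """Points and human-readable reasons; correlation across alerts raises the score."""
    points, reasons = 0, []
    if alert.get("severity") == "high":
        points += 2
        reasons.append("severity high")
    name, path = alert.get("name", "").lower(), alert.get("path", "").lower()
    for product, expected in EXPECTED_PATH.items():
        if product in name and not path.startswith(expected):
            points += 3
            reasons.append(f"{alert['name']} running outside {expected}")
    if alert.get("event") == "outbound" and alert.get("proto") == "ftp":
        points += 3
        reasons.append("FTP to external host")
    if prior_hits_on_host:
        points += 2
        reasons.append(f"{prior_hits_on_host} earlier alert(s) on same host")
    return points, reasons


def triage(lines: list) -> list:
    """Return the tickets that must be acknowledged, in time order."""
    tickets, hits = [], defaultdict(int)
    for alert in sorted(map(parse_alert, lines), key=lambda a: a["ts"]):
        host = alert.get("host", "unknown")
        points, reasons = score(alert, hits[host])
        hits[host] += 1
        if points >= ESCALATE_AT:
            tickets.append({"host": host, "score": points, "reasons": reasons,
                            "ack_by": alert["ts"] + ACK_DEADLINE})
    return tickets


# Constructed alerts loosely following the post's narrative: a masquerading
# binary is seen, seen again after an upgrade, then FTP leaves the same host.
SAMPLE_ALERTS = [
    "2013-11-30T02:14:00Z|severity=high|host=srv-dc-12|event=malware.binary"
    "|name=BladeLogic.exe|path=c:\\windows\\temp\\bladelogic.exe",
    "2013-11-30T02:15:10Z|severity=medium|host=pos-lane-07|event=malware.binary"
    "|name=svchost.exe|path=c:\\windows\\system32\\svchost.exe",
    "2013-12-01T09:00:00Z|severity=medium|host=ws-hr-03|event=outbound|proto=ftp|dst=203.0.113.9",
    "2013-12-02T03:40:00Z|severity=high|host=srv-dc-12|event=malware.binary"
    "|name=BladeLogic.exe|path=c:\\windows\\temp\\bladelogic.exe",
    "2013-12-02T04:02:00Z|severity=low|host=srv-dc-12|event=outbound|proto=ftp|dst=203.0.113.45",
]

if __name__ == "__main__":
    for ticket in triage(SAMPLE_ALERTS):
        print(ticket)
```

On the constructed data, the lone FTP from ws-hr-03 scores below the threshold and is only logged, while the low-severity FTP from srv-dc-12 is escalated because two earlier alerts had already fired on that host.  The point values are deliberately simple; what matters is that the rule produces a ticket with a deadline, so a missed acknowledgement is itself a detectable event.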

Additionally, Target did not secure the data in all of its information states.  As shown, the card data sat unencrypted, in plaintext, in the POS device’s memory.  That created a vulnerability that anyone who could run code on the POS device could exploit.   
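To make the memory-state vulnerability concrete, here is an added example (not code from the original post, and not real malware) that simulates what a RAM scraper such as BlackPOS does against a constructed snapshot of POS process memory, and shows why the same scan finds nothing when the card reader encrypts the data before the POS application ever holds it.  The card numbers are standard test PANs, the memory layout is invented, and encrypt_at_swipe is a toy stand-in for hardware point-to-point encryption, not a production cipher.

```python
"""
Added example, not code from the original post or from any real malware:
a simulation of what a memory-scraping POS malware such as BlackPOS does,
and why it finds nothing when the reader encrypts card data before the
POS application ever holds it. The memory snapshot and card numbers are
constructed test data (standard test PANs, not real accounts), and
encrypt_at_swipe is a toy stand-in for hardware point-to-point
encryption, not a production cipher.
"""
import hashlib
import hmac
import re
import secrets

# Track 2 as a magstripe reader delivers it: ;PAN=YYMM<service code + discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")
# Bare 13-19 digit runs: keyed-in PANs, plus anything else that merely looks like one.
PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; scrapers use it to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(chr(ch))
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_memory(buf: bytes) -> list:
    """Harvest card data from a process memory snapshot the way a RAM scraper does."""
    found = {}
    for m in TRACK2.finditer(buf):
        pan, expiry = m.group(1), m.group(2)
        if luhn_ok(pan):
            found[pan] = {"pan": pan.decode(), "expiry": expiry.decode(), "source": "track2"}
    for m in PAN.finditer(buf):
        pan = m.group(1)
        if pan not in found and luhn_ok(pan):
            found[pan] = {"pan": pan.decode(), "expiry": None, "source": "bare"}
    return list(found.values())


def encrypt_at_swipe(data: bytes, key: bytes, nonce: bytes = b"") -> bytes:
    """Toy stand-in for P2PE: the reader encrypts before the POS sees the data.
    Keystream = HMAC-SHA256(key, nonce || counter). Illustrative only."""
    nonce = nonce or secrets.token_bytes(16)
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return nonce + bytes(out)


def build_pos_memory(card_field: bytes) -> bytes:
    """Constructed heap snapshot: journal line, order number, the card field, junk.
    The 14-digit timestamp and 16-digit order number fail Luhn and are ignored."""
    return (b"\x00\x10POSapp 4.2 journal 20131127143015 lane 07\x00"
            b"order 1234567890123456 total 0049.99\x00"
            + card_field +
            b"\x00auth request pending\x00\xff\xfe")


SWIPE = b";4111111111111111=151210112345?"   # constructed Track 2 with a test PAN
KEYED_PAN = b"5500000000000004"               # constructed manual entry, test PAN
READER_KEY = b"constructed-reader-key"


def plaintext_memory() -> bytes:
    """What the POS held at Target: card data in the clear between swipe and send."""
    return build_pos_memory(SWIPE + b"\x00manual " + KEYED_PAN)


def p2pe_memory() -> bytes:
    """Same sale when the reader encrypts before handing the data to the POS."""
    return build_pos_memory(encrypt_at_swipe(SWIPE, READER_KEY)
                            + b"\x00manual " + encrypt_at_swipe(KEYED_PAN, READER_KEY))


if __name__ == "__main__":
    print("plaintext POS memory:", scrape_memory(plaintext_memory()))
    print("P2PE POS memory:     ", scrape_memory(p2pe_memory()))
```

The scraper needs no exploit and no privilege beyond reading its own host's memory, which is why gaining code execution on the terminal was sufficient.  The defence that changes the outcome is not a better detector but removing the plaintext state altogether: once the reader encrypts at the swipe, the POS process holds only ciphertext and the scan returns an empty list.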

McCumber’s Cube

If Target had used McCumber’s model (depicted as a cube below) to evaluate their security systems, these flaws would have been evident.


McCumber’s model serves as a comprehensive framework for evaluating and establishing information systems security programs.  The cube reflects the interaction between desired goals, information states, and security safeguards.  McCumber defined three desired goals: confidentiality, integrity, and availability (McCumber, 1991).  Second, he defined three information states: transmission, storage, and processing.  Last, he defined three types of safeguards: technology; policy and practice; and education, training and awareness (human factors) (McCumber, 1991). 

Looking at the Target breach, the confidentiality (goal) of credit card data while it was held in the POS device’s memory (information state: processing, between the swipe and transmission) had no effective human-factors safeguard, no policy and procedure safeguard, and no technology safeguard protecting it.  Had Target used McCumber’s cube, it would have identified this gap.

Second, the confidentiality (goal) of credit card data in transmission (information state) had a technology safeguard in place, the FireEye detection system.  However, Target was clearly lacking the human-factors and policy-and-procedure safeguards for that same cell.  This highlights a valuable lesson about McCumber’s cube: a single control for a given goal and information state is often insufficient.  That is the intent of the cube: to make sure every combination is evaluated for controls in each of the three safeguard areas.
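The two gaps just described are exactly what a cube walk-through surfaces mechanically.  The following is an added example (not code from the original post or from McCumber’s paper) that expresses the 3x3x3 model as a coverage check: each control you actually operate is tagged with the goals, information states and safeguard type it provides, and gaps() reports every (goal, state) cell with a safeguard type that has no control at all.  The control inventory is a constructed sketch of Target’s position as the post describes it, and the remediation list is likewise constructed, not Target’s actual plan.

```python
"""
Added example, not code from the original post or from McCumber's paper:
the 3x3x3 model expressed as a coverage check. Each control you actually
operate is tagged with the goals, information states and safeguard type it
provides, and gaps() reports every (goal, state) cell that has no control
of some safeguard type. The control inventory below is a constructed
sketch of Target's position as the post describes it, not an audited list.
"""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("transmission", "storage", "processing")
SAFEGUARDS = ("technology", "policy", "education")   # McCumber's three safeguard types


def coverage(controls: list) -> dict:
    """Map every (goal, state) cell to {safeguard type: [control names]}."""
    cube = {cell: {s: [] for s in SAFEGUARDS} for cell in product(GOALS, STATES)}
    for c in controls:
        for cell in product(c["goals"], c["states"]):
            cube[cell][c["safeguard"]].append(c["name"])
    return cube


def gaps(controls: list, goals=GOALS, states=STATES) -> dict:
    """(goal, state) -> safeguard types with no control, for cells that have any gap."""
    cube = coverage(controls)
    result = {}
    for cell in product(goals, states):
        missing = [s for s in SAFEGUARDS if not cube[cell][s]]
        if missing:
            result[cell] = missing
    return result


# Constructed inventory for card data, as the post describes Target before the breach.
TARGET_BEFORE = [
    {"name": "segmented card-data network", "safeguard": "technology",
     "goals": ("confidentiality",), "states": ("transmission", "storage")},
    {"name": "FireEye detection + Bangalore monitoring", "safeguard": "technology",
     "goals": ("confidentiality", "integrity"), "states": ("transmission",)},
    {"name": "encrypted link to payment processor", "safeguard": "technology",
     "goals": ("confidentiality",), "states": ("transmission",)},
]

# Constructed remediation: fill the empty safeguard types the post calls out.
REMEDIATION = [
    {"name": "point-to-point encryption at the card reader", "safeguard": "technology",
     "goals": ("confidentiality",), "states": ("processing", "storage")},
    {"name": "SOC escalation runbook with acknowledgement deadlines", "safeguard": "policy",
     "goals": GOALS, "states": STATES},
    {"name": "analyst and store-staff training on the runbook", "safeguard": "education",
     "goals": GOALS, "states": STATES},
]

if __name__ == "__main__":
    for cell, missing in gaps(TARGET_BEFORE, goals=("confidentiality",)).items():
        print(cell, "missing:", ", ".join(missing))
    print("after remediation:", gaps(TARGET_BEFORE + REMEDIATION, goals=("confidentiality",)))
```

Run against the constructed inventory, the confidentiality row shows the processing cell with all three safeguard types empty and the transmission cell with technology only, which is the analysis the two paragraphs above make by hand.  Running gaps() without restricting goals shows that every one of the nine cells lacked a policy and an education control, which is the more uncomfortable finding a real assessment would have to act on.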

The Impact – Target

Analysts estimate that the total cost of this breach to the financial system runs into the billions (Riley et al., 2014).  As many as one in three U.S. online consumers was affected in some way (Riley et al., 2014).  More than 90 lawsuits have been filed (Riley et al., 2014).  The direct costs to Target were estimated at $61 million in its 2013 fourth-quarter report to investors (Riley et al., 2014).  However, the biggest cost to Target was lost sales.  “Target’s profit for the holiday shopping period fell 46 percent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008” (Riley et al., 2014).  Because of the losses and the reputational damage, Target’s CEO stepped down after 35 years with the company, and the stock price continues to slip (video below).

 (The Street, 2014)

Additionally, Target has begun to roll out “chip and PIN” (EMV) technology for its card transactions.  While this sounds reassuring to consumers, security experts contend that it will not stop the type of attack that caused the breach, because during an EMV transaction the card data can still sit in, and be transmitted from, the POS device unencrypted (Daly, 2014).  The chip authenticates the card to the terminal; it does not by itself encrypt the data in the terminal’s memory, which is the control (point-to-point encryption at the reader) that would actually defeat a RAM scraper.  Given this, Target does not seem to have learned its lesson about over-reliance on technology-based solutions.  Instead, it should run an analysis using McCumber’s model and ensure its other controls are adequate.

The Impact – FireEye

Despite the losses suffered by U.S. consumers and by Target, there was one winner from the breach: FireEye.  Once it was revealed that FireEye had detected the breach, and that its product had an automatic-removal feature that could have stopped the malware (a feature Target had chosen to turn off), FireEye’s competence was no longer in question.  The breach also generated a large amount of publicity about cybersecurity and about the FireEye product, and the stock rose 40% by March 2014 (Sheridan, 2014).  Additionally, “spending on cybersecurity software is expected to grow 15% annually over the next several years” (Sheridan, 2014).  That could translate into significant revenue growth for FireEye over the next several years.

Conclusion

Although McCumber’s model was created over 20 years ago, it remains relevant today.  The Target example shows that the model, had it been used, would have exposed the vulnerabilities.  Although Target invested significantly in security, its lack of a comprehensive approach left gaps that could be exploited.  As with many technology deployments, it is important to consider the policies and procedures that dictate behavior and the human factors that allow them to be carried out.


References

Bloomberg News (2014, March 14). Hacking Timeline: What Did Target Know and When? Retrieved on July 14, 2014 from http://www.youtube.com/watch?v=M5tl4Yf92Nk  

Committee on Commerce, Science, and Transportation. (2014, March 26).  A “Kill Chain” Analysis of the 2013 Target Data Breach. Majority Staff Report for Chairman Rockefeller. Retrieved on July 20, 2014 from http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883

Daly, J. (2014, January 14). Experts Differ on Whether EMV Chip Cards Provide Data-Breach Immunity. Retrieved on July 14, 2014 from http://digitaltransactions.net/news/story/Experts-Differ-on-Whether-EMV-Chip-Cards-Pro

McCumber, J. (1991, October). Information Systems Security: A Comprehensive Model. Proceedings of the 14th National Computer Security Conference, Washington, DC.

Riley, M., Elgin, B., Lawrence, D. and Matlack, C. (2014, March 13). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Businessweek. Retrieved on July 14, 2014 from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Sheridan, P. (2014, March 27). FireEye: Winner from Target data breach? CNN Money. Retrieved on July 14, 2014 from http://buzz.money.cnn.com/2014/03/27/fireeye-cybersecurity-after-target-breach/

The Street. (2014, May 5). Target CEO Gregg Steinhafel Resigns Post-Customer Data Breach. Youtube. Retrieved on July 23, 2014 from http://youtu.be/bKxyETHsdvc 

Saturday, July 5, 2014

Unit 4: Nobody understands the cloud!



Maybe this video describes how you feel about the cloud…

 

If so, fear not, just read on…
 
In his 2009 article, “Alternative IT Sourcing Strategies: From the Campus to the Cloud,” Philip Goldstein defined “alternative sourcing” as “the range of options institutions have for providing technology services or operating technology functions aside from doing it themselves.”  This initially meant traditional outsourcing models, in which vendors supplied on-site support (Goldstein, 2009).  The internet then allowed that vendor presence to move off-site, through hosted applications and leased software, also known as software as a service (SaaS) (Goldstein, 2009).  The most recent evolution in alternative sourcing is cloud computing.  Cloud computing leverages economies of scale, high-speed internet connections, and virtualization to let users access and manipulate data from any internet-connected device.  In the simplest terms, the data you work with is housed remotely, and the applications you need to manipulate that data are housed remotely as well.  These remote locations are data centers, and both your data and your applications are often spread across several of them.  Because these services run in the cloud, they offer the promise of easier access and scalability.  The video below explains cloud computing using a relatively simple car analogy (Clouddistribution’s, 2010).

Although the concept of cloud computing is appealing, there are drawbacks.  Below we will weigh the advantages and disadvantages of the concept.

Advantages

1. Cloud services can potentially minimize operational costs

2. Cloud services can be deployed faster

3. Cloud services offer consumption-based pricing and capacity on demand

4. Cloud services, by outsourcing maintenance work, allow internal IT staff to focus on development, end-user customer service, and analytics

5. Cloud services make multi-year budgets easier to develop (under a service model, the liability for hardware failure and unexpected expense is mitigated)

6. Software stays up to date and the upgrade process is easier

7. The ability to customize is limited (Mahon et al., 2011)

Disadvantages

1. IT leaders must ensure sufficient service level agreements (SLAs) with vendors

2. IT staff must monitor vendor performance against those SLAs

3. Not all applications are in the cloud, so integration can be challenging

4. Service structures are new and not always fully developed

5. Because the vendor controls the change and upgrade process, change is forced on the institution rather than managed by it

6. There are few short-term workarounds when problems occur

7. Third-party application add-ons can be expensive and wasteful

8. The ability to customize is limited (also listed as an advantage) (Mahon et al., 2011)

9. A June 2014 study estimates that a data breach is 3.1x more likely when cloud applications are involved (Ponemon, 2014)
 
One innovator in cloud computing has been Google.  One of the more interesting cloud computing offerings is Google Apps, which takes the functionality of a standard office suite (think Microsoft Office) and places it in the cloud.  Not only was the idea of an office productivity suite in the cloud innovative, but initially it was free!  A 2011 graphic listed Google Apps as one of seven disruptive innovations that turned their markets upside down (White, 2011).  The infographic in question is below.


In addition to launching apps for personal users in 2006, Google released Google Apps for Business in 2007.  A recent Wall Street Journal article estimated that 16.3% of all companies now use Google Apps (King, 2014).  The video below gives you a better idea of how Google Apps works.

 
Google is so invested in the concept of cloud computing that, in addition to the free apps, it partnered with several hardware vendors to create Chromebooks.  Effectively, these are laptops with minimal local hardware and little locally installed software; instead, Chromebooks depend on data and software in the cloud.  Initial reception was mixed, because not everything people want to do can yet be done in the cloud.  They may have been slightly ahead of their time.

Conclusion

Cloud computing as an alternative IT sourcing strategy seems to be trending.  As capabilities in the cloud expand and competition drives prices even lower, expect to see more and more transition.  Although data security is a concern, new encryption protocols will likely help.  Additionally, there are many people for whom data security is not a concern.  For example, although we are sure other MIS groups are desperately hacking away to uncover this blog a few days early, we have a high tolerance for risk!

 

References
Clayton, Allen (2014, June 6). Nobody understands the cloud. Retrieved on July 5, 2014 from https://www.youtube.com/watch?v=27GgP6BXR6A

Clouddistribution’s (2010, June 21). Cloud Computing (in Plain English). Retrieved on July 1, 2014 from https://www.youtube.com/watch?v=txvGNDnKNWw

Goldstein, P. (2009). Alternative IT Sourcing Strategies: From the Campus to the Cloud. Retrieved on July 1, 2014 from https://net.educause.edu/ir/library/pdf/EKF/EKF0905.pdf

Google. (2010, March 4). How Google Apps Work. Retrieved on July 2, 2014 from https://www.youtube.com/watch?v=doHnLiAzQ5M

King, R. (2014, April 30). Office 365 Gains on Google Apps as Microsoft Puts Priority on Cloud. Retrieved on July 2, 2014 from http://blogs.wsj.com/cio/2014/04/30/office-365-gains-on-google-apps-as-microsoft-puts-priority-on-cloud/

Mahon, E., McPherson, M., Vaughan, J., Rowe, T., Pickett, M., Bielec, J. (2011, July 21). Alternative IT Sourcing Strategies: Six Views. Retrieved on July 1, 2014 from http://www.educause.edu/ero/article/alternative-it-sourcing-strategies-six-views

Ponemon (2014, June). Cloud Multiplier Effect on the Cost of a Data Breach. Retrieved on July 2, 2014 from http://www.netskope.com/reports-infographics/data-breach-cloud-multiplier-effect-infographic/


White, C. (2011, October 9). 7 Disruptive Innovations That Turned Their Markets Upside Down. Retrieved on July 2, 2014 from http://mashable.com/2011/10/09/7-disruptive-innovations/