Wednesday, July 23, 2014

Unit 5: Russian Hackers - Target Acquired


The 2013 Target hack was the largest in U.S. retail history (Riley et al., 2014).  It resulted in the theft of over 40 million credit card numbers and personal information from nearly 70 million customers (Committee on Commerce, Science, and Transportation, 2014).  Interestingly, the breach was not caused by a lack of understanding of the importance of security, or by inadequate systems; it was purely poor execution.  Despite installing high-tech systems and putting numerous plans in place, Target did not adequately address the most critical element in security – the human element.  Below we outline the nature of the breach and how, using McCumber’s Cube, Target could have avoided it.

The Attack

The attack started months before anything actually occurred on Target servers, when hackers stole the security credentials of Target contractor Fazio Mechanical Services (Committee on Commerce, Science, and Transportation, 2014).  Fazio had access to Target’s systems for the purposes of electronic billing, contract submission, and project management (Committee on Commerce, Science, and Transportation, 2014).  The hackers initially infected Fazio machines using emails with embedded malware (Committee on Commerce, Science, and Transportation, 2014). 

Once the hackers gained access to Target servers, they began to move from the peripheral applications to servers that contained credit card information.  Once inside servers that contained sensitive information, the hackers began to execute what is known as a “RAM scraping” attack (Committee on Commerce, Science, and Transportation, 2014).  This attacks data at a point at which it is not encrypted and is in plaintext format (Committee on Commerce, Science, and Transportation, 2014).  That point is when the point of sale (POS) device stores the credit card information in its memory just prior to transfer to the company’s payment processing provider (Committee on Commerce, Science, and Transportation, 2014).  Given this, the hackers infected the POS machines with a customized version of commonly available malware called “BlackPOS” (Committee on Commerce, Science, and Transportation, 2014).  This is available on the black market for between $1,800 and $2,300 (Committee on Commerce, Science, and Transportation, 2014). 

In addition to infecting the POS machines to collect the card data, the hackers also infected Target servers in order to move the collected data through Target’s networks and firewalls.  The hackers used the name BladeLogic to disguise their malware on the servers (Riley et al., 2014).  This name mimicked a legitimate software component that already existed on the servers for data center management (Riley et al., 2014).  The stolen data was then moved through Target servers and then, via FTP transfers, onto compromised servers worldwide.  Eventually the data landed on the Russian black market, where the card data was sold.

The Security Measures

Target restricted access to the networks that contained confidential information.  Additionally, months before the breach, Target “began installing a $1.6 million malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon” (Riley et al., 2014).  The FireEye system works by using virtual machines to create a parallel computer network.  This fools hackers into thinking that they are on real servers; when they attempt an attack, the software detects the activity and notifies monitors.  Additionally, this installation provided Target with 24-hour monitoring of its computers by security specialists in Bangalore (Riley et al., 2014).  Furthermore, on top of the FireEye installation, Target also had an internal security operations center in the U.S.  Although this is common in many other industries, it is not common in the retail segment.  Whereas other industries self-detect breaches approximately 31% of the time, the retail segment does so only 5% of the time (Riley et al., 2014).  Target was attempting to be ahead of the curve.  However, this may have led to some sense of complacency.  

When the hackers installed the malware to move the data out of the Target network, the FireEye system detected the activity and notified the security operations center (SOC) in the U.S.  When the hackers upgraded that same exfiltration software days later, the FireEye team again notified the U.S. SOC.  However, nothing happened in either case.  It wasn’t until weeks later, when the Department of Justice notified Target of unusual activity, that investigators took action.  A timeline of events can be seen in the video below.

[Video: Hacking Timeline: What Did Target Know and When? (Bloomberg News, 2014)]

Where Did Target Fail?

Based on all the evidence available, Target’s most egregious error was not adequately preparing the U.S. SOC team on how to respond in the case of an identified breach.  As stated, teams in the U.S. were notified but did not respond.    
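The failure described here and in the FireEye paragraph above is a missing response procedure rather than a missing detection. The following is an added example (not code from the original post, from Target or from FireEye) of how such a procedure can be made mechanical: every alert must be acknowledged within a severity-based SLA, and an alert nobody has acknowledged is escalated to a higher tier the longer it sits. The SLA values, tier rules, alert records and timestamps are all constructed for illustration.

```python
"""Escalation check for detection alerts that nobody acts on (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    severity: str                       # "high", "medium" or "low"
    summary: str
    acknowledged_at: Optional[datetime] = None


# Assumed acknowledgement SLAs per severity (policy values chosen for the example).
ACK_SLA = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=8),
    "low": timedelta(hours=72),
}


def overdue_alerts(alerts: List[Alert], now: datetime) -> List[Alert]:
    """Alerts that are past their acknowledgement SLA and still unacknowledged."""
    return [
        a for a in alerts
        if a.acknowledged_at is None and (now - a.raised_at) > ACK_SLA[a.severity]
    ]


def escalation_tier(alert: Alert, now: datetime) -> int:
    """Tier 1 while within SLA; tier 2 once the SLA is missed; tier 3 after 3x the SLA."""
    sla = ACK_SLA[alert.severity]
    age = now - alert.raised_at
    if alert.acknowledged_at is not None or age <= sla:
        return 1
    if age <= 3 * sla:
        return 2
    return 3


def escalate(alerts: List[Alert], now: datetime) -> Dict[str, int]:
    """Map alert_id -> escalation tier for every alert that has breached its SLA."""
    return {a.alert_id: escalation_tier(a, now) for a in overdue_alerts(alerts, now)}


# Constructed sample alerts, modelled loosely on the sequence the post describes:
# an unknown executable is detected, an updated variant is detected two days later,
# and one low-severity alert that was handled on time.
T0 = datetime(2013, 11, 30, 2, 15)
SAMPLE_ALERTS = [
    Alert("A-1001", T0, "high", "malware.binary: unknown executable installed on server"),
    Alert("A-1002", T0 + timedelta(days=2), "high", "malware.binary: updated variant of same executable"),
    Alert("A-1003", T0 + timedelta(days=1), "low", "policy: expired TLS certificate on test host",
          acknowledged_at=T0 + timedelta(days=1, hours=2)),
]


def escalate_sample(hours_after_first_alert: float) -> Dict[str, int]:
    """Run the escalation check on the sample alerts at a chosen point in time."""
    return escalate(SAMPLE_ALERTS, T0 + timedelta(hours=hours_after_first_alert))


if __name__ == "__main__":
    for alert_id, tier in sorted(escalate_sample(24 * 5).items()):
        print(f"{alert_id}: unacknowledged, escalate to tier {tier}")
```

The point of the tier function is that an unacknowledged high-severity alert cannot stay at tier 1 indefinitely; after three times its SLA it reaches management regardless of whether the analyst queue is busy.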

Additionally, Target did not secure the data in all of the information states.  As shown, the credit card data was both unencrypted and in plaintext format while in the memory of the POS device.  This created a vulnerability that could be exploited by anyone that could gain access to the POS device.   
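The RAM-scraping paragraph above and this one make the same point: the exposure is the interval during which card data sits in plaintext in POS memory. The following is an added example, not code from the original post or from any POS vendor, of the control that shortens that interval: encrypt the captured track data immediately, keep only the ciphertext for transmission, wipe the plaintext buffer, and then verify that the buffer no longer holds anything card-number-shaped. The cipher here is a keyed-stream construction built from HMAC-SHA256 so the example runs offline; a real terminal would use a hardware-backed point-to-point encryption scheme, which is assumed rather than shown. The sample track data and key are constructed.

```python
"""Shortening the plaintext window for card data in POS memory (illustrative)."""
import hashlib
import hmac
import os
import re
from typing import Tuple

NONCE_LEN = 12


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, the checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Runs of 13 to 19 ASCII digits are the only candidates worth Luhn-checking.
PAN_RUN = re.compile(rb"\d{13,19}")


def contains_pan(buf: bytes) -> bool:
    """Verification step: does a memory region still hold a Luhn-valid card number?"""
    return any(luhn_ok(m.group().decode()) for m in PAN_RUN.finditer(bytes(buf)))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks; a stand-in for a real P2PE cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_at_capture(track: bytearray, key: bytes) -> bytes:
    """Encrypt captured track data, then overwrite the plaintext buffer with zeros.

    Returns nonce || ciphertext. On return, `track` contains only zero bytes.
    """
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(track))
    ciphertext = bytes(a ^ b for a, b in zip(track, ks))
    for i in range(len(track)):         # bytearray is mutable, so this clears it in place
        track[i] = 0
    return nonce + ciphertext


def decrypt(blob: bytes, key: bytes) -> bytes:
    """Inverse of encrypt_at_capture, as the payment processor would run it."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


# Constructed sample: the well-known test PAN 4111111111111111 in a track-2-like layout.
SAMPLE_TRACK = b";4111111111111111=2512101123456789?"


def demo(key: bytes = b"constructed-demo-key") -> Tuple[bool, bool, bool]:
    """(plaintext PAN present before, present after wipe, ciphertext round-trips)."""
    buf = bytearray(SAMPLE_TRACK)
    before = contains_pan(buf)
    blob = encrypt_at_capture(buf, key)
    after = contains_pan(buf)
    return before, after, decrypt(blob, key) == SAMPLE_TRACK


if __name__ == "__main__":
    print(demo())
```

The verification call is the part a security reviewer cares about: whether a given buffer-clearing routine actually works is an empirical question about the runtime, so the check is run on the buffer after the hand-off rather than assumed.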

McCumber’s Cube

If Target had used McCumber’s model (depicted as a cube below) to evaluate their security systems, these flaws would have been evident.
[Figure: McCumber’s Cube (image not captured)]

McCumber’s model serves as a comprehensive framework by which to evaluate and establish information systems security programs.  The cube is meant to reflect the interaction between desired goals, information states, and security safeguards.  McCumber defined three desired goals: confidentiality, integrity, and availability (McCumber, 1991).  Second, McCumber defined three information states: transmission, storage, and processing.  Last, McCumber defined three types of security safeguards: technology; policy and practice; and education, training and awareness (human factors) (McCumber, 1991). 

Looking at the Target breach, the confidentiality (goal) of credit card data when it was in storage (information state) in the POS machine had nothing in the way of human factors (security/safeguard), policies and procedures (security/safeguard), or technology (security/safeguard) to protect it.  Had Target used McCumber’s cube, they would have identified this threat.

Second, the confidentiality (goal) of credit card data when it was in transmission (information state) had technology (security/safeguard) in place to protect it – the FireEye solution.  However, they were obviously lacking in the human factors and policy and procedure safeguards.  This highlights a valuable lesson about McCumber’s cube: one security measure in place for a given goal and information state combination is often insufficient.  This is the intent of the cube – to be sure each combination is evaluated for controls in each of the three security/safeguard areas.
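The two paragraphs above walk through two cells of the cube by hand. As an added example (not part of the original post, and not a record of Target’s actual control inventory), the following encodes the 3×3×3 model so the walk-through can be done for every goal and information state at once: controls are registered per (goal, state, safeguard) cell, and the report flags each goal/state pair as uncovered, covered by a single safeguard type, partially covered, or complete. The only control entered is the one the post itself names, the FireEye detection, under confidentiality/transmission/technology; the storage cell is left empty as the post describes.

```python
"""Coverage-gap report over McCumber's cube (illustrative)."""
from collections import defaultdict
from itertools import product
from typing import Dict, Iterable, List, Set, Tuple

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("transmission", "storage", "processing")
SAFEGUARDS = ("technology", "policy_and_practice", "education_training_awareness")

Cell = Tuple[str, str, str]


class McCumberCube:
    def __init__(self) -> None:
        # (goal, state, safeguard) -> descriptions of the controls in that cell
        self.cells: Dict[Cell, List[str]] = defaultdict(list)

    def add_control(self, goal: str, state: str, safeguard: str, description: str) -> None:
        if goal not in GOALS or state not in STATES or safeguard not in SAFEGUARDS:
            raise ValueError(f"unknown axis value: {goal!r}, {state!r}, {safeguard!r}")
        self.cells[(goal, state, safeguard)].append(description)

    def coverage(self, goal: str, state: str) -> Set[str]:
        """Safeguard types that have at least one control for this goal/state pair."""
        return {s for s in SAFEGUARDS if self.cells.get((goal, state, s))}

    def gaps(self, goals: Iterable[str] = GOALS, states: Iterable[str] = STATES) -> Dict[Tuple[str, str], str]:
        """Classify every goal/state pair by how many of the three safeguard types cover it."""
        labels = {0: "uncovered", 1: "single_safeguard", 2: "partial", 3: "complete"}
        return {(g, s): labels[len(self.coverage(g, s))] for g, s in product(goals, states)}


def target_card_data_cube() -> McCumberCube:
    """Populate the cube with the post's observations about card-data confidentiality."""
    cube = McCumberCube()
    # Transmission: a detection technology existed; the post finds no policy or
    # trained response behind it.
    cube.add_control("confidentiality", "transmission", "technology",
                     "FireEye malware detection with 24-hour monitoring")
    # Storage in POS memory: the post finds nothing in any safeguard category,
    # so no control is registered for that cell.
    return cube


if __name__ == "__main__":
    cube = target_card_data_cube()
    for (goal, state), status in cube.gaps(goals=("confidentiality",)).items():
        print(f"{goal}/{state}: {status:17s} safeguards={sorted(cube.coverage(goal, state))}")
```

Running it reproduces the post’s two findings directly: transmission is `single_safeguard` and storage is `uncovered`. Adding a documented alert-response procedure (policy and practice) and SOC response training (education, training and awareness) to the transmission cell is what moves it to `complete`, which is the cube’s intended standard for every combination.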

The Impact – Target

Analysts estimate that the total financial system cost of this breach runs into the billions (Riley et al., 2014).  As many as one out of every three U.S. online consumers was impacted in some way (Riley et al., 2014).  More than 90 lawsuits have been filed (Riley et al., 2014).  The direct costs to Target were estimated to be $61 million according to its 2013 fourth quarter report to investors (Riley et al., 2014).  However, the biggest cost to Target was in lost sales.  “Target’s profit for the holiday shopping period fell 46 percent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008” (Riley et al., 2014).  Because of the losses sustained and the reputation damage, Target's CEO has stepped down after 35 years of service, and stock prices continue to slip (video below).

[Video: Target CEO Gregg Steinhafel Resigns Post-Customer Data Breach (The Street, 2014)]

Additionally, Target has begun to implement new “chip and pin” technology for its credit card transactions.  While this sounds good in assuaging consumer fears, security experts contend that this will not stop the type of hack that caused the breach.  That is because during this type of transaction, the data can still be transmitted from the POS device unencrypted and in plaintext (Daly, 2014).  Given this, Target does not seem to have learned its lesson about overreliance on technology-based solutions.  Instead, they should employ an analysis using McCumber’s model and ensure their other controls are adequate.

The Impact – FireEye

Despite the losses by the U.S. consumer and by Target, there was one winner from the breach – FireEye.  After it was revealed that FireEye detected the breach and had automation that could have automatically prevented it (which Target had chosen to turn off), FireEye’s name was in the clear from a competence standpoint.  Additionally, the breach yielded a large amount of publicity on the topic of cybersecurity and the FireEye solution.  This resulted in the stock increasing 40% by March of 2014 (Sheridan, 2014).  Additionally, “spending on cybersecurity software is expected to grow 15% annually over the next several years” (Sheridan, 2014).  That could translate into significant revenue growth for FireEye in the next several years.

Conclusion

Despite the fact that McCumber’s model was created over 20 years ago, we can see that it remains relevant today.  Using the example of Target, it is easily shown that McCumber’s model, if used, would have allowed the vulnerabilities to be detected.  Although Target made significant investments in security, their lack of a comprehensive approach created vulnerabilities which could be exploited.  As with many implementations of technology, it is important to consider the policies and procedures that dictate behavior and also the human factors that allow them to be executed.


References

Bloomberg News. (2014, March 14). Hacking Timeline: What Did Target Know and When? YouTube. Retrieved on July 14, 2014 from http://www.youtube.com/watch?v=M5tl4Yf92Nk

Committee on Commerce, Science, and Transportation. (2014, March 26). A “Kill Chain” Analysis of the 2013 Target Data Breach. Majority Staff Report for Chairman Rockefeller. Retrieved on July 20, 2014 from http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883

Daly, J. (2014, January 14). Experts Differ on Whether EMV Chip Cards Provide Data-Breach Immunity. Digital Transactions. Retrieved on July 14, 2014 from http://digitaltransactions.net/news/story/Experts-Differ-on-Whether-EMV-Chip-Cards-Pro

McCumber, J. (1991, October). Information Systems Security: A Comprehensive Model. Proceedings of the 14th National Computer Security Conference.

Riley, M., Elgin, B., Lawrence, D. and Matlack, C. (2014, March 13). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Businessweek. Retrieved on July 14, 2014 from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Sheridan, P. (2014, March 27). FireEye: Winner from Target data breach? CNN Money. Retrieved on July 14, 2014 from http://buzz.money.cnn.com/2014/03/27/fireeye-cybersecurity-after-target-breach/

The Street. (2014, May 5). Target CEO Gregg Steinhafel Resigns Post-Customer Data Breach. YouTube. Retrieved on July 23, 2014 from http://youtu.be/bKxyETHsdvc
