Target Attack: Vigilance Remains Vital

Tuesday, February 4, 2014 @ 10:02 AM gHale

While the result of the attack on Target is well known and the residual collateral damage remains murky for the most part, some of the intricate details of the attack are only now starting to emerge.

After undergoing forensic investigation, Target Corp. said the theft of a vendor’s credentials helped the attackers pull off the massive theft of customer data over the holiday shopping season.

The breach resulted in the theft of 40 million credit and debit card records and 70 million other records with customer information such as addresses and telephone numbers.

“The ongoing forensic investigation has indicated that the intruder stole a vendor’s credentials, which were used to access our system,” said Target spokeswoman Molly Snyder. She declined to elaborate on what type of credentials were taken, who the vendor was, or to provide other details.

This is another indication that companies, whether retailers like Target or manufacturers, need to have a security plan and need to be aware of their vendors’ approach. While companies will not stop a targeted attack, if they remain vigilant they will recognize when something is awry on their systems.

U.S. cyber security officials say that while states have created a hodgepodge of local rules requiring businesses to report breaches of consumer data to authorities and the public, there are no similar federal requirements.

Congress has been wrestling for years with proposals for legislation on data security but has been unable to reach agreement. There is no national standard to govern how and when businesses that suffer consumer data breaches must advise their customers and federal agencies.

While Congress remains stymied over what to do about cyber security on many fronts, in the critical infrastructure environment President Barack Obama issued Executive Order 13636.

Because of the growing concerns over continued cyber attacks on U.S. national infrastructure, such as the electric grid, water systems, transportation networks, banks and financial institutions, and critical manufacturing, the Executive Order, entitled “Improving Critical Infrastructure Cybersecurity,” came out February 12, 2013.

The EO called for development of a voluntary Cybersecurity Framework to provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to help organizations responsible for critical infrastructure services manage cybersecurity risk.

Critical infrastructure is defined in the EO as “systems and assets – whether physical or virtual – so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

The National Institute of Standards and Technology (NIST) is in the process of developing the Framework with industry feedback. The Framework should provide guidance to an organization on managing cyber security risk. A key objective of the Framework is to encourage organizations to consider cyber security risk as a priority similar to financial, safety and operational risk, while factoring in larger systemic risks inherent to critical infrastructure.

Meanwhile, as a result of the Target attack and the aftermath, U.S. Attorney General Eric Holder said the Department of Justice was investigating the hack.

Holder, testifying at a Senate Judiciary Committee hearing, said the Justice Department would seek the perpetrators of the Target breach as well as “any individuals and groups who exploit that data via credit card fraud.”

“While we generally do not discuss specific matters under investigation, I can confirm the department is investigating the breach involving the U.S. retailer, Target,” Holder said.

The Secret Service has taken the lead investigating the breaches at Target and other retailers, including Neiman Marcus and Michaels, the largest U.S. arts and crafts retailer.
