Information Security Strategy: A Lesson from the Target Breach

Over the past few weeks, new revelations have provided greater insight into the breach of Target Corp. over the holiday shopping season.  Notable among the recent news is the assertion that the cybercriminals behind the Target breach initiated their infiltration through HVAC vendor Fazio Mechanical (http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/).  It is believed that the cybercriminals staged a phishing attack against Fazio Mechanical in order to steal credentials to access Target’s network remotely (http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/).  Allegedly, these access credentials were used to infiltrate systems used to perform electronic billing, contract submission, and project management for Target vendors.  From these systems, the attackers may have been able to gain access to the information systems used for processing payment card information, resulting in the reported theft of cardholder data.  While many details about the Target breach remain to be uncovered, important lessons may be learned at this point.

The recent assertions have triggered some controversy whether Target had safeguards in place to properly mitigate risks to cardholder data arising from vendors.  Questions raised have included the following.

• Were vendors such as Fazio required to use two-factor authentication?
• What steps should be taken to supervise vendor activity within a company’s network?
• How should companies assess the security program of vendors and ensure that appropriate security controls remain in place throughout the vendor relationship?

These are all important issues to be addressed by companies when dealing with the risks introduced by vendor relationships.  Moreover, these are issues commonly covered by government regulations (such as the Massachusetts security regulations, 201 CMR 17.00) and industry self-regulatory standards (such as PCI-DSS).

Addressing these issues can be quite burdensome for large enterprises that have a wide array of vendors, many of which have no particular reason to access sensitive information.  Conducting assessments and managing safeguards for vendors that have no compelling reason to access sensitive information could be very costly.  Therefore, it is easy to understand how such a vendor could be missed in a large enterprise security program.

It may be common to think of technological tools and organizational policies and procedures when dealing with information security.  However, a strategy for enterprise security should be developed first.  This strategy should be based upon a thorough analysis of the threats faced by the enterprise, the potential impact (legal, financial, and reputational) of those threats, and all the resources available to address the threats.  Such a strategic approach to security should help enterprises find the most efficient ways to mitigate security risks.  An enterprise may find that issues that appear to be vendor and workforce management problems at first glance can be better mitigated through access management.

Accordingly, the costs of maintaining a security program can be substantially mitigated by limiting the scope of systems that handle sensitive information.  Users (both internal and external) that have no legitimate business need to access sensitive information should be excluded from systems handling sensitive information.  Isolating systems that handle sensitive information from the rest of the corporate network can allow enterprises to focus their security and compliance efforts where they are needed most.  Therefore, a company that handles payment card transactions need not implement all the requirements of PCI-DSS across their entire network, workforce, and vendor community. PCI-DSS compliance may be focused upon the subset of systems, workforce members, and vendors that must be involved in payment card transactions.

One way to implement this approach would be to segregate all systems handling sensitive information into a subnetwork, separated from other network assets by firewalls.  (Perhaps the most common use of such “network segmentation” is the creation of subnetworks that handle direct communication between a corporate network and the Internet often called demilitarized zones or DMZs).  Access to the sensitive subnet may be denied by default.  User accounts granting access to the subnet may be provided only with prior approval of appropriate managers.  Even system administrators may be required to use a separate user account for managing systems within the subnet so that compromise of the account used to manage non-sensitive systems does not immediately compromise the sensitive subnet.  In addition, security professionals could aggressively police the subnet because the universe of acceptable ordinary behavior would be quite limited.

The appropriateness of network segmentation depends greatly upon the unique circumstances of an enterprise.  It certainly does not redress all security risks.  Nevertheless, this is an example of how a strategic view can help enterprises maximize the efficiency and effectiveness of their security programs and mitigate the likelihood and impact of incidents.