Missed opportunities and lessons learned

Reference no: EM131939635

Question: After reading the article below give your opinion on the following:

How did Target run its POS system?

How could this be prevented?

Anatomy of the Target data breach: Missed opportunities and lessons learned

Target hasn't publicly released all the details of its 2013 data breach, but enough information exists to piece together what likely happened and understand how the company could have prevented the hack.

By Michael Kassner 

Target's infamous data breach happened just over a year ago. Are we any the wiser? Have lessons been learned? Although not every detail has been made public, experts have developed an unofficial attack timeline that exposes critical junctures in the attack and highlights several points at which it could have been stopped.

The attack started on November 27, 2013. Target personnel discovered the breach and notified the U.S. Justice Department by December 13th. As of December 15th, Target had a third-party forensic team in place and the attack mitigated. On December 18th, security blogger Brian Krebs broke the story in this post. "Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records," mentioned Krebs. "The sources said the breach appears to have begun on or around Black Friday 2013 -- by far the busiest shopping day of the year."

Then things became interesting. Target informed about 110 million credit/debit-card wielding shoppers, who made purchases at one of the company's stores during the attack, that their personal and financial information had been compromised. To put that in perspective, the attackers pilfered 11 gigabytes of data.

Anatomy of the attack

Now let's look at the sequence of events that precipitated the data breach. Had any of these steps been noticed and countered, the attack would likely have fallen apart.


1. Preliminary survey

We don't know for certain if or how the attackers performed reconnaissance on Target's network prior to the attack, but it wouldn't have required much more than a simple internet search.

Teri Radichel in this GIAC (GSEC) dissertation explains how the attackers may have gleaned information about Target's infrastructure. "Reconnaissance would have revealed a detailed case study on the Microsoft website describing how Target uses Microsoft virtualization software, centralized name resolution, and Microsoft System Center Configuration Manager to deploy security patches and system updates," writes Radichel. "The case study also describes Target's technical infrastructure, including POS system information."


The internet provides additional clues. "A simple Google search turns up Target's Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc.," adds Krebs in this blog post. After drilling down, Krebs found a page listing HVAC and refrigeration companies.

2. Compromise third-party vendor

The attackers backed their way into Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one. That happened to be Fazio Mechanical, a refrigeration contractor.

A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for -- Fazio Mechanical's login credentials.

At the time of the breach, all major enterprise anti-malware products detected the Citadel malware. Unsubstantiated sources mentioned that Fazio used the free version of Malwarebytes anti-malware, which, being an on-demand scanner, offered no real-time protection. (Note: Malwarebytes anti-malware is highly regarded by experts when used in the correct manner.)

Chris Poulin, a research strategist for IBM, in this paper offers some suggestions. Target should demand that vendors accessing their systems use appropriate anti-malware software. Poulin adds, "Or at least mandate two-factor authentication to contractors who have internal access to sensitive information."

3. Leveraging Target's vendor-portal access

Most likely Citadel also gleaned login credentials for the portals used by Fazio Mechanical. With those in hand, the attackers got to work figuring out which portal to subvert and use as a staging point into Target's internal network. Target hasn't officially said which system was the entry point, but the Ariba portal was a prime candidate.

Brian Krebs interviewed a former member of Target's security team regarding the Ariba portal, "Most, if not all, internal applications at Target used Active Directory (AD) credentials and I'm sure the Ariba system was no exception," the administrator told Krebs. "I wouldn't say the vendor had AD credentials, but internal administrators would use their AD logins to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another."

Poulin suggests several attack scenarios, "It's possible that attackers abused a vulnerability in the web application, such as SQL injection, XSS, or possibly a 0-day, to gain a point of presence, escalate privileges, then attack internal systems."

Not knowing the details makes it difficult to offer a remediation for this portion of the attack. However, Poulin opines that IPS/IDS systems, if in place, would have sensed the inappropriate attack traffic, notifying Target staff of the unusual behavior. According to this Bloomberg Business article, a malware detection tool made by the computer security firm FireEye was in place and sent an alarm, but the warning went unheeded.

4. Gain control of Target servers

Again, Target hasn't said publicly how the attackers undermined several of their internal Windows servers, but there are several possibilities.

Radichel in the SANS dissertation offers one theory. "We can speculate the criminals used the attack cycle described in Mandiant's APT1 report to find vulnerabilities," mentions Radichel. "Then move laterally through the network... using other vulnerable systems."

Gary Warner, founder of Malcovery Security, feels the servers fell to SQL-injection attacks. He bases that on the many similarities between the Target breach and those perpetrated by the Drinkman and Gonzalez data-breach gang, which also used SQL injection.

5. Next stop, Target's point of sale (POS) systems

This iSIGHT Partners report provides details about the malware, code-named Trojan.POSRAM, used to infect Target's POS system. The "RAM-scraping" portion of the POS malware grabs credit/debit card information from the memory of POS devices as cards are swiped. "Every seven hours the Trojan checks to see if the local time is between the hours of 10 AM and 5 PM," mentions the iSIGHT Partners report. "If so, the Trojan attempts to send winxml.dll over a temporary NetBIOS share to an internal host (dump server) inside the compromised network over TCP port 139, 443 or 80."

This technique allowed attackers to steal data from POS terminals that lacked internet access.

Once the credit/debit card information was staged on the dump server, the POS malware sent a specially crafted ICMP (ping) packet to a remote server, signalling that data was waiting on the dump server. The attackers then moved the stolen data to off-site FTP servers and sold their haul on the digital black market.
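Steps 5 and 6 together describe a recognisable network pattern: many POS terminals writing to one internal host over NetBIOS/SMB during business hours, and that same host then pinging and uploading to the internet. The following is an added example, not code from the article or from Target, of detection logic that looks for exactly that chain in flow logs. The log format, the POS subnet, the allowed POS management server and the sample flow records are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed network layout (not Target's): POS terminals live in one VLAN and should
# only ever talk SMB/NetBIOS to a single, known POS management server.
POS_SUBNET = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_SMB_SERVERS = {ipaddress.ip_address("10.1.1.5")}
SMB_PORTS = {139, 445}
POSRAM_WINDOW = (10, 17)   # iSIGHT: the Trojan only ships data between 10 AM and 5 PM


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Constructed flow-log format: '<ISO timestamp> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def analyse(lines) -> list:
    """Return alerts for POS->dump-server staging and for the dump server calling out."""
    alerts = []
    stagers = defaultdict(set)   # internal host -> POS terminals that wrote to it over SMB
    for line in lines:
        f = parse_flow(line)
        src, dst = f["src"], f["dst"]
        # Rule 1: a POS terminal opening an SMB/NetBIOS session to anything but the
        # management server. The business-hours flag mirrors the POSRAM schedule.
        if (src in POS_SUBNET and f["proto"] == "tcp" and f["dport"] in SMB_PORTS
                and dst not in ALLOWED_SMB_SERVERS):
            stagers[dst].add(src)
            in_window = POSRAM_WINDOW[0] <= f["ts"].hour < POSRAM_WINDOW[1]
            alerts.append({"rule": "POS_SMB_TO_UNEXPECTED_HOST", "ts": f["ts"],
                           "src": str(src), "dst": str(dst), "business_hours": in_window})
        # Rule 2/3: a host that collected POS data now beacons (ICMP) or uploads (FTP)
        # to the internet. Correlating on the staging set keeps ordinary pings quiet.
        elif is_internal(src) and not is_internal(dst) and src in stagers:
            if f["proto"] == "icmp":
                alerts.append({"rule": "STAGER_ICMP_BEACON", "ts": f["ts"],
                               "src": str(src), "dst": str(dst),
                               "pos_sources": len(stagers[src])})
            elif f["proto"] == "tcp" and f["dport"] == 21:
                alerts.append({"rule": "STAGER_FTP_EXFIL", "ts": f["ts"],
                               "src": str(src), "dst": str(dst), "bytes": f["bytes"]})
    return alerts


# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_FLOWS = [
    "2013-12-02T10:15:00 10.50.3.21 10.1.1.5 tcp 445 2048",          # normal: mgmt server
    "2013-12-02T11:03:14 10.50.3.21 10.1.20.9 tcp 139 1048576",      # POS -> dump server
    "2013-12-02T11:04:02 10.50.7.88 10.1.20.9 tcp 139 983040",       # second terminal
    "2013-12-02T18:04:02 10.50.7.88 10.1.20.9 tcp 139 983040",       # outside the window
    "2013-12-02T11:30:00 10.1.20.9 203.0.113.10 icmp 0 64",          # beacon to attacker
    "2013-12-02T11:31:00 10.1.20.9 203.0.113.10 tcp 21 2147483648",  # FTP upload
    "2013-12-02T11:32:00 10.1.30.4 198.51.100.7 icmp 0 64",          # unrelated ping: quiet
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(alert)
```

Flow records carry no file names, so the winxml.dll indicator from the iSIGHT report is not something this logic can see; the point is that the staging pattern itself (POS terminals talking SMB to a host that is not the management server) is visible from netflow alone, and firewall rules that only permit POS-to-management-server SMB would have blocked it outright rather than just alerted on it.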

Lessons learned

As a result of the breach, Target has tried to improve security. A corporate webpage describes changes made by the company regarding their security posture, including the following:

  • Improved monitoring and logging of system activity
  • Installed application whitelisting on POS systems
  • Implemented POS management tools
  • Improved firewall rules and policies
  • Limited or disabled vendor access to their network
  • Disabled, reset, or reduced privileges on over 445,000 Target personnel and contractor accounts
  • Expanded the use of two-factor authentication and password vaults
  • Trained individuals on password rotation

If these changes have been implemented as Target describes, they would help address the weaknesses exploited during the attack.

However, the attackers demonstrated extraordinary capabilities by exfiltrating data from a complex retail network, as noted in this paper (courtesy of Brian Krebs) by Keith Jarvis and Jason Milletary of Dell SecureWorks Counter Threat Unit, which makes their conclusion all the more poignant. "This level of resourcefulness points to the current value for credit-card data in the criminal marketplace," mentions the paper. "And similar breaches will be common until fundamental changes are made to the technology behind payment cards."
