Lessons learned from Target’s data breach
By Lynn Greiner
Unless you’ve been living in a cave, you’ve heard about the Target data breach. But in case you missed it, over about three weeks, from Thanksgiving to mid-December last year, approximately 40 million credit and debit card accounts used in US Target stores were compromised. A fraud analyst with Gartner estimates Target’s loss from the fiasco at up to $420 million in customer service costs, possible fines from card issuers, and reimbursement to banks for their costs – re-issuing 40 million cards isn’t cheap!
That’s scary enough, but the reason for the breach is even scarier. According to security blogger Brian Krebs, the hackers were able to do their damage because of a basic network segmentation error. He reported that the crooks broke into Target’s network with credentials stolen from a third-party supplier. That’s bad enough. But the reason they got as far as they did was worse: Krebs suggests that the network was not segmented to isolate the payment systems. And because the payment systems were accessible, the hackers were able to install malware on them that scooped the card numbers and PINs from those unfortunate 40 million customers.
We may never know the entire story, but I’ll bet there are some very unhappy network admins at Target (assuming whoever architected the network is even still employed there). And while the whole mess is bad for them, the lessons it teaches can save others from a similar fate.
The first lesson is, don’t skimp on design. Target could have been spared a lot of grief had it built a properly segmented network and had a better authentication scheme (there’s a lot to be said for multi-factor authentication). Hindsight is 20/20; the trick is to think of potential flaws and remedy them before a single wire is pulled, or a single router is installed.
The second lesson is, don’t skimp on staff training. Even if you understand the risks, if you don’t know the right way to set up the network to mitigate them, you’re still in trouble. Consider how many outages are traced to misconfigured network equipment, and how much those outages cost; it’ll make the price of a class seem trivial in comparison. And the same goes for servers, and Active Directory, and all of the other plumbing involved in IT infrastructure – you’ve got to know what you’re doing, understand best practices, and be able to implement them properly. Even if it doesn’t save you $420 million, it could save your job!
About the Author
Lynn Greiner is a freelance journalist specializing in information technology and business topics. She is also an IT professional, giving her real-world experience that allows her to cut through the hype and address topics that are relevant in the business world. Her articles have been published in both print and online publications, including itWorld Canada, Computer Dealer News, CIO.com, DevSource, Canadian Security, ACM netWorker, Security Matters, GlobeTechnology.com, Canadian Technology and Business, InformIT, Computing Canada, and many others. Find her @LynnGr.
Author's Website: http://itwriter.com/