November 25, 2016
Target Security Breach and the Value of Pentesting
Since it’s Black Friday, I thought it only fitting to revisit the infamous Target security breach of holiday shopping seasons past. For Cybrarians, there’s a lot to take from the case, particularly in the areas of pentesting and fundamental network security best practices. And then there are the painful lessons about the high cost of being lax, and basically clueless, when it comes to protecting an organization’s most valuable assets: money and the public trust.

The breach occurred between November 27 and December 15 of 2013, commencing two days prior to Black Friday of that year. Target removed the malware on December 15 and publicly confirmed the breach on December 19, 2013, a day after Brian Krebs first reported it, but a full accounting of the attack in terms of the total number of compromised cards and the details of how the caper was pulled off took several more months and even years to emerge. Some details of the breach remain a mystery to this day, such as who was behind it.

First, we should examine what was stolen and the numbers involved. Initial reports indicated that 40 million credit and debit card numbers were stolen. Things got worse for both Target and its victimized customers when it was revealed in January 2014 that another 70 million customers also had their personal info compromised: names, mailing addresses, phone numbers and email addresses. That potentially set these unfortunate folks up for targeted phishing and identity fraud in addition to fraudulent charges on their cards.

The specifics of the breach play out less like a planned assault than like an opportunistic chain of events. The hacker(s) didn’t set out to target Target. The big box retailer was caught up in the broad net cast by a phishing campaign initiated several weeks earlier. Malware since identified as Citadel, a password-stealing banking trojan, was sent to multiple recipients. One of those hapless recipients was Fazio Mechanical, an HVAC vendor contracted by none other than Target Corporation.
Citadel captured Fazio Mechanical’s credentials for a Target backend system (since identified as Target’s Ariba vendor portal), and from there the hackers were off to the races. They moved from the vendor-facing application into Target’s internal network and spent the next two and a half weeks scraping customer card data, which they in turn sold on the black market.

A full analysis of the specifics of the Target breach was laid out by the most awesome Brian Krebs on his equally awesome KrebsOnSecurity blog. In essence, Target committed the cardinal network security sin of failing to segment its network. SMH! Once on Target’s corporate network, the hackers had essentially unfettered access to everything, including the Point of Sale (POS) terminals at every Target store. At that point another piece of malware, later identified as BlackPOS, was installed on Target’s POS terminals. BlackPOS is a memory scraper: it reads card track data out of the POS software’s RAM, where the data sits unencrypted for a moment after the swipe, stages it on an internal server, and periodically exfiltrates it. The subsequent pentesting report prepared by Verizon (more about that in a moment) revealed that Verizon’s testers were able to communicate directly with cash registers in checkout lanes in one store after compromising a deli meat scale located in a different store. Let that sink in for a moment!

As the dust was just beginning to settle on one of the largest retail card breaches on record, Target enlisted Verizon to conduct pentesting of its network and systems. What they found was an appalling lack of basic security measures, all the more glaring for a company of Target’s size and stature in the retailing industry. The assessment ran from December 21, 2013 to March 1, 2014. A key finding was that the testers encountered “no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.” As bad as it was for the hackers to gain a foothold via the Ariba portal, things could have been contained at that point if network access had been limited by proper segmentation: firewalls or ACLs between the vendor-facing systems, the corporate network and the store networks, with a default-deny policy between zones.
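To make the segmentation point concrete, here is an added example (not code from this post, from Target or from Verizon) that models the difference between “no controls limiting access” and a default-deny allow list between network zones. The zone names, address ranges, allowed flows and sample traffic are all assumptions made up for illustration; the two “bad” flows are modelled on the vendor-portal-to-register and scale-to-register paths described above.

```python
"""Flat network vs. segmented network, as a zone-based flow policy.

Added example, not code from the post or from Target/Verizon. The zone names,
address ranges, allowed flows and sample traffic are assumptions made up for
illustration. The point is the gap between "no controls limiting access"
(every flow allowed) and a default-deny allow list between zones.
"""
import ipaddress

# Assumed address plan. A real design would carve each store into its own
# zone; one zone per device class is enough to show the idea.
ZONES = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),   # vendor-facing apps
    "corp":          ipaddress.ip_network("10.20.0.0/16"),
    "payment_gw":    ipaddress.ip_network("10.30.0.0/24"),   # where registers send auths
    "store_pos":     ipaddress.ip_network("10.100.0.0/16"),  # registers
    "store_devices": ipaddress.ip_network("10.101.0.0/16"),  # scales, kiosks, HVAC
}

# Segmented policy: explicit allow list of (src_zone, dst_zone, dst_port).
# Anything not listed is denied. Entries are assumptions for the example.
ALLOWED_FLOWS = {
    ("corp", "vendor_portal", 443),    # staff use the vendor portal
    ("store_pos", "payment_gw", 443),  # registers talk only to the payment gateway
    ("corp", "store_pos", 22),         # admin path via a corp jump host
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it fits no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def flat_policy(src: str, dst: str, port: int) -> bool:
    """What 'no controls limiting their access to any system' amounts to."""
    return True


def segmented_policy(src: str, dst: str, port: int) -> bool:
    """Default deny between zones; only listed (src, dst, port) triples pass."""
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d):
        return False      # unclassified address: deny, then fix the address plan
    if s == d:
        return True       # intra-zone traffic (still worth filtering in practice)
    return (s, d, port) in ALLOWED_FLOWS


# Constructed sample traffic modelled on the paths described in the post.
SAMPLE_FLOWS = [
    ("10.10.0.5",   "10.100.3.20", 445),  # vendor-portal host -> store register (SMB)
    ("10.101.7.9",  "10.100.7.10", 445),  # deli scale -> register in another store
    ("10.100.3.20", "10.30.0.10",  443),  # register -> payment gateway (legit)
    ("10.20.1.4",   "10.10.0.5",   443),  # corp workstation -> vendor portal (legit)
]


def evaluate(policy, flows=SAMPLE_FLOWS):
    """Return the allow/deny verdict of `policy` for each flow, in order."""
    return [policy(src, dst, port) for src, dst, port in flows]


def newly_blocked(flows=SAMPLE_FLOWS):
    """Flows a flat network permits that segmentation would have stopped."""
    return [f for f in flows if flat_policy(*f) and not segmented_policy(*f)]


if __name__ == "__main__":
    for flow, flat, seg in zip(SAMPLE_FLOWS, evaluate(flat_policy),
                               evaluate(segmented_policy)):
        print(f"{flow}: flat={'allow' if flat else 'deny'} "
              f"segmented={'allow' if seg else 'deny'}")
```

Run it and both attack paths come back as denied under the segmented policy while the two legitimate flows still pass; that allow list is what a firewall or router ACL between the zones would enforce.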
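A memory scraper like BlackPOS only works because track data passes through the POS process in the clear, and the same fact is what a responder uses to confirm what was exposed. The following is an added example (not code from this post, from Krebs’ reporting or from Verizon) of the check an incident responder runs over a dumped POS process or a suspected staging file: find ISO 7813 Track 1 and Track 2 records and Luhn-validate the PANs to weed out false positives. The sample buffer is constructed, and the card numbers in it are the publicly documented test PANs, not real cards.

```python
"""Scan a memory buffer for magnetic-stripe track data and Luhn-check the PANs.

Added example, not code from the post, from Krebs' reporting or from Verizon.
The sample buffer below is constructed; the card numbers are the publicly
documented Visa/MasterCard test PANs, not real cards.
"""
import re

# Track 2 (ISO/IEC 7813): ;PAN=YYMM SSS discretionary?
TRACK2_RE = re.compile(rb';(\d{13,19})=(\d{4})(\d{3})\d*\?')
# Track 1 format B: %B PAN ^ SURNAME/GIVEN ^ YYMM SSS discretionary?
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?')


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four only; never write full PANs into a report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return one finding per track record, ordered by offset in the buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"offset": m.start(), "track": 2, "pan": mask(pan),
                     "expiry": m.group(2).decode(), "luhn": luhn_ok(pan)})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"offset": m.start(), "track": 1, "pan": mask(pan),
                     "name": m.group(2).decode(errors="replace"),
                     "expiry": m.group(3).decode(), "luhn": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


def confirmed_card_data(buf: bytes) -> list:
    """Findings whose PAN is Luhn-valid; the rest are likely false positives."""
    return [h for h in find_track_data(buf) if h["luhn"]]


# Constructed stand-in for a POS process memory dump: filler bytes around two
# well-formed track records and one decoy whose check digit is wrong.
SAMPLE_DUMP = (
    b"\x00" * 32 + b"pos.exe\x00\x00"
    + b";4111111111111111=2512101000000000000?"           # Track 2, Visa test PAN
    + b"\xff\x00" * 8
    + b"%B5555555555554444^DOE/JANE^2512101000000000?"    # Track 1, MC test PAN
    + b"\x00" * 8
    + b";4111111111111112=2512101000000000000?"           # decoy: fails Luhn
    + b"\x00" * 32
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```

The Luhn filter matters in practice: memory is full of digit runs that happen to look like a PAN, and reporting masked, Luhn-valid hits with their offsets is what lets you tie a finding back to the process and the time window without copying card data into your case notes.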
Verizon’s pentesting also found many instances of critical networking devices and servers still using default or easily guessed passwords, and the testers were able to crack a large share of the password hashes they harvested. Any of the many network security certification training courses here on Cybrary.it will have a module underscoring the importance of not leaving devices in their default state. Doing so just makes things way too easy for attackers.

Three years hence, Target has almost fully recovered from the data breach of 2013, but at what cost? The drop in Target’s share price at the end of 2013 essentially wiped out the profits of the 2013 holiday shopping season. It’s called Black Friday for a reason: it marks the time of year when a retailer moves “into the black” financially. Several class action suits arose in the wake of the breach; the consumer class action alone cost Target $10 million, settlements with Visa, MasterCard and the issuing banks added tens of millions more, and Target’s own filings later put cumulative breach-related expenses in the hundreds of millions of dollars. CIO Beth Jacob resigned in March 2014, and CEO Gregg Steinhafel was forced to step down in May 2014. It was a symbolic sacrifice, but the captain usually goes down with the ship in such cases, albeit in the corporate world with a golden parachute rather than a life preserver.

Victimized customers in most cases were absolved of the fraudulent charges that resulted from the breach and were also offered one year of free credit and identity theft monitoring. The other big losers were the banks and financial institutions forced to bear the not-insignificant cost of reissuing cards. At least Target has since beefed up its IT security management team and network defenses, and has fully rolled out EMV (Europay, MasterCard, Visa) POS terminals with chip readers.

And who was behind this massive data breach? A young Russian programmer was publicly named as the author of the BlackPOS malware used to infect Target’s POS terminals (early reports described a 17 year old; the attribution was later revised), but the perpetrators of the attack itself continue to elude discovery.
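The default-password finding is the easiest of Verizon’s results to reproduce on your own network, and it does not need a live login sweep: if you can export device credential stores, you can audit them offline. Here is an added example (not code from this post or from Verizon’s assessment) of that audit. It assumes a constructed inventory in which each device stores a salted SHA-256 of its admin password, which is a simplification of real vendor formats chosen so the example runs offline, and its candidate list stands in for the vendor-default and top-N weak password lists a pentester tries first; the entries are illustrative assumptions, not a claim about any vendor’s real default.

```python
"""Offline audit of exported device credentials against a default/weak list.

Added example, not code from the post or from Verizon's assessment. The
inventory is constructed and the storage format (hex of sha256(salt||pw)) is
an assumed simplification; the candidate entries are illustrative, not a
claim about any vendor's actual default.
"""
import hashlib

WEAK_AND_DEFAULT = [
    "admin", "password", "Password1", "123456", "default",
    "changeme", "letmein", "cisco", "root",
]


def hash_pw(salt: bytes, password: str) -> str:
    """Assumed storage format: hex(sha256(salt || password))."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def sample_device(name: str, salt: bytes, password: str) -> dict:
    """Build one constructed record; a real audit would parse a config export."""
    return {"device": name, "salt": salt, "hash": hash_pw(salt, password)}


# Constructed inventory: three devices left at default/weak, one done properly.
INVENTORY = [
    sample_device("core-switch-01",   b"\x01\x02", "cisco"),
    sample_device("store-router-118", b"\x03\x04", "admin"),
    sample_device("deli-scale-gw-07", b"\x05\x06", "default"),
    sample_device("jump-host-02",     b"\x07\x08", "Qv8!r3Lp#2zT-nope"),
]


def audit(inventory, candidates=WEAK_AND_DEFAULT):
    """Return (device, matched_password) for every device on the weak list.

    Per-device salts mean the candidate list is hashed once per device. That
    is still trivially cheap, which is the whole point: hashing a default
    password only costs the attacker milliseconds.
    """
    findings = []
    for dev in inventory:
        table = {hash_pw(dev["salt"], c): c for c in candidates}
        hit = table.get(dev["hash"])
        if hit is not None:
            findings.append((dev["device"], hit))
    return findings


if __name__ == "__main__":
    for device, pw in audit(INVENTORY):
        print(f"{device}: default/weak password in use ({pw!r})")
```

Swap the constructed inventory for a parser over your own exports and the candidate list for the published default-credential lists, and the loop is the same; anything this finds is something an attacker with network reach finds too, which is why the fix is to change the password and to take away the reach.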
The exfiltrated card data has been traced to servers in Russia, other countries in Eastern Europe, and Brazil.

The Target security breach of 2013 is a textbook illustration of why network segmentation, credential hygiene and continuous pentesting matter. Target’s IT and InfoSec teams dropped the ball in a myriad of ways. Sure, the executives and board did an admirable job of cleaning up the resulting mess, but Target’s image is forever tarnished as a result. It’s a dubious distinction to be held up as a case study in how to leave your network wide open and your guests’ PII served up on a silver platter for the taking. This Black Friday, despite the trend of declining in-store holiday shopping, I wish Target only the best. I like Target. I shop there regularly. The final lesson businesses and Cybrarians can take away from Target’s misfortune of 2013 is “you can pay me now, or put it on layaway.”