AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Security Zoning and Its Role in the Target Breach
More information is coming out on the Target breach, and a key takeaway is to reexamine the importance of security zoning. It is being reported that the origin of the unauthorized access was a third party and that, from there, the cyber-criminals moved through Target’s network to the Point of Sale (POS) systems, where malware was placed to collect unencrypted card data. What’s come out is that these cyber-criminals stole the login credentials of the third-party vendor, an HVAC company, which may have opened up access to far more of the network than should have been allowed, including access to an external billing system and a contract submissions portal.

One major takeaway is that it appears that security best practices were not followed in terms of network segmentation. Let’s look at what went wrong from a security zoning and PCI DSS perspective and what organizations should do to not fall into this trap:

  1. PCI DSS specifically calls out the following on network segmentation: “Network segmentation of, or isolating (segmenting), the cardholder data environment (CDE) from the remainder of an entity’s network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:
    • The scope of the PCI DSS assessment
    • The cost of the PCI DSS assessment
    • The cost and difficulty of implementing and maintaining PCI DSS controls
    • The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

    Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment… To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”

    Clearly, it is a best practice to separate the networks and servers that perform credit card transactions and store card data from any other network or server not involved in that process. In the case of the Target breach, the POS systems and databases should have been completely separated from the HVAC company’s servers, where the attackers initially gained unauthorized entry. A good and common practice is to put stringent constraints around the “PCI Zone”, allowing connectivity for as few servers and networks as possible, since the security requirements for the “PCI Zone” are much greater than for the rest of the network. Firewall policies and VLANs provide a way to achieve this segregation for both physical and virtual servers, and then, of course, you need security policies that enforce this separation.

  2. A sound security policy entails segmenting the network into multiple zones with varying security requirements and enforcing a rigorous policy of what is allowed to move from zone to zone, aka a “zoning policy”. Anything designated in the PCI zone should be isolated from the rest of the network as much as is reasonable. The challenge here is that building a large matrix with many semi-segregated zones, setting a policy for allowed traffic between zones, and enforcing it is not trivial: where this is done at all, it is performed manually and requires a ton of effort. Organizations can’t overlook the importance of enforcing zoning policies, because security changes can erode a defined policy over time as an unintended consequence. Bringing automation into the security change process around zoning policies lets a security architect define the policy once and then have it continuously enforced and validated for every networking change.
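The zone matrix and per-change validation described in points 1 and 2 are easier to picture with a concrete check. The following is an added example, not code from the original post or from any product; the zone names, CIDR ranges, allowed services and sample firewall rules are all constructed for illustration. It maps each address in a rule to a zone, looks the (source zone, destination zone) pair up in a zoning matrix that denies by default, and reports every allow rule that the matrix does not permit, which is the check one would run against each proposed firewall change before it is pushed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone definitions (constructed for this example; not Target's real layout).
ZONES = {
    "PCI": [ipaddress.ip_network("10.10.0.0/16")],      # POS systems and card databases
    "CORP": [ipaddress.ip_network("10.20.0.0/16")],     # general corporate servers
    "VENDOR": [ipaddress.ip_network("10.30.0.0/16")],   # third-party (e.g. HVAC) access segment
    "INTERNET": [ipaddress.ip_network("0.0.0.0/0")],    # everything else
}

# Zoning policy matrix: (source zone, destination zone) -> allowed "proto/port" services.
# Any pair or service not listed here is denied by default.
ZONING_POLICY = {
    ("CORP", "PCI"): {"tcp/443"},
    ("PCI", "PCI"): {"tcp/443", "tcp/1433"},
    ("VENDOR", "CORP"): {"tcp/443"},
    ("CORP", "INTERNET"): {"tcp/443"},
}


@dataclass(frozen=True)
class FirewallRule:
    src: str       # address or CIDR
    dst: str       # address or CIDR
    service: str   # "proto/port"
    action: str    # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map an address or CIDR to the most specific zone that fully contains it.

    A range that spans several zones (e.g. 10.0.0.0/8) only fits the catch-all
    zone, so overly broad rules are evaluated conservatively against INTERNET.
    """
    net = ipaddress.ip_network(addr, strict=False)
    best = None
    for zone, nets in ZONES.items():
        for zone_net in nets:
            if net.subnet_of(zone_net):
                if best is None or zone_net.prefixlen > best[1].prefixlen:
                    best = (zone, zone_net)
    if best is None:
        raise ValueError(f"{addr} is not covered by any zone")
    return best[0]


def check_rule(rule: FirewallRule) -> list:
    """Return the zoning violations an allow rule introduces (empty list if compliant)."""
    if rule.action != "allow":
        return []  # deny rules never widen access
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    allowed = ZONING_POLICY.get((src_zone, dst_zone), set())
    if rule.service in allowed:
        return []
    return [f"{rule.src} ({src_zone}) -> {rule.dst} ({dst_zone}) on {rule.service} "
            f"is not permitted by the zoning policy"]


def validate_ruleset(rules) -> list:
    """Validate a whole proposed ruleset; the returned list is empty when it is compliant."""
    violations = []
    for rule in rules:
        violations.extend(check_rule(rule))
    return violations


# Constructed sample change set: two compliant rules, two that break the zoning policy.
SAMPLE_RULES = [
    FirewallRule("10.20.5.0/24", "10.10.1.10", "tcp/443", "allow"),  # CORP -> PCI, permitted
    FirewallRule("10.30.0.0/16", "10.20.7.20", "tcp/443", "allow"),  # VENDOR -> CORP, permitted
    FirewallRule("10.30.4.4", "10.10.1.10", "tcp/443", "allow"),     # VENDOR -> PCI, violation
    FirewallRule("10.20.5.0/24", "10.10.1.10", "tcp/22", "allow"),   # CORP -> PCI on ssh, violation
    FirewallRule("10.30.0.0/16", "10.10.0.0/16", "tcp/443", "deny"), # deny rules are ignored
]

if __name__ == "__main__":
    for violation in validate_ruleset(SAMPLE_RULES):
        print("VIOLATION:", violation)
```

Running the block prints the two offending rules, the vendor segment reaching the PCI zone and a service that the matrix does not list for CORP to PCI, while the deny rule is ignored because it cannot widen access. In a real deployment the matrix would be the architect's artefact and the check would run on every change request, so that drift of the kind described above is caught before the rule is installed.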

Separate from the improper security zoning issue, another noteworthy item related to this breach is that it doesn’t look like proper security controls were protecting the POS. It’s reported that a free anti-malware tool was the primary defense mechanism on Target’s POS systems. This raises two issues: 1) from a licensing perspective, such a tool is not supposed to be used in an enterprise environment; 2) from a security perspective, a consumer-grade freeware tool is not designed to address the risks that a POS system faces from targeted and sophisticated attacks.

To put this breach in business terms, so far I’ve seen estimates for the cost to Target at over $500M, with that number expected to grow. The most recent news on the breach puts the cost to banks and credit unions at more than $200 million, based on estimates from industry trade groups; that figure does not factor in costs to financial institutions beyond credit unions or members of the Consumer Bankers Association, and it does not include any fraudulent activity. This is an opportunity to learn from security mistakes and improve, because cyber-criminals have too much to gain from their continued efforts and organizations have too much to lose.
