More information is coming out on the Target breach, and a key takeaway is to reexamine the importance of security zoning. It is being reported that the origin of the unauthorized access was through a third party and that from there, the cyber-criminals moved their way through Target’s network to the Point of Sale (POS) systems, where malware was placed to collect unencrypted card data. What’s come out is that these cyber-criminals stole the login credentials of the third party vendor, an HVAC company, which may have opened up access to a lot more of the network than should have been allowed, including access to an external billing system and a contract submissions portal.
One major takeaway is that it appears that security best practices were not followed in terms of network segmentation. Let’s look at what went wrong from a security zoning and PCI DSS perspective and what organizations should do to not fall into this trap:
“Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment… To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
Clearly, it is a best practice to separate the networks and servers that perform credit card transactions and store that information from any other network or server not involved in that process. In the case of the Target breach, the POS systems and databases should have been completely separated from the HVAC company’s servers where the attackers initially gained unauthorized entry. A good and common practice is to put stringent constraints around the “PCI Zone”, allowing connectivity for as few servers and networks as possible, since the security requirements for the “PCI Zone” are much greater than for the rest of the network. Firewall policies and VLANs provide a route to achieve this segregation for either physical or virtual servers, and then of course you need security policies that enforce this separation.
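The zoning point above is easiest to see when a firewall policy is treated as a graph of permitted zone-to-zone flows and checked for paths that end inside the cardholder data environment. The script below is an added illustration, not code from the original post or from Target; the zone names (INTERNET, VENDOR, CORPORATE, PCI, PCI_MGMT, PCI_DB), the ports and both rule sets are constructed assumptions. It audits a “flat” policy, where the vendor zone can pivot through the corporate zone into the PCI zone, against a segmented one where only dedicated jump hosts are permitted in.

```python
"""Zone-policy audit: can an untrusted zone reach the PCI zone, directly or via hops?"""
from collections import deque

# A rule is (src_zone, dst_zone, dst_port, action), evaluated first-match, default deny.
# Both policies are constructed for illustration; zone names and ports are assumptions.
FLAT_POLICY = [
    ("INTERNET",  "VENDOR",    443,  "allow"),   # vendor portal reachable from outside
    ("VENDOR",    "CORPORATE", 443,  "allow"),   # vendor portal talks to internal billing
    ("CORPORATE", "PCI",       3389, "allow"),   # admins RDP straight to POS hosts
    ("PCI",       "CORPORATE", 1433, "allow"),   # POS writes to a corporate database
]

SEGMENTED_POLICY = [
    ("INTERNET",  "VENDOR",    443,  "allow"),
    ("VENDOR",    "CORPORATE", 443,  "allow"),
    ("CORPORATE", "PCI",       3389, "deny"),    # explicit deny documents the intent
    ("PCI_MGMT",  "PCI",       3389, "allow"),   # only dedicated jump hosts reach POS
    ("PCI",       "PCI_DB",    1433, "allow"),   # card data stays inside the CDE
]


def is_allowed(policy, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r_src, r_dst, r_port, action in policy:
        if (r_src, r_dst, r_port) == (src, dst, port):
            return action == "allow"
    return False


def allowed_flows(policy):
    """Set of (src, dst) zone pairs with at least one permitted port."""
    flows = set()
    for src, dst, port, _ in policy:
        if is_allowed(policy, src, dst, port):
            flows.add((src, dst))
    return flows


def find_path(policy, start, target):
    """Breadth-first search over permitted flows; returns the zone hop list or None."""
    flows = allowed_flows(policy)
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for src, dst in flows:
            if src == zone and dst not in parent:   # 'not in parent' also breaks cycles
                parent[dst] = zone
                queue.append(dst)
    return None


def audit_cde_ingress(policy, cde_zones=("PCI", "PCI_DB"),
                      approved_sources=("PCI_MGMT",),
                      untrusted_zones=("INTERNET", "VENDOR")):
    """Findings: direct allows into the CDE from unapproved zones, plus any
    multi-hop path from an untrusted zone that ends inside the CDE."""
    findings = []
    for src, dst in sorted(allowed_flows(policy)):
        if dst in cde_zones and src not in cde_zones and src not in approved_sources:
            findings.append(f"direct: {src} -> {dst} is permitted")
    for untrusted in untrusted_zones:
        for cde in cde_zones:
            path = find_path(policy, untrusted, cde)
            if path:
                findings.append("path: " + " -> ".join(path))
    return findings


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: {audit_cde_ingress(policy) or 'no findings'}")
```

The transitive check is the part that matters: a rule set can look tidy rule by rule and still leave a path from a vendor-facing zone into the PCI zone through an intermediate “corporate” hop. Running this kind of reachability audit whenever a firewall rule or VLAN assignment changes is one concrete way to enforce the separation the policy documents promise.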
Separate from the improper security zoning issue, another noteworthy item related to this breach is that it doesn’t look like proper security controls were protecting the POS. It’s reported that a free anti-malware tool was the primary defense mechanism on Target’s POS systems. This actually raises two issues: 1) From a licensing perspective, such a tool is not supposed to be used in an enterprise environment; 2) From a security perspective, a consumer-based, freeware tool is not designed to address the risks that a POS system, for example, faces from targeted and sophisticated attacks.
To put this breach in business terms, so far I’ve seen estimates for the cost to Target at over $500M right now with that number expected to grow. The most recent news is that the breach has cost banks and credit unions more than $200 million, based on estimates from industry trade groups – a figure which does not factor in costs to financial institutions beyond credit unions or members of the Consumer Bankers Association, and which does not include any fraudulent activity. This is an opportunity to learn from security mistakes and improve, because cyber-criminals have too much to gain from their continued efforts and organizations have too much to lose.