I just had the fine experience of participating in Secure360 in the Twin Cities. I've been making the rounds talking to InfoSec leaders about their challenges and worries. I have yet to have a conversation where Target doesn't come up. The Target breach has raised awareness around the need for better cybersecurity across the country. The interest has produced some very good commentary and ideas on how we improve business and InfoSec procedures. It has also produced some unhealthy and inflammatory discussions that have the ability to hinder effective improvements. My conversations since the breach have prompted me to address some "low thinking" that is opportunistic and dangerous.
1. The Breach was Target's Fault
The fingers have been squarely pointed at Target since the breach was disclosed over the holiday season. The CEO and CIO have since been discharged. They have been called in front of Congress to give an account. Public opinion has damned them nearly as much as every cybersecurity nerd with a blog. Lawsuits and accusations fly. The consensus is clear: It's Target's Fault.
In the short history of cybersecurity, mankind has found it needful to separate the realities of physical security from computer security. The accusations we are slinging at Target would make absolutely no sense if the robberies had been physical instead of digital. If on Black Friday masked gunmen across the nation had simultaneously busted into Target stores, broken open cash registers and run away with the cash, who would we be outraged with? Would we ask why Target didn't have armored security patrols with automatic weapons protecting the stores and patrons? Absolutely not. We would be demanding that justice come to the criminals who carried out the attack. We might be disappointed in law enforcement as well, but we certainly wouldn't be asking Target's CEO to resign. We would rally behind him.
Maybe we think they were asking for it. Was Target showing too much ledger? Were they giving the criminals the 0wn me eyes?
It's disgusting to turn the victim of a crime into the criminal even when the victim is a corporation. It is not just and it is not right. Target was responsible for applying due diligence to protecting data. They did that and they got robbed. Their people and customers got hurt. Criminals did that, not Target.
2. Credit Card Data Should Have Been Encrypted Before Entering PoS Memory
This one drives me insane. Every knucklehead pundit who thinks that starting encryption a few nanoseconds earlier would have prevented RAM scraping from being effective is misapplying their energy. I walk around town all day long with my credit and debit cards unencrypted in my pocket. Every day several people see and walk away with 16 integers that can be used to extract money from my accounts. 24 hours a day we are OK with them being unencrypted, but for the 50 nanoseconds it takes for Target to encrypt it we are pissed? The only time my credit card is encrypted is when I swipe it.
This is another reason we can't fault Target in this. Americans insist on the convenience of being able to give away money by knowing 16 digits and an expiration date. Target didn't create this system. They are accepting the forms of payment we want to use in their stores. We want to use unencrypted cards that are radically easy to steal and replicate. Almost the entire rest of the world uses chip and PIN to keep credentials secure. So let's add ourselves to the list of folks to blame: #1 - Criminals, for being evil; #2 - Law Enforcement, for not stopping them; #3 - Us, for carrying our money in a ridiculously easy to exploit method; and #4 - Target, for not spending more of their hard-earned profits to mitigate the previous three failures.
3. Existing Security Tools Alerted Target to the Breach
FireEye, among others, found it necessary to tell the world that their security product was deployed during the breach and notified Target security operations of the breach. This takes some gall. If a vendor promises that their product will alert on or stop breaches, and a purchase happens because of this promise, it had better deliver on that promise. If the customer doesn't effectively merge the product into incident response processes, it was never really deployed. It is the responsibility of the vendor to enable the customer. Further, if an alarming system is making too much noise, it is worse than the Boy Who Cried Wolf. With that in mind, let's put Vendor Enablement Failures at #4 on the blame list, pushing Target to #5 but adding the need for them to spend even more of their money to enable themselves when vendors fail to deliver on promises.
This dogpiling by vendors has had a debilitating effect on security managers. InfoSec decision makers are now worried that if they don't spend the time investigating every sound coming out of a security device, they will be called out by the vendors they had trusted just months prior. This argument cannot stand. It is the most dangerous of the three. If an alarm is not connected to a process that is being audited, it is not really an alarm (see When an Alarm Isn't). Security professionals need to do everything they are able to do to improve security. Vendor fear must not stymie the long-needed progress in information security.
There were several good lessons from the Target breach. My favorites include the need to move to chip and PIN credit cards, improving monitoring of the network, creating documented processes for handling alerts and response, and the increased awareness of the reality and severity of cybercrime. Let's purge these unhealthy "lessons" from our thinking so we can make meaningful change in safeguarding our data, networks and people.