Ira Winkler: 6 failures that led to Target hack

The storyline that a single point of failure allowed a sophisticated attacker to steal millions of card numbers from Target just doesn't hold up

A recent edition of the Computerworld Security Daily Newsletter contained no fewer than four articles discussing the data breach at Target, which was first disclosed way back in December. What exactly happened to Target remains a matter of great interest.

What's being said about the hack is that it was enabled by a single point of failure. The blame is pinned on unstoppable malware on the point-of-sale (POS) systems or, alternatively, on a compromise of an HVAC contractor's credentials. Either way, Target wants you to believe that the chain was exactly what its name implies: the target of a highly sophisticated attacker.

But the truth is that systematic failures, and not a single point of failure, led to the Target hack. No single vulnerability was exploited. There were vulnerabilities throughout Target's security architecture that led to the theft of 110 million payment card numbers, along with the personally identifiable information of most of the affected cardholders.

Let's assume that Target's assertion is correct and that its network was compromised because its HVAC vendor was hacked. If that indeed led to the theft of millions of card numbers, then it suggests that Target's network was not properly segregated to allow the HVAC vendor to have access only to required systems. So that was the first failure.

Once the attackers were on the network, they clearly had to perform reconnaissance for an extensive period of time to find systems that would enable the distribution of their malware. That suggests that Target had inadequate or perhaps even no intrusion detection deployed that could identify extensive probing of the network, especially critical network segments where the POS systems reside. That was the second failure.

It appears that the intruders were able to get the malware on the POS systems via Target's own software distribution system, through worm-like methods of distribution, or by some combination of both. The attackers are thought to have tested the malicious software in a limited distribution, as a proof of concept, prior to wide-scale distribution. Either method should have been detected. Worm-like activity should have been picked up by network monitors. And if the attackers exploited Target's internal software distribution system, then Target should have had practices in place to verify any additions to the standard software being pushed out. Failure No. 3.

Most POS systems enable whitelisting, which lets only approved software run on the system. Malware introduced to a POS system with whitelisting enabled would be rendered inoperable, even if it hadn't been picked up by antivirus software. So not enabling whitelisting was the fourth failure.
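The two controls just described, verifying additions to a software push (failure No. 3) and allowlisting on the POS endpoint (failure No. 4), both come down to the same check: a default-deny manifest of approved binaries and their hashes. The following Python is an added illustration, not code from the column or from Target; the binary names, contents and manifest are constructed samples.

```python
"""Default-deny application allowlisting for a POS endpoint, plus the same
manifest reused to vet a software-distribution package before it is pushed.
Added example with constructed data; the file names and contents are
hypothetical placeholders, not real POS software."""
import hashlib

# Constructed sample: what the approved POS image is allowed to run.
# In practice this manifest would be produced by the release process and
# signed; here it is built in memory from placeholder "binaries".
APPROVED_SOFTWARE = {
    "pos_checkout.exe": b"pos-checkout v4.2 (constructed sample binary)",
    "printdrv.exe": b"receipt-printer-driver v1.9 (constructed sample binary)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a binary's content."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict) -> dict:
    """Map each approved file name to the SHA-256 of its approved content."""
    return {name: sha256_hex(content) for name, content in approved.items()}


def may_execute(allowlist: dict, name: str, content: bytes):
    """Allowlist decision for one binary.

    Default deny: the name must be listed AND the content hash must match,
    so a renamed or patched binary is refused even if antivirus is silent.
    Returns (allowed, reason)."""
    expected = allowlist.get(name)
    if expected is None:
        return False, "not in allowlist"
    if sha256_hex(content) != expected:
        return False, "hash mismatch (modified or replaced binary)"
    return True, "approved"


def vet_distribution_package(allowlist: dict, package: dict) -> list:
    """Check a software push (name -> bytes) against the approved manifest.

    Anything that is not an exact, approved binary is rejected before the
    push goes out, which is the verification step the text says was missing.
    Returns a list of (name, reason) for rejected entries; empty means clean."""
    rejected = []
    for name, content in package.items():
        allowed, reason = may_execute(allowlist, name, content)
        if not allowed:
            rejected.append((name, reason))
    return rejected


if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED_SOFTWARE)
    # Constructed push: two approved files plus one unknown addition.
    push = dict(APPROVED_SOFTWARE)
    push["helper.exe"] = b"not part of the approved image (constructed)"
    for entry in vet_distribution_package(allowlist, push):
        print("REJECT", entry)
    # Approved name, tampered content: also refused.
    print(may_execute(allowlist, "pos_checkout.exe", b"patched (constructed)"))
```

The point of reusing one manifest for both checks is that the push-time gate and the run-time gate cannot drift apart: a binary that would fail the allowlist on the endpoint is caught before distribution, and one that slipped past distribution still fails on the endpoint.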

The criminals had to exfiltrate the information they had garnered out of Target's network. That incredibly involved process would require the hacking of multiple systems to both store and forward captured information. Target should have had software and processes in place to look for unusual network traffic. Likewise, the hacking of all of the systems used to exfiltrate the data should have been uncovered. Failures five and six.
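The store-and-forward exfiltration pattern described above has a recognizable shape in flow data: one internal host receives from many internal peers and then sends an unusually large volume to the outside. The following Python is an added example of the kind of "unusual network traffic" logic the column says should have been in place; it is not from the column or from Target, and the flow records, address ranges and thresholds are constructed.

```python
"""Flag internal hosts that look like exfiltration staging points.
Added example on constructed flow records (src, dst, bytes); the
10.0.0.0/8 range, the addresses and the thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# Assumed internal address space for the constructed environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow summaries (source, destination, bytes sent).
FLOWS = [
    # Many POS hosts push small batches to one internal server...
    ("10.20.1.11", "10.50.0.5", 40_000),
    ("10.20.1.12", "10.50.0.5", 38_000),
    ("10.20.1.13", "10.50.0.5", 41_000),
    ("10.20.2.21", "10.50.0.5", 39_000),
    ("10.20.2.22", "10.50.0.5", 42_000),
    # ...which then sends a large volume to an external address (TEST-NET-3).
    ("10.50.0.5", "203.0.113.7", 200_000_000),
    # Ordinary traffic for contrast.
    ("10.20.1.11", "10.10.0.2", 5_000),          # POS -> internal app server
    ("10.10.0.2", "198.51.100.9", 1_500_000),    # app server -> external, normal
]

# Constructed per-host baseline of expected outbound bytes per window.
BASELINE_EXTERNAL_BYTES = {"10.10.0.2": 1_000_000, "10.50.0.5": 100_000}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(flows):
    """Per-host outbound bytes to external addresses, and for each internal
    destination the set of distinct internal sources that sent to it."""
    external_out = defaultdict(int)
    internal_fanin = defaultdict(set)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            external_out[src] += nbytes
        elif is_internal(src) and is_internal(dst):
            internal_fanin[dst].add(src)
    return external_out, internal_fanin


def find_staging_hosts(flows, min_fanin=4, min_external_bytes=50_000_000):
    """Hosts that both collect from many internal peers and send a large
    volume outside: the store-and-forward shape. Returns sorted
    (host, distinct_internal_senders, external_bytes)."""
    external_out, fanin = summarize(flows)
    suspects = []
    for host, peers in fanin.items():
        sent = external_out.get(host, 0)
        if len(peers) >= min_fanin and sent >= min_external_bytes:
            suspects.append((host, len(peers), sent))
    return sorted(suspects)


def find_volume_anomalies(flows, baseline, factor=10):
    """Hosts whose external outbound bytes exceed `factor` times their
    baseline; hosts with no baseline are reported too, since a host that
    has never sent outside before is itself worth a look."""
    external_out, _ = summarize(flows)
    anomalies = []
    for host, sent in external_out.items():
        expected = baseline.get(host)
        if expected is None or sent > factor * expected:
            anomalies.append((host, sent, expected))
    return sorted(anomalies)


if __name__ == "__main__":
    for hit in find_staging_hosts(FLOWS):
        print("staging pattern:", hit)
    for hit in find_volume_anomalies(FLOWS, BASELINE_EXTERNAL_BYTES):
        print("volume anomaly:", hit)
```

Both checks work on flow summaries rather than packet contents, so they apply even when the exfiltrated data is encrypted or disguised; the cost is that the thresholds must be tuned per environment against a real baseline, which is exactly the kind of architecture-level work the column argues was missing.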

These are not the only likely points of failure, but they are the most obvious ones.

Retailers targeted in attacks such as the one that hit Target like to claim that they were the victims of sophisticated attackers, with the implication that the attack was somehow unstoppable. But there was nothing particularly sophisticated about the Target attack. The attackers appeared to be persistent and disciplined more than technologically advanced. That is exactly how most attacks are perpetrated.

I have no reason to believe that Target's technical employees are anything but well intentioned. But not ensuring that a high-level risk and architecture assessment was in place that could look for exactly those points of failure was in itself a failure. I'm not talking about a penetration test, but a thorough assessment of the overall network architecture to look for security vulnerabilities and the best places to install detection tools.

For example, Target should have reviewed the access architecture to verify that vendors were segregated and monitored. Given widely publicized breaches at other retailers, Target should have looked for covert channels with network monitoring tools. And it certainly should have assured the integrity of the POS systems, looking at best practices such as whitelisting software and verifying the applications that are pushed out to those systems.

A company like Target, with billions in revenue, can certainly allocate the appropriate resources to stop an attacker, sophisticated or otherwise. In fact, companies with considerably less in revenue should do the same, since an attack of this nature puts that revenue at risk. But don't tell us how you are at the mercy of sophisticated attackers when you haven't covered the basics. Target's attackers exploited predictable vulnerabilities. They were tenacious and formidable, but they weren't unstoppable. These attacks should have been detected and prevented.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site,
