Major companies, like Target, often fail to act on malware alerts

Target paid the price for its apparent failure; other big firms follow the same pattern and could face the same fate, analysts say

Companies that suffer major data breaches almost always portray themselves as victims of cutting edge attack techniques and tools. The reality, though, is often much more mundane.

Case in point: Target, which last year was hit with a major data breach that exposed to hackers data on some 40 million credit and debit cards and personal data on another 70 million customers.

The retailer on Thursday acknowledged that it could have mitigated or even avoided the breach had it paid closer attention to alerts generated by its security monitoring tools.

Target spokeswoman Molly Snyder said the company investigated but ultimately dismissed early signs of a data breach. "Based on their interpretation and evaluation of that activity, the [Target security] team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different," she said.

Target isn't alone in making such mistakes, said Joe Schumacher, a security consultant for Neohapsis, a security and risk consulting company.

"I have seen enterprises roll out very expensive systems to handle security monitoring, yet there is no subject matter expert for this technology or risks within the enterprise," he said.

Often, companies deploy security technologies with default alerts, resulting in many false positive warnings, Schumacher added.

"Any organization looking to implement security technologies should make the same investment in their people to help configure the technology," he said.

Eric Chiu, president and co-founder of HyTrust, a cloud security company, added that companies often ignore security alarms because they are numb to them, because they get too many false warnings, or because they are understaffed.

"You can have all the alarms you want, but unless you put security in a prominent position in the company and have enough staff to review them, those alarms don't mean anything," he said.

While alarms are great at signaling that something bad may be happening, they're just a means to monitor for inappropriate actions, he said.

In Target's case, a newly installed network monitoring tool from security vendor FireEye alerted Target security personnel to malware on its networks on two separate occasions before it was hit by hackers, according to a Bloomberg BusinessWeek report. The installation of the tool cost Target around $1.6 million, according to Bloomberg, which interviewed several former Target employees, law enforcement officials and security researchers familiar with the case.

According to the report, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target's headquarters in Minneapolis, who apparently failed to follow up.

The retailer's security pros should have been able to shut down the attack relatively easily had officials acted on the warnings, sources told Bloomberg. Target's Symantec Endpoint Protection software also detected the "absolutely unsophisticated and uninteresting" malware early on and pointed to the same server identified by the FireEye alerts, the report said.

The FireEye system could have been configured to automatically remove the threat, but apparently because the software was new and untested at Target, the feature wasn't activated.
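As an added example (not code from the article, Target, or any vendor product), the routine below applies the two lessons of the account above: a host flagged by more than one independent tool is treated as corroborated, and any alert left unacknowledged past a deadline is surfaced for escalation. Hostnames, timestamps and the four-hour SLA are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts; hosts and times are placeholders, not from the article.
SAMPLE_ALERTS = [
    {"source": "FireEye",  "host": "pos-update-01", "time": "2024-01-01T02:10", "acked": False},
    {"source": "Symantec", "host": "pos-update-01", "time": "2024-01-01T02:45", "acked": False},
    {"source": "FireEye",  "host": "fileshare-07",  "time": "2024-01-01T03:00", "acked": True},
    {"source": "FireEye",  "host": "hr-db-03",      "time": "2024-01-01T05:00", "acked": False},
    {"source": "FireEye",  "host": "build-22",      "time": "2024-01-02T09:30", "acked": False},
]
SAMPLE_NOW = datetime(2024, 1, 2, 10, 0)  # constructed "current time"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def triage(alerts, now, sla=timedelta(hours=4)):
    """Group alerts by host and decide which hosts need escalation.

    A host is escalated when two or more independent tools flag it
    (corroboration) or when an alert sits unacknowledged past the SLA.
    Returns {host: {"priority": str, "sources": [...], "reasons": [...]}}.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)

    result = {}
    for host, items in by_host.items():
        sources = sorted({a["source"] for a in items})
        reasons = []
        if len(sources) >= 2:
            reasons.append("flagged by %d independent tools" % len(sources))
        stale = [a for a in items if not a["acked"] and now - _ts(a["time"]) > sla]
        if stale:
            oldest = min(_ts(a["time"]) for a in stale)
            hours = int((now - oldest).total_seconds() // 3600)
            reasons.append("unacknowledged for %dh" % hours)
        if not reasons:
            continue  # acknowledged, or single-source and still within SLA
        priority = "critical" if len(sources) >= 2 else "high"
        result[host] = {"priority": priority, "sources": sources, "reasons": reasons}
    return result


def triage_sample():
    """Run triage over the constructed sample at the constructed current time."""
    return triage(SAMPLE_ALERTS, SAMPLE_NOW)


if __name__ == "__main__":
    for host, verdict in triage_sample().items():
        print(host, verdict)
```

Only the corroborated host and the host with a day-old unacknowledged alert are escalated; the acknowledged alert and the half-hour-old single-source alert are left alone.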

Such incidents show why IT operations can't depend on technology alone to secure business networks, said Gartner analyst Avivah Litan. Companies also need strong security policies and processes for managing systems -- and for dealing with alerts, she said.

"In this case, Target apparently fell short on process and policies -- they had the technology piece down," Litan noted.

She added that Target's response is typical for large organizations. "In fact, I have heard several times and from several sources that in the case of each large breach over the past few years, the alarms and alerts went off but no one paid attention to them."

Jeremy Kirk of the IDG News Service contributed to this story.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
