4 lessons CIOs can learn from the Target breach

We're all familiar with the Target payment card breach late last year. Some 40 million payment card numbers, plus personal records for up to 70 million customers, were stolen through a hole in the company's network that reached all the way down to its point-of-sale terminals and PIN pads. The breach cost Target CIO Beth Jacob her job; it was, and still is, a serious matter.

Target is obviously a public company, so this situation garnered a lot of attention. If you're a CIO or a member of the executive technical staff, though, several observations about the situation apply to your company as well.

Here are four key lessons from Target's very public example of a data breach.

1. It's vital to know which alarms you can safely ignore

In this connected age, security vulnerabilities are a dime a dozen. Different software has different risk profiles, and some of the vulnerabilities that affect certain organizations severely are already safely mitigated in other organizations simply by the structure of how components are set up. Performing a thorough threat analysis is crucial, but knowing how to manage the onslaught of event logs, audit logs, vendor vulnerability notifications and intrusion prevention messages is just as critical.

One best practice: Develop a rubric by which a weight is assigned to alerts about security vulnerabilities and attempted penetration. Depending on what business you're in, you can score this either by system involved or by the source of the alert. Some considerations might include the following:

  • For a retail business, payment systems alerts should be given clear priority. Typically, these payment systems are segregated from other networks, but patching alerts from your vendors, security audit logs and activity monitoring for those systems should be reviewed frequently, with particular attention paid to anomalies that appear in these results. Internet-facing businesses should always ensure that fraud prevention measures are in place and that shopping cart and ecommerce software is patched and monitored.
  • Alerts from your intrusion detection system or honeypots should also be given a higher priority than other alerts. However, it may be necessary to fine-tune thresholds. One-off attempts shouldn't raise alarms, but repeated attempts that display similar characteristics should be evaluated for their consistency and then bubbled up to the appropriate levels for technical review and analysis.
  • Other regular software vulnerabilities, like those in file servers and desktop software, should be cataloged and analyzed but should fall below other, riskier parts of your technology stack.

Create a judgment structure by which you can evaluate alerts and threat messages so the signal-to-noise ratio is as high as it can be. This way, "red alert" messages get the attention they deserve immediately, while "yellow alert" type messages are analyzed at a less urgent pace.
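The rubric described above, as an added example that is not from the article and not Target's own tooling: alerts are weighted by the system they concern (payment highest, commodity desktop and file-server software lowest), and intrusion-detection or honeypot events are suppressed as one-offs but escalated to red once repeated attempts with the same source and signature cluster inside a short window. The log format, the weights, the thresholds and the sample alert lines are all illustrative assumptions.

```python
"""Alert-weighting rubric (added example; weights, thresholds, log format and
sample alerts are assumptions, not data from the article or from Target)."""

from collections import defaultdict
from datetime import datetime, timedelta

# Weight by the system an alert concerns; higher means more urgent.
# Payment systems lead, ecommerce next, IDS/honeypot after that,
# commodity file-server and desktop software last.
SYSTEM_WEIGHT = {
    "payment": 100,
    "ecommerce": 70,
    "ids": 60,
    "honeypot": 60,
    "fileserver": 20,
    "desktop": 10,
}

# IDS/honeypot events are escalated only when similar attempts repeat:
# REPEAT_THRESHOLD or more events with the same (src, sig) inside WINDOW.
REPEAT_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

RED, YELLOW, LOG_ONLY = "red", "yellow", "log-only"


def parse_alert(line):
    """Parse 'TIMESTAMP SYSTEM key=value ...' (a constructed format) into a dict."""
    ts, system, *fields = line.split()
    alert = {"ts": datetime.fromisoformat(ts), "system": system}
    for field in fields:
        key, _, value = field.partition("=")
        alert[key] = value
    return alert


def level_for(score):
    """Map a numeric score onto the red / yellow / log-only buckets."""
    if score >= 80:
        return RED
    if score >= 40:
        return YELLOW
    return LOG_ONLY


def triage(lines):
    """Return [(line, level)] in input order.

    Non-intrusion alerts are scored on system weight alone. IDS/honeypot
    alerts are log-only one-offs unless REPEAT_THRESHOLD attempts with the
    same (src, sig) fall within WINDOW, in which case the whole cluster is red.
    """
    alerts = [parse_alert(line) for line in lines]

    # Group intrusion attempts by (source, signature) so repeats can be found.
    clusters = defaultdict(list)
    for i, alert in enumerate(alerts):
        if alert["system"] in ("ids", "honeypot"):
            clusters[(alert.get("src"), alert.get("sig"))].append(i)

    escalated = set()
    for idxs in clusters.values():
        idxs.sort(key=lambda i: alerts[i]["ts"])
        times = [alerts[i]["ts"] for i in idxs]
        # Sliding window: any REPEAT_THRESHOLD consecutive events within WINDOW.
        for j in range(len(idxs) - REPEAT_THRESHOLD + 1):
            if times[j + REPEAT_THRESHOLD - 1] - times[j] <= WINDOW:
                escalated.update(idxs)
                break

    results = []
    for i, alert in enumerate(alerts):
        if alert["system"] in ("ids", "honeypot"):
            score = 100 if i in escalated else 0  # one-off attempt: log only
        else:
            score = SYSTEM_WEIGHT.get(alert["system"], 0)
        results.append((lines[i], level_for(score)))
    return results


# Constructed sample alerts (not real Target data).
SAMPLE_ALERTS = [
    "2013-12-02T10:00:00 ids src=203.0.113.7 sig=ssh-bruteforce",
    "2013-12-02T10:01:00 desktop host=wks-042 event=vendor-patch-available",
    "2013-12-02T10:02:00 ids src=198.51.100.9 sig=sql-injection",
    "2013-12-02T10:03:00 payment host=pos-17 event=unexpected-outbound-connection",
    "2013-12-02T10:04:00 ids src=203.0.113.7 sig=ssh-bruteforce",
    "2013-12-02T10:05:00 fileserver host=fs-01 event=vendor-patch-available",
    "2013-12-02T10:06:00 ids src=203.0.113.7 sig=ssh-bruteforce",
    "2013-12-02T10:07:00 ecommerce host=shop-web-2 event=vendor-patch-available",
]

if __name__ == "__main__":
    for line, level in triage(SAMPLE_ALERTS):
        print(f"{level:9s} {line}")
```

Run as-is, the three brute-force attempts from one source inside ten minutes come out red, the lone injection probe stays log-only, the payment anomaly is red, the ecommerce patch notice is yellow, and the desktop and file-server patch notices are log-only. The point of the structure is that the weights and the repeat threshold are the tunables a CIO's team argues about, while the ordering (payment first, commodity software last) is fixed by the business.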

2. Lobby for a CISO to handle significant security, liability responsibilities

As the old saying goes, the buck must stop somewhere. As with most things technology, the head of the information systems organization is likely to get the blame. But CIOs are burdened with more areas of responsibility than ever before, from keeping the computers running, to creating new technology-driven lines of business that can actually represent a profit center, to liaising with marketing and the executive suite to unlock the value in the massive amounts of data warehoused by corporate IT.

Yes, security is an important part of all this, but creating a security regimen and implementing it throughout the organization is really best done by a dedicated CISO - someone whose sole job is to monitor the security posture of a business and then carefully and deliberately enhance it over time. A CIO is simply too rushed and spread too thin to fully handle this responsibility.

Target shows why. It took several weeks to get to the bottom of the extent of the breach. (This is actually better than average; most serious data breaches take months to spot.) According to multiple reports, it took days to even discover the breach before the media caught on to it. As we all saw, Target seemed to discover more and more about exactly what data was lost in the attack, as information trickled out to the public and to the media.

You can imagine the frenzy within Target of getting to the bottom of what happened, reacting to it, preventing the situation from deteriorating and activating response plans. The buck stopped with Jacob, and her response was left somewhat wanting. It's a real possibility that she simply had too much on her plate.

Additionally, hiring a specific security head shows the rest of the organization that security is serious business. Having such a position generally gives the CISO the autonomy required to put into place the right remedial measures to enhance security. Having to work through a chain of command not dedicated to security can delay or even jeopardize necessary technical improvements due to a lack of clear communication or an inability to convince others that some measures are necessary.

3. Incident response plans key to successful recovery from data breaches

In the hours and initial couple of days after a breach has been discovered, there is usually only one priority: Fix the breach, at all costs. Stop the bleeding.

This is a fine approach for the technical team. However, others in your organization need to at least be activated to begin planning a communications approach that keeps all stakeholders informed. Witness the somewhat haphazard way in which Target disclosed the breach. Were PINs compromised, or just payment card numbers? If PINs were taken, were they encrypted? Was anything leaked at all? The story seemed to change as the situation developed. That's a symptom of an incomplete crisis communications plan.


I will note, however, that the PIN pads and (perhaps) other payment and point-of-sale equipment at my local Target location were replaced within days of the initial breach announcement. That's a sign of an excellent technical response plan.

4. The weakest point in your security is something you haven't considered

The Target breach began with network credentials stolen from an HVAC contractor, a vendor that had legitimate remote access to an external-facing Target system. From that foothold the attackers worked their way across the network to the point-of-sale systems. The entry point was not a payment system at all; it was an account that existed so that someone could service heating and refrigeration equipment.

Attackers at this level are sophisticated; they're playing a long game to nail lucrative, high-value targets. They're looking where they think you're not looking.

As a CIO, it's your job to direct your teams to batten down all hatches - procedural, technical and otherwise. Provide the leadership and the ethos to make this type of watchful, deliberate security a priority.

Jonathan Hassell runs 82 Ventures, a consulting firm based out of Charlotte. He's also an editor with Apress Media LLC. Reach him via email and on Twitter.
