While most of the mass media news about Target’s card data breach has focused on the direct effects on consumers, the forensics of the breach are starting to trickle out through specialists like Brian Krebs, and they’re really fascinating. At the highest level, it appears the attackers were able to enter the network via a third-party vendor’s network and establish a command-and-control server inside Target’s network. Further speculation is that the c-and-c server was installed using an administrative user account for monitoring software that may have had an installation-default password set. Surely Target didn’t set out to neglect the PCI Control Objectives for network monitoring and security, but the gaps revealed are large enough for millions of records to fall through.
Are we insulated from this kind of attack in the financial services sector? Absolutely not. Our networks once consisted of devices under our physical control, such as branch terminals and ATMs. Today the edges of our networks reach into the very pockets of our customers through browsers and mobile apps. We interact not only with processors, but with other third-party networks and vendors.
As the available attack surface expands, our networks become a more lucrative target. The PCI Control Objectives provide the framework for protecting our data and our customers’ records, but both operations and information security have to be actively involved daily in understanding that there’s a difference between merely being compliant and actually securing our networks. Armchair quarterbacking only goes so far, and in our industry we’d be well served to quickly take stock of how to fortify our compliance efforts against increasingly sophisticated attackers.
Where are networks truly isolated and do we truly know where data is coming from and going to? Are we taking physical security for granted? Where might there be opportunity for social engineering? Are all MD5 hashes for application updates being validated each time? Are we white-listing those things that should be active in our servers?
If the reports are true, the Target breach has cost U.S. banks more than $172 million in re-issued cards. Whether we’re ready to acknowledge it or not, financial services’ networks are closer than ever to retailers’, and we owe it to ourselves to think that a compliance certification means we’re doing all we can to secure ourselves. The data breach is a chance for banks and retailers to work together. Whether it’s the card industry migrating to EMV chip-and-PIN cards, tokenization, or better systems monitoring, both parties have a vested interest in consumer fraud protection.