The multistate settlement over the 2013 Target data breach outlines the kind of security measures enterprises should have in order to not be found negligent with customer data. The problem is, the settlement doesn’t go far enough to improve organizational security. For the pro-active CSO, the settlement should indicate the bare minimum and not what they should aspire to.
Tom Kellermann, CEO of Strategic Cyber Ventures and the former CSO of Trend Micro, called the terms a “slap on the wrist” for Target and said they were insufficient as they focused on keeping attackers out and not on improving response. Modern security needs to focus on reducing the amount of time between a compromise when detection, and making it harder for attackers to carry out their operations. While network segmentation and two-factor authentication will slow down attackers, the bulk of the terms are still defensive in nature.
“They [settlement terms] represent yesterday's security paradigm,” Kellermann said.
To briefly recap, criminals stole credentials from a third-party HVAC vendor and gained access to Target’s network, and then proceeded to infect payment systems with data-stealing malware just before the beginning of the holiday shopping season back in 2013. The malware skimmed credit and debit card information belonging to about 40 million consumers, along with personally identifiable information (PII) for 70 million people. While Target’s security systems had detected the breach, no one understood the significance of, or acted upon, the alerts, resulting in the massive data breach.
To its credit, Target since then has toughened its security posture and made significant improvements, and many in the industry tout the retailer as a good example of how to recover from a data breach. The settlement gives Target 180 days to “develop, implement, and maintain a comprehensive information security program,” but most of the terms refers to the changes the retailer has already adopted.
"[The] settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers," Illinois Attorney General Lisa Madigan said in a statement.
The reference to industry standards suggest that future breach-related lawsuits may use the Target settlement to try to prove the organization did not go far enough in protecting personal information and other sensitive data. The settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network and implementing stricter access control policies to sensitive networks and data.
“All organizations that store valuable data need to implement a comprehensive security program that includes continuous risk assessments and a responsible executive that is accountable and actively involved in the program,” said Steven Grossman, vice-president of strategy at Bay Dynamics.
Laundry list of what to do
Target agreed to tighten its digital security, which includes:
- Develop and maintain a comprehensive information security program
- Maintain software and encryption programs to safeguard people’s personal information
- Separate its cardholder data from the rest of its computer network
- Rigorously control who has access to the network
- Regularly bring in an independent and well-qualified third party to conduct regular, comprehensive security assessments of its security measures.
- Hire an executive officer to run its new security program and serve as a security advisor to the CEO and the board of directors.
Other must-have safeguards are specific to the payment systems and “cardholder data environment”:
- Whitelisting to detect and block unauthorized applications from executing on payment systems and servers
- File integrity monitoring
- Change management to detect unauthorized changes to applications and operating systems
- Logging and monitoring all security-relation information and devices attempting to connect to the sensitive network.
None of this sounds particularly advanced. In fact, network segmentation is an IT best practice and something companies should already be doing. It is nice to finally see a mandate that calls for two-factor authentication on individual, administrator and vendor accounts. The fact that card information has to be encrypted is a basic part of the Payment Card Industry-Data Security Standard (PCI-DSS) requirements, and just reiterates that encryption needs to be at the center of any comprehensive security program. The settlement also reminds Target that it has to keep up with patching and software updates.
"Target shall make reasonable efforts to maintain and support the software on its networks, taking into consideration the impact an update will have on data security in the context of Target's overall network and its ongoing business and network operations, and the scope of resources required to address an end-of-life software issue," according to the settlement.
What’s missing
Considering the initial breach came from the third-party vendor, the settlement is vague on what enterprises should be doing regarding their partners and contractors beyond “develop, implement and revise as necessary written, risk-based policies and procedures for auditing vendor compliance” against existing security policies. Requiring two-factor authentication for contractors and vendors will make a difference, but enterprises need to have a clearer idea of what other risks the third-party poses to their environment.
“It is essential that outsources know what services third-parties are performing, what controls they have in place, and verify that these controls are operational,” said Charlie Miller, a senior vice president with the Santa Fe Group’s Shared Assessments Program. Enterprises need to have processes that determine what kind of restricted access and security controls are appropriate when bringing a third-party onboard.
The settlement also talks about penetration tests and other ways to assess security measures, but it stopped short of asking for continuous assessments. “The recommendations on assessing risks using penetration testing are not enough,” Guy Bejerano, CEO and co-founder of SafeBreach says. Enterprises can’t rely on once-a-year, or periodic penetration tests to stay abreast of all the threats, because new vulnerabilities are always being found and new attack tools being developed.
The CSO needs to oversee and run the security program and advise the CEO and the board of directors, but the settlement did not mandate the individual report directly to the CEO and the board, which is a miss. In many enterprises, the CSO, despite being a C-level executive, doesn’t report directly to the CEO, and is shuffled under the CIO, the CTO or even legal. The CISO/CSO should report directly to the CEO and receive a separate budget from that of IT.
Industry standards are still a low bar
As part of settling with the states, Target has to pay $18.5 million. While New York Attorney General Eric T. Schneiderman touted this agreement as the largest multistate data breach settlement to date, it is pocket change for a company that reported over $20 billion in profits last year and has already paid $202 million in legal fees and other post-breach costs over the past four years. This isn’t even the first settlement, as Target settled for $39 million with the financial institutions affected by the breach and allocated $10 million for the consolidated class action lawsuit (along with the $6.75 million for plaintiffs’ attorneys fees and expenses).
There have been concerns that companies might deprioritize security activities and risks because it is cheaper to just pay the fine after something goes wrong—instead of putting in the time and effort to do it right. The settlement doesn’t do anything to change that viewpoint, but the fact that some of the basics are now codified as “industry standards” may at least raise the bar to the bare minimum. For many organizations, segmenting the networks and adding more security layers around sensitive data environments can make a huge difference in how easily criminals can move around or steal information.