Another Target Security Leak

Target Security Leak

Almost two years after 40 million credit card numbers were compromised in one of the largest retail breaches in U.S. history, information about the retailer's response to the breach has now been leaked.

Note: Target has not confirmed or denied the authenticity of the report.

According to a recently published article, days after the 2013 breach Target hired an outside firm to perform a comprehensive security assessment of its environment. The leaked internal report listed many weaknesses, including:

1. No controls to prevent movement between systems

According to the report, there were no segmentation or access controls limiting movement once inside the network. Once the consultants reached the core network they had free rein; in one case, after compromising a deli meat scale in one store, they were able to communicate directly with cash registers in another.

2. Poor access controls and user account management

The report explains that although Target had a stringent written password policy, it was not being enforced. Weak or default passwords meant the consultants were able to crack 86% of the system passwords within a week.
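A written policy and an enforced one are different things, and the quickest way to see the gap is to audit recovered passwords against both the policy and the rules a cracker actually applies. The following is an added example, not code from the report or from the original post; the accounts, passwords and wordlists are constructed for illustration, and the policy rules (8+ characters, 3 of 4 character classes) and the mangling rules it reverses are assumptions about a typical corporate policy.

```python
import re

# Constructed sample accounts and cleartext passwords, as a consultant might recover
# them from a domain dump during a password audit; none of these are from the report.
ACCOUNTS = {
    "svc_scale01": "admin",         # vendor default on an embedded device
    "register07": "Register07!",    # derived from the username, yet satisfies complexity
    "jsmith": "Password1!",         # dictionary word plus the usual mangling
    "dba_prod": "Tr0ub4dor&3",      # leetspeak of a dictionary word
    "it_ops": "xq7#Lm2!vR9pZ",      # random: survives the same attack
}

# Constructed wordlists; a real audit would use vendor-default lists and a large dictionary.
DEFAULT_CREDS = {"admin", "password", "1234", "12345", "default", "changeme"}
WORDLIST = {"admin", "password", "welcome", "register", "target", "troubador", "summer"}

# Reverse the leetspeak substitutions that cracking rule sets try (assumed mapping).
LEET = str.maketrans("01345@$", "oieasas")


def meets_policy(pw: str) -> bool:
    """A typical written policy: at least 8 characters drawn from 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def base_word(s: str) -> str:
    """Undo common mangling rules: drop appended digits/symbols, reverse leetspeak, lowercase."""
    core = re.sub(r"[\d\W_]+$", "", s)
    return core.translate(LEET).lower()


def crack_reason(user: str, pw: str):
    """Return why a rule-based dictionary attack would recover this password, or None."""
    if pw.lower() in DEFAULT_CREDS:
        return "default credential"
    base = base_word(pw)
    # Service-style names such as svc_scale01 are reduced to their last token.
    if base and base == base_word(user.split("_")[-1]):
        return "derived from username"
    if base in WORDLIST:
        return f"dictionary word '{base}' + mangling"
    return None


def audit(accounts: dict) -> dict:
    """Per-account verdict: does it satisfy the written policy, and would it fall to cracking?"""
    return {u: {"policy_ok": meets_policy(p), "cracked": crack_reason(u, p)}
            for u, p in accounts.items()}


def summarize(results: dict) -> dict:
    """Counts that expose the gap between policy compliance and actual resistance."""
    return {
        "total": len(results),
        "policy_compliant": sum(r["policy_ok"] for r in results.values()),
        "cracked": sum(r["cracked"] is not None for r in results.values()),
        "compliant_but_cracked": sum(r["policy_ok"] and r["cracked"] is not None
                                     for r in results.values()),
    }


if __name__ == "__main__":
    results = audit(ACCOUNTS)
    for user, verdict in results.items():
        print(f"{user:12} policy_ok={verdict['policy_ok']!s:5} cracked={verdict['cracked']}")
    print(summarize(results))
```

On the constructed sample, four of five accounts satisfy the written policy, yet three of those four fall to the same rule-based attack; a complexity check alone says nothing about whether a password is built from a default, the username or a dictionary word.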

3. Outdated or non-existent patch management

The team found many systems missing critical patches or running outdated web server software. According to the report, the consultants were able to gain access to some Target systems without any credentials.

The report also noted that while Target did have a vulnerability scanning program in place, its remediation process did not fix findings quickly enough, or in some cases at all.
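Scanning without a remediation loop produces exactly the situation described above: findings that are known but stay open across scan cycles. The following is an added example, not code from the report or from the original post, of the minimum tracking a practitioner would bolt onto scanner output: age every finding against a severity-based SLA, flag what is overdue and what has outlived a whole quarterly scan cycle, and measure how quickly the fixes that do land actually land. The scanner export, hosts, dates and SLA values are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Assumed internal remediation SLA by severity (days). Not from the report.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
QUARTER_DAYS = 90  # a finding older than this has survived at least one quarterly scan

# Constructed scanner export for illustration; column names mimic a typical CSV export.
SCAN_EXPORT = """\
finding_id,host,title,cvss,first_seen,status,fixed_on
F-001,pos-reg-07,Outdated web server version,7.5,2015-01-10,open,
F-002,deli-scale-12,Default telnet credentials,9.8,2015-02-01,open,
F-003,web-01,Weak TLS cipher suites,5.3,2015-03-15,fixed,2015-04-20
F-004,db-02,Missing OS security update,10.0,2015-04-21,fixed,2015-04-25
F-005,web-01,Directory listing enabled,5.0,2015-05-02,open,
"""
TODAY = date(2015, 6, 1)  # constructed "as-of" date for the report


def severity(cvss: float) -> str:
    """Map a CVSS base score to the severity band used by the SLA table."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def load_findings(csv_text: str) -> list:
    """Parse the scanner export, coercing scores and dates."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["cvss"] = float(row["cvss"])
        row["severity"] = severity(row["cvss"])
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["fixed_on"] = date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None
        findings.append(row)
    return findings


def time_to_fix(f: dict, today: date) -> int:
    """Days the finding has been (or was) open: to today if open, to fixed_on if fixed."""
    end = f["fixed_on"] or today
    return (end - f["first_seen"]).days


def report(findings: list, today: date) -> dict:
    """Summarise remediation: what is overdue, what outlived a scan cycle, and how fast fixes land."""
    overdue, stale, fixed_within, mttr = [], [], 0, {}
    for f in findings:
        days = time_to_fix(f, today)
        sla = SLA_DAYS[f["severity"]]
        if f["status"] == "open":
            if days > sla:
                overdue.append({"finding_id": f["finding_id"], "host": f["host"],
                                "severity": f["severity"], "days_over_sla": days - sla})
            if days > QUARTER_DAYS:
                stale.append(f["finding_id"])
        else:
            fixed_within += days <= sla
            mttr.setdefault(f["severity"], []).append(days)
    overdue.sort(key=lambda o: o["days_over_sla"], reverse=True)
    return {
        "open": sum(f["status"] == "open" for f in findings),
        "overdue": overdue,
        "stale_across_quarter": stale,
        "fixed_within_sla": fixed_within,
        "mttr_days": {sev: sum(v) / len(v) for sev, v in mttr.items()},
    }


if __name__ == "__main__":
    summary = report(load_findings(SCAN_EXPORT), TODAY)
    print(f"open={summary['open']} fixed_within_sla={summary['fixed_within_sla']}")
    for item in summary["overdue"]:
        print("OVERDUE", item)
    print("survived a scan cycle:", summary["stale_across_quarter"])
    print("mean time to fix by severity:", summary["mttr_days"])
```

The two lists that matter operationally are `overdue` (what to escalate this week) and `stale_across_quarter` (findings that have been reported by at least two consecutive scans and still not fixed, which is the "in some cases, at all" failure). The MTTR figures are what a remediation process should be measured on; the scan itself is just the input.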

What we should learn from the security leak

Retailers can learn a lot from the newly leaked insight into Target's environment and security program, particularly around vulnerability resolution and remediation.

Most merchants are required to perform quarterly vulnerability scans and an annual penetration test to comply with the PCI DSS. We've learned from Target that running these scans is only the first step. It is critical that merchants actually fix the issues the scans surface, which can be a difficult task; for the external scans, the ASV program treats any vulnerability with a CVSS base score of 4.0 or higher as a failing result, so a scan without remediation does not even satisfy the compliance requirement.

To help merchants complete this process (and avoid what happened to Target), Tenzing has recently partnered with Lyrical Security to develop an ecommerce-specific vulnerability management program. Our program includes the required vulnerability scans and penetration tests as well as expert advice on remediation and integration into Tenzing's support network to ensure resolution.

With our service, merchants can ensure that the scans they are (most likely) already doing are translated into action and improvements to their systems.

By working with one of the world's leading sources of security services and intelligence, Tenzing can integrate Lyrical's security expertise into our support services team. We already have standard operating procedures that allow us to triage service requests and ensure resolution, and are excited to offer this level of service to our customers for vulnerability management.


Aisling McCaffrey

Demand Marketing Specialist at Thinkwrap
Aisling is our Demand Marketing Specialist at Thinkwrap, and loves working with both technology and humans. She studied International Business (concentrating in Marketing) and has spent several years living and working in China, mostly in Shanghai, where she became passionate about global innovation and how the use of social media changes in different cultures. Aisling likes to keep up on internet trends - from business to memes - and is always looking for new ways to learn or entertain herself.