Another Target Security Leak
Almost two years after 40 million credit card numbers were compromised in the biggest retail hack in U.S. history, information about the retailer's response to the breach has now been leaked.
Note: Target has not confirmed or denied the authenticity of the report.
According to a recently published article, days after the 2013 breach Target hired a firm to perform comprehensive security tests on their site. The leaked internal corporate report listed many weaknesses in their environment, including:
1. No controls to prevent movement between systems
According to the report, there were no controls that limited access once inside the network. Once the consultants had access to the core network they had free rein; in one case this allowed them to communicate with cash registers after compromising a deli meat scale in another store.
2. Poor access controls and user account management
The report explains that even though Target had a stringent password policy in place, it was not being followed. Weak or default passwords meant that the consultants were able to crack 86% of their systems' passwords within a week.
3. Outdated or non-existent patch management
The team found many systems missing critical patches or running outdated web server software. According to the report, the consultants were able to gain access to some Target systems without any credentials.
The report also advised that while Target did have a vulnerability scanning program in place, their remediation process did not address issues quickly enough (or in some cases, at all).
What we should learn from the security leak
Retailers can learn a lot from the newly discovered insight into Target's environment and security systems, particularly around vulnerability resolution and remediation.
Most merchants are required to perform quarterly vulnerability scans and an annual penetration test to comply with PCI security standards. We've learned from Target that doing these scans is only the first step. It is critical that merchants address any issues or vulnerabilities the scans find, which can be a difficult task.
To help merchants complete this process (and avoid what happened to Target), Tenzing has recently partnered with Lyrical Security to develop an ecommerce-specific vulnerability management program. Our program includes the required vulnerability scans and penetration tests as well as expert advice on remediation and integration into Tenzing's support network to ensure resolution.
With our service, merchants can ensure that the scans they are (most likely) already doing are translated into action and improvements to their systems.
By working with one of the world's leading sources of security services and intelligence, Tenzing can integrate Lyrical's security expertise into our support services team. We already have standard operating procedures that allow us to triage service requests and ensure resolution, and we are excited to offer this level of service to our customers for vulnerability management.