The most disturbing aspect of the Target data breach over this past holiday-shopping season is that we aren’t celebrating it.
Never mind that the international thieves pulled off an incredibly sophisticated dodge of cybersecurity. Forget that they were able to gain access to the network of one of the United States’ biggest retailers. And don’t even think about the financial and personal information that was obtained on as many as 110 million Target customers and removed to a server somewhere in eastern Europe.
We should celebrate that no one died and that we’re now aware of the vulnerabilities in our networks. And, while we’re at it, let’s throw a party to remind us that we have the ability to protect against these types of attacks.
Consider all of it a warning shot across the bow — we’ve been served noticed the gigabyte is the new gold bullion, and data require the same level of security that’s employed at the U.S. Bullion Depository located near Fort Knox, Kentucky.
Thar’s gold in them thar’ data, and we have the ability to keep things safe. The trick is in executing the plan and making cybersecurity a functional strategy as the Internet of Things moves to turn every machine into a glowing entryway to fortune. Or terror.
The Target breach has been traced back to Fazio Mechanical Services, a small HVAC/R company based in Sharpsburg, Pennsylvania, that allegedly didn’t follow the same security practices that most companies do. Using malware-infected emails, the cyber attackers were reportedly able to steal credentials from Fazio, which primarily provides refrigeration services for supermarkets on the eastern U.S. seaboard. As a contracted vendor, it had access to less sensitive areas of Target’s network, such as project management and contract submission, and this gave them the opportunity to infiltrate more sensitive areas containing customer data.
|Mike Bacidore is chief editor of Plant Services and has been an integral part of the Putman Media editorial team since 2007, when he was managing editor of Control Design magazine. Previously, he was editorial director at Hughes Communications and a portfolio manager of the human resources and labor law areas at Wolters Kluwer. Bacidore holds a BA from the University of Illinois and an MBA from Lake Forest Graduate School of Management. He is an award-winning columnist, earning a Gold Regional Award and a Silver National Award from the American Society of Business Publication Editors. He may be reached at 630-467-1300 ext. 444 or email@example.com or check out his Google+ profile.
|Subscribe to the From the Editor RSS feed|
It’s still unclear how the cyber thieves were able to move to point-of-sale terminals, but it’s likely they were not properly isolated.
In addition, the U.S. Senate Committee on Commerce, Science, and Transportation released its initial report, “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach,” in late March. The report explained that Target also ignored more than one automated alert from its own anti-intrusion software that malware was present. It apparently even identified the attackers’ data-exfiltration escape routes. But all of this was ignored.
The Senate report is definitely worth a read (www.plantservices.com/targetdata). Its analysis of what’s known to have occurred so far uses the “intrusion kill chain,” a cybersecurity tool developed a few years ago by Lockheed Martin researchers. You can find the white paper at www.plantservices.com/killchain.
Target missed several significant opportunities to thwart the attack and quell the breach, according to the Senate report. That’s good news, as long as we heed that initial warning shot and pay attention to the warnings and reinforce the defenses we have.
The Internet of Things offers the promise of machine utopia, but only as long as the walls are properly patrolled.