
Question

During the Christmas holiday shopping season in 2013, Target Corporation revealed that it had been the victim of a massive data breach, which compromised the identities of millions of their customers. While Target had the misfortune of being the first to reveal the breach, it was later discovered, in a much less public way, that other retailers had been victims of the same attack.

Engage in research on this particular data breach and learn as much as you can about the circumstances, sources, and methods that were used in this attack. When you have completed that research and the study activities related to security principles, apply those principles to what you have learned about the attack. Write a 2–3 page paper discussing the areas of vulnerability that were exploited and what security principles failed, providing a gateway into the information assets of Target Corporation and other retailers. As part of your discussion:

Analyze the approach taken by the attackers to gain access to this data.

Analyze the failures in the security principles that made the organization vulnerable to this attack.

Explain how this attack could have been prevented without impacting user productivity or customer satisfaction.

Explain how the security principles can be applied in order to enforce policy and prevent a future breach.

Assignment Requirements

Written communication: Written communication is free of errors that detract from the overall message.

APA formatting: Resources and citations are formatted according to APA (6th edition) style and formatting.

Length of paper: 2–3 pages, excluding the references page.

Font and font size: Times New Roman, 12 point.

Resources

Explanation / Answer

Premise:

During the infamous Target Corporation’s data breach, the personal and financial information of approximately 110 million people, comprising 11 GB of data, was stolen in a successful compromise during the Christmas shopping season of 2013. The attackers persisted undetected for almost 2 weeks. The attack was attributed to a cyber criminal in the Ukraine.

The attacker first compromised a 3rd party contractor, who provides HVAC services to Target. The attacker probably used Target’s contractor portal as a point of presence to penetrate the internal network and compromise an internal Windows file server. Although the publicly disclosed forensics don’t include full details, it’s likely that the attacker first compromised the Windows server and used it to find and compromise the point-of-sale (POS) systems, where a Trojan that finds clear-text copies of credit card magnetic stripe information was installed. The data was consolidated back on the Windows server, where it was sent to three (3) FTP servers at regular intervals.

At the time of the attack, none of the anti-virus solutions on the market would have or did detect the malware, dubbed Trojan.POSRAM, a variant of BlackPOS. In fact, even as of a couple of weeks into the forensics investigation, signature-based anti-virus was ineffective in detecting the POS trojan.

Approach taken by the attackers:

1. Compromising 3rd party Contractor

A Target HVAC contractor fell victim to a phishing attack in which Citadel malware, a variant of the Zeus banking Trojan, was installed. Citadel captures keystrokes and takes screen grabs, and targets login credentials. While many anti-malware solutions will identify Zeus and Citadel, the 3rd party had deployed Malwarebytes free edition, which doesn’t offer real-time protection.

This can be avoided by:

2. Compromising Web Server

There are a few potential targets the attackers gained access to with the contractor’s credentials: the Ariba contractor purchase management portal, Target’s Partners Online portal, and Target’s Property Development Portal. It appears as though Ariba is a cloud service and not directly connected to any of Target’s networks, which leaves the other two as likely avenues of attack. It’s possible that attackers abused a vulnerability in the web application, such as SQL injection, XSS, or possibly a zero-day, to gain a point of presence and escalate privileges, then attack internal systems.

However, this can be avoided by the following:

3. Compromising Windows File Server and POS Systems

The internal system may have been compromised through the same latent vulnerabilities as the web server, or a default password was left unchanged. All the mitigation strategies for the web server apply here (see #1). In addition, this can be avoided by:

Also, we can assume that the contractor mentioned earlier may have had direct access into Target’s network to remotely monitor and manage HVAC equipment. This is pure speculation, and the contractor claims that their access was solely to external systems; however, many organizations do allow contractors internal access to monitor and maintain facilities equipment as well as IT systems. Providing direct access to 3rd parties demands strong security controls and governance over the systems they use to access customer systems.

New details have come to light about the credentials used by the malware: the username, “Best1_user”, and password, “BackupU$r”, appear to be related to BMC Software’s Performance Assurance for Microsoft Servers. In addition, a service was installed called “bladelogic.exe”, implying BMC’s BladeLogic software. BMC has claimed that none of their executables are so named, and that the password is not one generated by any of their software systems. If true, then the attackers were simply hiding their malware by making it appear to be legitimate system utilities used by Target. It does show the sophistication of the campaign: the attackers gathered enough intelligence and modified their software to blend in with the native target environment.

4. Installation and Execution of POS Trojan

The malware installed on the POS systems scans memory for clear-text copies of credit card data, known as RAM scraping, which is a decidedly uncommon activity for an application.

This can be avoided by:

5. Sending Stolen Data to the Internal Rally Point

The malware creates a temporary Windows share, moves the stolen credit card data to the central repository, then removes the share. After a load of data is moved, the malware on the POS sends a custom crafted ICMP (i.e., network ping) packet containing a notification string that malware on the file server listens for.

This can be avoided by:

6. Exfiltration of Stolen Data to External FTP Servers

Data was exfiltrated on a regular basis to FTP servers in Russia.

This can be detected

Protecting Against Future, Sophisticated Attacks

There are many measures we can implement with the benefit of hindsight; yet, they’re all reactive and specific to this threat, much like why we have to take off our shoes when going through airport security. The nature of APTs is they are unique and unpredictable. I’ve tried to make the steps above as generic as possible so they apply to not just the Target breach. Other steps retailers can take with the Target breach as an example in the rear view mirror are:

Prepare for the Worst, Hope for the Best

In the final analysis, there is no perfect or foolproof detection and prevention technology; however, with appropriate architecture, policies, and technology as mentioned above, one can at least be prepared.

Optimally, our plan should include detection, response and escalation, engaging law enforcement as appropriate, preservation of evidence, compliance with regulations and contractual agreements, customer and press notification, and public relations. Finally, testing our process regularly can save the day.
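As an added illustration of how the in-band ICMP notification from step 5 could be spotted on the wire (example code, not part of the original answer), the following parses raw IPv4/ICMP packets and flags echo requests whose payload is not the fixed 32-byte pattern a Windows ping sends. The host addresses and the notification string are constructed, and a Windows-only POS estate is an assumption.

```python
import struct

# Assumption (not from the page): the POS estate runs Windows, whose ping
# utility sends this fixed 32-byte echo payload.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def build_echo_request(src, dst, payload):
    """Construct a minimal IPv4 + ICMP echo-request packet (checksums left zero)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload  # type 8 = echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_b, dst_b)
    return ip + icmp


def parse_ipv4_icmp(pkt):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP, 8-byte ICMP header
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 8:]


def suspicious_echo_requests(packets):
    """Flag echo requests whose payload is not the expected ping pattern."""
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type == 8 and payload != WINDOWS_PING_PAYLOAD:
            alerts.append((src, dst, payload))
    return alerts


# Constructed sample traffic: one ordinary ping and one echo request carrying
# a made-up "batch ready" notification string, both to the same internal host.
SAMPLE_PACKETS = [
    build_echo_request("10.20.1.15", "10.10.0.5", WINDOWS_PING_PAYLOAD),
    build_echo_request("10.20.1.22", "10.10.0.5", b"CONSTRUCTED-NOTIFY batch ready"),
]

if __name__ == "__main__":
    for src, dst, payload in suspicious_echo_requests(SAMPLE_PACKETS):
        print(f"ALERT {src} -> {dst}: ICMP echo with non-standard payload {payload!r}")
```

In practice the same check would run over packets captured at the POS segment boundary, and any hit is worth correlating with short-lived share creation on the source host.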
