Sergei Grits/AP

What the Target Breach and Edward Snowden Tell Us About Network Controls

Giant data leaks from retailers to national security show that cyber security is more than an IT issue. It's about who has access -- and control. By Eric Chiu

Target. Even the brand name lends itself to hacking. It’s like painting a bright red bull’s-eye on a big, juicy company with lots of money and information, just waiting to be stolen. And it was.

While such breaches are sadly common now, the high-profile attack on retail giant Target stands out for several reasons. First, there’s the sheer scope of the theft. By some accounts, it’s the single largest corporate hack in history. Next, it targeted (there’s no way avoid the pun) the retail industry, the repository of vast amounts of data on millions of consumers. Third, rather than a single announcement regarding the breach, there’s been a slow and constant drip of bad news. As far as we know (and we still don’t know much) the hacking began on Nov. 27 and went on through Dec. 15. The first word of it came from a cybersecurity blogger, and Target subsequently confirmed that financial information on 40 million consumers had been compromised. That’s a scary prospect by any measure, but on Jan. 10 the company reported that personal information (home addresses, phone numbers, etc.) on 70 million customers had been exposed.

Does that overlap with the 40 million whose financial data was compromised, or does it mean a third of the entire U.S. population? We don’t know. Could the numbers change again? We don’t know. Most importantly, how did this happen? You guessed it: We don’t know.

Target still hasn’t said much, but initial thinking held that hackers had accessed point-of-sale data by inserting malware into a central software distribution database used to update software in customer-facing terminals. This is because the victims were believed to be only consumers who swiped debit or credit cards at terminals in U.S. stores. The stolen data included names, credit and debit card numbers, expiration dates and three-digit security codes. However, the news regarding the 70 million victims goes further; more than just financial data, it likely meant marketing databases were compromised. This will have a huge impact on consumers for years to come, from unauthorized transactions, to phishing attacks, to the theft of even more information, and, ultimately, identity theft.

(Read more Defense One coverage on cyber-security here) 

If the Target fiasco is one extreme, then the other breach that dominates the news—Edward Snowden’s hacking of National Security Administration data—is surely another. The Snowden saga involves a lone operative authorized to access at least some of the data he released, in pursuit of a political agenda; the Target breach is the work of sophisticated cybercriminals chasing financial gains. Yet both episodes clearly demonstrate that every organization relying on sensitive information from financial services and healthcare corporations to government agencies, is in its own way a target (there’s that word again).

What’s particularly maddening is that despite saturation coverage of many high-profile breaches, each taking its toll on brand reputation, data security is still rarely a top priority. Companies do the minimum they believe they need to do in order to comply with government mandates and industry guidelines, but the initiatives are typically tactical rather than strategic. More to the point, positioning it exclusively as an information technology issue, as a lot of the media tend to do, continues this short-sighted approach. And of course, the ongoing mass migration to consolidated, virtualized infrastructures and a cloud model presents even greater potential for security problems.

The benefits of such a move are clearly undeniable—it cuts costs, boosts flexibility and helps streamline the entire infrastructure—and it’s why most organizations store huge amounts of data and resources in virtualized infrastructures and the cloud this way. However, this model also introduces a host of fresh vulnerabilities.

For a start, it gives even low-level systems engineers and administrators unprecedented levels of access. This is exactly how Snowden, for example, got the keys to the kingdom. The kind of privileged access taken for granted in virtualized environments also allows an unprecedented level of attack escalation. Given that there’s a much greater concentration of risk, it’s much harder to contain the damage once an assault commences.

Too many organizations see IT security as exclusively an IT issue, and it categorically is not. Given the brand and customer damage Target has suffered, I’m sure company officials there would agree. This is fundamentally about control—deciding who has what kind of access to the network, how specific roles are monitored, ensuring that usage records can be retrieved for compliance, troubleshooting, and forensic analysis, etc.

Moving forward, organizations need to take a far more strategic approach to security than they ever have before. We all want advances in the network infrastructure, since each technological breakthrough enables greater productivity. However, innovation without adequate security defeats the very purpose of progress. With the right strategy, technology and enforcement, we can have both.

Eric Chiu is co-founder of HyTrust, a cloud security automation company. He previously served in executive roles at Cemaphore Systems and MailFrontier, and was a venture capitalist at Brentwood (now Redpoint) and Pinnacle Ventures. He is a published author and speaks frequently at industry forums internationally. He can be reached at echiu@hytrust.com. 

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.