Reading about the Target hack, it's hard for me not to empathize with the situation.
Summarizing (and knowingly oversimplifying) the situation per Brian Krebs' reports: the credentials of a third-party contractor with access to the corporate network were compromised and used to deploy purpose-built malware on Target's POS devices, which copied and exfiltrated cardholder data for sale on the underground market.
Based on these events, you would assume that Target doesn't prioritize Information Security and does 'just enough' to be PCI compliant. However, I've been told that Target has a mature InfoSec program and is PCI compliant. So what went wrong? Was Target's spend on InfoSec up through 2013 a waste of effort?
Before answering my own questions, I want to throw in some context and perspective. Target is a LARGE enterprise with 361,000 employees across 1,921 stores in the US and Canada. During the third quarter of 2013, Target reported $17B in sales*. Considering the environmental landscape of the stores, their e-commerce capability, the corporate environment, and the third-party environments supporting the operations, it is unrealistic to expect Target InfoSec to have every single avenue of attack covered. And speaking from my own industry experience, no for-profit enterprise is 'locked down' - they can't be if they want to hit their revenue targets and meet market expectations. Business is risk, after all.
So what went wrong? Only Target InfoSec will truly know the root cause of the failure, but it would be safe to assume user account management and provisioning will be a core focus, alongside change control procedures. Neither of these is typically an InfoSec-owned process, and neither is easily solved with a technology solution.
Was Target's spend on InfoSec up through 2013 a waste of effort? Of course not. All indicators are that Target has a solid foundation to build on - defined InfoSec policies and standards, network security policies, system security policies, threat and vulnerability management, incident response, and a compliance program. Without these at a Level 3 (Defined) maturity state, they surely wouldn't be able to document this attack model or build subsequent threat models to monitor against in the future; or update and improve monitoring of sensitive data access by restricted sets of users; or implement more stringent data protection policies across the enterprise.
Of course, this is all a supposition based on my own experience in large enterprise environments. Regardless, I wish the best of luck to the Target InfoSec team.
* Data pulled from their 10-Q released 27-Nov-13, days before the malware was reported to be deployed.