After the Target data breach last November, we posted an update to our LinkedIn page, asking "What's the lesson from Target's data breach?" We received 52 responses from IT professionals in what turned out to be a really insightful discussion.
Here is what the LinkedIn community had to say about the lessons learned from the Target data breach …
InfoSec Needs Money and People

A common lament in the thread was the lack of attention from upper management. Retailers devote just 4 percent of their IT budgets to security, compared with 5.6 percent for healthcare companies and 5.5 percent for banks, according to Gartner.
But money alone isn't enough. "The biggest lesson from Target is that you can have all the toys in the security world, but unless everyone in the company makes security their job, it won't work," wrote one respondent. Another person put it more eloquently: "That even the most state-of-the-art software needs human interpretation; we are the weakest link of all."
Egress Monitoring, Egress Monitoring!

Bryan Brake, CISSP and host of the "Brake"ing Down Security podcast, wrote: "I've been telling our organization that monitoring egress filtering is as important, if not more so, than what's coming into your network. Egress can show exfiltration, botnet activity (out to command-and-control servers), as well as bandwidth usage."
For ExtraHop's solution to this problem, read John Smith's blog post, especially the section "Outsiders Infiltrate at Megabit Speeds and Steal at Gigabit Speeds."
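The two egress signals Brake names, exfiltration volume and command-and-control beaconing, can both be read out of plain flow records. The script below is an added illustration, not code from ExtraHop, the podcast, or anyone in the thread: it takes constructed NetFlow-style tuples (timestamp in seconds, source IP, destination IP, destination port, bytes out), keeps only flows that leave the internal address space, and then (a) totals outbound bytes per internal host against a volume limit and (b) looks for host/destination/port series whose inter-flow gaps are nearly constant. The internal ranges, the 100 MB limit, the minimum flow count and the 10 percent jitter ratio are all illustrative assumptions, and the external addresses come from the RFC 5737 documentation blocks.

```python
"""Egress flow review: outbound volume per host and beacon-interval check.

Added example, not ExtraHop's or the podcast's code. All flow records,
thresholds and address ranges below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: these RFC 1918 ranges are the monitored internal space.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow records: (ts_seconds, src_ip, dst_ip, dst_port, bytes_out).
# External hosts use RFC 5737 documentation addresses.
FLOWS = [
    # 10.0.0.5: ordinary, irregular web traffic
    (0, "10.0.0.5", "198.51.100.34", 443, 1200),
    (37, "10.0.0.5", "198.51.100.34", 443, 800),
    (95, "10.0.0.5", "192.0.2.69", 443, 2000),
    # internal-to-internal file share traffic; must be ignored as egress
    (10, "10.0.0.5", "10.0.0.9", 445, 50_000),
    # 10.0.0.23: small check-ins every ~60 s to one external host,
    # followed by a single very large outbound transfer
    (0, "10.0.0.23", "203.0.113.7", 8443, 300),
    (60, "10.0.0.23", "203.0.113.7", 8443, 310),
    (121, "10.0.0.23", "203.0.113.7", 8443, 295),
    (180, "10.0.0.23", "203.0.113.7", 8443, 305),
    (240, "10.0.0.23", "203.0.113.7", 8443, 300),
    (250, "10.0.0.23", "203.0.113.7", 21, 750_000_000),
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_flows(records):
    """Keep only flows from an internal source to an external destination."""
    return [r for r in records if is_internal(r[1]) and not is_internal(r[2])]


def outbound_volume_by_host(records):
    """Sum outbound bytes per internal source host over egress flows only."""
    totals = defaultdict(int)
    for _ts, src, _dst, _port, nbytes in egress_flows(records):
        totals[src] += nbytes
    return dict(totals)


def flag_high_volume(records, limit_bytes):
    """Internal hosts whose total egress exceeds limit_bytes (sorted)."""
    return sorted(h for h, b in outbound_volume_by_host(records).items() if b > limit_bytes)


def beacon_candidates(records, min_flows=4, max_jitter_ratio=0.10):
    """(src, dst, port) series with near-constant spacing between flows.

    A series qualifies when it has at least min_flows flows and the
    population standard deviation of the gaps is at most max_jitter_ratio
    of the mean gap. Irregular browsing fails this test; timer-driven
    check-ins pass it.
    """
    series = defaultdict(list)
    for ts, src, dst, port, _nbytes in egress_flows(records):
        series[(src, dst, port)].append(ts)
    found = []
    for key, stamps in series.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            found.append(key)
    return sorted(found)


def review(records, limit_bytes=100_000_000):
    """Combine both checks into one report dict for the sample records."""
    return {
        "volume_by_host": outbound_volume_by_host(records),
        "high_volume_hosts": flag_high_volume(records, limit_bytes),
        "beacon_candidates": beacon_candidates(records),
    }


if __name__ == "__main__":
    for k, v in review(FLOWS).items():
        print(f"{k}: {v}")
```

On the constructed records the internal 445 flow is dropped before any totals are taken, 10.0.0.5 stays under every threshold, and 10.0.0.23 is reported twice: once for the near-constant 60 second spacing to 203.0.113.7:8443 and once for the 750 MB outbound transfer. In a real deployment the volume limit would be set per host role from a baseline rather than as a single constant, and the beacon check would be run over a longer window than a few minutes.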
Penetration Testing Is Often Neglected

Several commenters pointed out that white-hat penetration testing is required to truly understand how well an environment is secured.
One person chalked it up to politics: "The reluctance of companies to pay for third-party, white-hat pen-testing will continue to result in issues like Target, Neiman Marcus, and probably dozens of others that we don't know about. CIOs and IT managers do not want to look bad on a third-party report."
Another respondent pointed out that off-the-shelf applications can lend a false sense of security: "Far too many companies think that everything is secure if the applications are provided by a vendor. NOT SO! Penetration testing must be done on every unique infrastructure—not all vulnerabilities are introduced through the application."
The Role of PCI Compliance

There was some debate about the effectiveness of PCI compliance. One security architect pointed out that PCI compliance—while well intended—can leave companies complacent. What InfoSec really needs is to adopt risk-based security methodologies, he wrote. A CISSP replied that PCI actually does require a risk assessment of the entire enterprise, but that few Qualified Security Assessors (QSAs) actually ask for more than lip-service for this requirement. He continued, "I'd love to see more retail orgs leverage that risk requirement as an excuse to move their security program from 'bare minimum' affairs concerned largely with meeting compliance to a true risk-based security program as you've described."
No System Is Impenetrable

One respondent took issue with claims that the Target breach could have been avoided: "It [the breach] most certainly would [have happened] just not to the degree of this particular breach. You sound as if you think that some sort of actual secure system has been created somewhere. It exists, but it can't communicate." Another CISSP-ISSEP added, "There are two kinds of companies out there, one that has been hacked, and the one that doesn't know they have been hacked."
Want to join in the discussion? Visit the discussion thread on LinkedIn.
Interested in what wire data analytics can do for InfoSec? Read more about ExtraHop's solutions for security and compliance.