What the Target Breach Teaches Us About Standards, Regulations, and Critical Infrastructure

Posted on by Gib Sorebo

The recently disclosed security breach of Target’s® point of sale terminals and related infrastructure is likely to become a lesson in the limitations of standards and regulations when it comes to protecting sensitive information and critical systems, despite the political piling on that traditionally visits a high-profile data breach.  Absent some newly discovered evidence of incompetence, the Target breach may go down as one of many examples of a successful cybersecurity attack despite the company’s best efforts to comply with relevant standards and best practices.  While hindsight will inevitably point to actions that Target could have taken to prevent the breach, it is highly likely that any government law or regulation currently being considered would not have done much good.  That’s not because government is clueless.  It is simply the nature of regulations and standards: they cannot hope to keep up with the evolution of attacks.  Those under attack must constantly adjust the controls they implement.  While some high-level guidance around segmentation, minimization of attack surfaces, and regular monitoring can be useful, the tactical measures needed to combat changing attacks must be dynamic.  For example, it is doubtful that any standard or regulation anticipated the memory-scraping, firewall-evading malware known as BlackPOS, which is rumored to be behind the Target breach.  And even though Visa® issued an advisory last August on “memory-parsing malware,” it is unlikely that the malware signatures and malicious Internet Protocol (IP) addresses provided would have prevented the breach, particularly when hackers can easily tweak the code to avoid detection.  Moreover, while Visa’s guidance about using application whitelisting or performing binary checksums could have proved effective if used, technological limitations could have made such actions unfeasible.

However, what the Visa guidance does show, and other court cases have reinforced, is the need to require those defending against cybersecurity attacks to be in a constant state of innovation.  That means that instead of pushing out cybersecurity frameworks meant for an entire industry, the goal should be to constantly highlight new technologies, best practices, and innovative business processes that show promise.  Individual organizations would then be judged on their ability to select the innovations (i.e., specific products, procedures, and techniques rather than high-level controls) that best apply to them, with consequences for those who choose not to evolve when they have the option to do so.  This is very much the challenge faced by critical infrastructures that are deluged by control requirements that don’t make sense or are simply not feasible on the legacy systems they use.  Requiring them to innovate where it is possible is a much better approach.  For example, rather than requiring patches for vulnerabilities on legacy systems that cannot be patched, perhaps we could require application whitelisting.  Similarly, where monitoring introduces another attack surface into an otherwise isolated environment, perhaps a data diode might be a valid option.
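The two preceding paragraphs contrast signature-style indicators, which a lightly altered binary slips past, with application whitelisting and binary checksums, which flag anything not on a known-good list regardless of how the attacker changed the code. The script below is an added illustration of that difference, not code from the post, from Visa's advisory, or from Target; the directory, file names and file contents are constructed sample data, and a real deployment would store the baseline somewhere the protected host cannot rewrite it.

```python
"""Allowlist-by-checksum check for a directory of POS binaries (constructed demo)."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record the checksum of every file under root at a known-good moment."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree to the baseline; anything off the allowlist is reported."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "unknown": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def ioc_match(root: Path, bad_hashes: set) -> list:
    """Signature-style check: flags only files whose hash is already on a blocklist."""
    return sorted(k for k, v in build_baseline(root).items() if v in bad_hashes)

def demo() -> dict:
    """Constructed scenario: a baseline is taken, then the tree changes under it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pos.exe").write_bytes(b"legitimate POS binary v1")  # constructed content
        (root / "helper.dll").write_bytes(b"legitimate helper library")
        baseline = build_baseline(root)
        # Blocklist built from a previously published sample hash (constructed here).
        original_sample = b"previously seen unwanted sample"
        blocklist = {hashlib.sha256(original_sample).hexdigest()}
        # Later state: a slightly altered copy of that sample appears, pos.exe is
        # replaced, and helper.dll is gone. The blocklist misses the altered copy;
        # the allowlist comparison reports all three changes.
        (root / "unexpected.exe").write_bytes(original_sample + b" v2")
        (root / "pos.exe").write_bytes(b"legitimate POS binary v1 (altered)")
        (root / "helper.dll").unlink()
        return {"blocklist_hits": ioc_match(root, blocklist), **verify(root, baseline)}
```

`demo()` returns an empty `blocklist_hits` list alongside one modified, one unknown and one missing file, which is the whole point of preferring an allowlist over published signatures on a system that cannot otherwise be patched.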

But beyond innovation in protection, organizations desperately need innovation in the detection of and response to attacks.  Based on the evidence available, it appears that the Target breach was discovered not by monitoring tools within its enterprise but by law enforcement noting the existence of large batches of credit card information being sold that were all correlated to purchases at Target.  While it is somewhat disappointing to admit we have to resort to the proverbial locking of the barn door after the horse has run out, these actions are closer to forming a search party to find the horse, or in this case, searching for a horse that the owner didn’t know he had lost.  Metaphors aside, we need to be better at leveraging third parties to help determine when a breach occurred.  In the past, this after-the-fact investigation was viewed as lazy.  In the current environment, such a response, when combined with a robust cybersecurity program, is likely to be viewed as the most responsible approach.

Finally, we have the response once a breach is detected.  It is here that innovation matters most, particularly for critical infrastructure.  Knowing what to do to contain the damage, make customers whole where possible, and bring operations back to normal is critical.  Innovating here often means building business processes that are flexible and taking advantage of alternative resources.  For an electric utility that may mean participating in the Spare Transformer Equipment Program (STEP) to have equipment available at a reasonable cost, or ensuring there are manual controls to take over for all automated processes.  In the future, it will be these sorts of questions that organizations should have to answer to show that they have considered not only the evolving threats but also what they should do once an attack is successful.

Target is a registered trademark of Target Brands, Inc. in the U.S. and/or other countries.  Visa is a registered trademark of Visa International Service Association in the U.S. and/or other countries.

Gib Sorebo

Security Associate Director, Accenture

Tags: risk management, critical infrastructure

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.