In a recent KrebsOnSecurity post, Brian Krebs details Verizon’s findings as set down in a Target corporate report.
The findings demonstrate that the mundane, widely discussed security best practices really do matter: without them, even the best new security platforms cannot defend against breaches.
Here are six things Target did wrong both before and immediately after the breach that contributed to the theft of information from 40 million credit and debit cards.
Failure to segment networks: From the post: “‘[N]o controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.’ … In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.”
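The deli-scale-to-register path is what a flat network looks like when you trace where a foothold can pivot. The following is an added example (not from the Krebs post or the Verizon report) showing how a defender can audit a zone-to-zone allow-list for exactly that: it parses a small rule set, computes which zones a compromise in one zone could transitively reach, and flags any untrusted zone that can get to a protected one. The zone names, the rule syntax and both rule sets are constructed for illustration.

```python
from collections import deque

# Constructed example rule sets (illustrative, not Target's configuration).
# Syntax: "allow <src_zone> -> <dst_zone> <proto>/<port>"; anything not listed is denied.
FLAT_RULES = """
allow any -> any any/any
"""

SEGMENTED_RULES = """
allow corp -> pos tcp/443
allow corp -> store-mgmt tcp/22
allow store-devices -> store-mgmt tcp/8443
allow pos -> payment-gw tcp/443
"""

# Hypothetical zones: in-store equipment such as scales lives in "store-devices".
ZONES = ["corp", "store-devices", "store-mgmt", "pos", "payment-gw"]


def parse_rules(text):
    """Turn the rule text into (src, dst, proto, port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "allow" or parts[2] != "->":
            continue
        proto, port = parts[4].split("/")
        rules.append((parts[1], parts[3], proto, port))
    return rules


def allowed(rules, src, dst):
    """Default deny: True only if some rule permits src zone -> dst zone."""
    return any(rs in (src, "any") and rd in (dst, "any") for rs, rd, _p, _port in rules)


def reachable_zones(rules, start):
    """Zones a foothold in `start` could pivot to, following allowed hops transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for zone in ZONES:
            if zone not in seen and allowed(rules, current, zone):
                seen.add(zone)
                queue.append(zone)
    return seen - {start}


def audit_segmentation(rules, protected, untrusted):
    """Report every untrusted zone that can reach a protected zone, directly or by pivoting."""
    findings = []
    for zone in untrusted:
        reach = reachable_zones(rules, zone)
        findings.extend(f"{zone} can pivot to {p}" for p in protected if p in reach)
    return findings


if __name__ == "__main__":
    for name, text in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        rules = parse_rules(text)
        print(name, "-> reachable from store-devices:",
              sorted(reachable_zones(rules, "store-devices")))
        print(name, "-> findings:", audit_segmentation(rules, ["pos", "payment-gw"], ["store-devices"]))
```

With the flat rule set every zone is reachable from the store-devices zone, which is the deli-scale scenario; with the segmented rule set a compromised store device can reach only the store management zone, and the audit returns no findings. Running the same check against real firewall exports is how you catch the one "temporary" any-to-any rule that quietly flattens a network.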
Poor password policy enforcement: From the post: “The Verizon consultants discovered a file containing valid network credentials being stored on several servers. The Verizon consultants also discovered systems and services utilizing either weak or default passwords. Utilizing these weak passwords the consultants were able to instantly gain access to the affected systems.
“The Verizon security consultants identified several systems that were using misconfigured services, such as several Microsoft SQL servers that had a weak administrator password, and Apache Tomcat servers using the default administrator password,” the report observes. “Through these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and to eventually gain domain administrator access.”
Weak passwords: From the post: “Within one week, the security consultants reported that they were able to crack 472,308 of Target’s 547,470 passwords (86 percent) that allowed access to various internal networks, including target.com, corp.target.com, email.target.com, stores.target.com, hq.target.com, labs.target.com and olk.target.com.” The post says that Verizon consultants also cracked 12 (34%) of 35 admin domain passwords.
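The three password findings above (credentials stored in files on servers, default and weak passwords on services, and a password population that was mostly crackable) are all things a defender can test for before an assessor does. The following is an added example, not code from the post or the report, of a small credential-hygiene audit: a policy check that flags default, short, low-complexity or account-derived passwords and reports the share of accounts failing, plus a scanner for lines in configuration files that look like stored credentials. The default-password list, the sample accounts and the sample properties file are all constructed for the example; the policy thresholds are assumptions.

```python
import re

# Constructed sample data for this example; none of it comes from the Verizon report.
DEFAULT_PASSWORDS = {"admin", "password", "password1", "tomcat", "changeme", "123456", "welcome1"}

SAMPLE_ACCOUNTS = [
    ("svc_backup", "Password1"),
    ("tomcat", "tomcat"),
    ("jdoe", "Summer2013!"),
    ("ops_admin", "cU9#xq2Lm!vR8zT"),
    ("store_mgr", "store_mgr2013"),
]

SAMPLE_CONFIG = """\
# constructed example of a properties file left on a server
db.host=db01.example.internal
db.user=svc_report
db.password=Password1
tomcat.manager.pwd: tomcat
"""

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
# Lines of the form "password=..." / "passwd: ..." / "pwd=..." in any case.
CRED_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+")


def password_findings(account, pw, min_len=12):
    """Return the policy violations for one password; an empty list means it passes."""
    findings = []
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("default or common password")
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if sum(bool(re.search(p, pw)) for p in CHAR_CLASSES) < 3:
        findings.append("fewer than 3 character classes")
    if account.lower() in pw.lower():
        findings.append("contains the account name")
    return findings


def audit_accounts(entries, min_len=12):
    """Map each failing account to its findings and report the share of weak passwords."""
    weak = {}
    for account, pw in entries:
        findings = password_findings(account, pw, min_len)
        if findings:
            weak[account] = findings
    percent_weak = round(100 * len(weak) / len(entries)) if entries else 0
    return weak, percent_weak


def find_plaintext_credentials(text):
    """Return (line number, line) for lines that look like stored credentials."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if CRED_PATTERN.search(line)]


if __name__ == "__main__":
    weak, pct = audit_accounts(SAMPLE_ACCOUNTS)
    for account, findings in weak.items():
        print(f"{account}: {', '.join(findings)}")
    print(f"{pct}% of sample accounts fail policy")
    for n, line in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"credential material at line {n}: {line}")
```

On the sample set four of the five accounts fail, an 80% rate in the same neighbourhood as the 86% Verizon reported. In practice the password check would run against hashes via a cracking tool you control rather than against plaintext, but the policy logic and the file scanner are the same; the point is that a one-week engagement by an outside team should never be the first time anyone measures this.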
Lax patch management: From the post: “For example, the Verizon consultants found systems missing critical Microsoft patches.”
Running outdated, vulnerable services: From the post: “… running outdated [web server] software such as Apache, IBM WebSphere, and PHP. These services were hosted on web servers, databases, and other critical infrastructure,” the report notes. “These services have many known vulnerabilities associated with them. In several of these instances where Verizon discovered these outdated services or unpatched systems, they were able to gain access to the affected systems without needing to know any authentication credentials.”
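Both the missing-patch and the outdated-service findings come down to the same control: an inventory of what is running, compared against a baseline of the minimum acceptable version. The following is an added example, not from the post or the report, of that comparison. It parses a constructed host inventory, checks each product against a constructed baseline, and compares version components numerically, because the obvious string comparison gets "2.4.9" versus "2.4.10" backwards and would report an outdated server as current. Hostnames, products and version numbers are all illustrative assumptions.

```python
import re

# Constructed inventory ("host product version") and baseline; versions are illustrative only.
INVENTORY = """\
web01 apache 2.2.22
web02 apache 2.4.10
web03 apache 2.4.9
app01 php 5.3.3
app02 php 5.5.20
app03 websphere 7.0.0.1
db01 mssql 10.50.4000
"""

MIN_VERSIONS = {"apache": "2.4.10", "php": "5.5.20", "mssql": "10.50.4000"}


def version_key(version):
    """Split '2.4.10' into (2, 4, 10) so components compare numerically, not as strings.

    Non-numeric components (e.g. 'rc1') sort below any number; good enough for an audit."""
    return tuple(int(part) if part.isdigit() else -1 for part in re.split(r"[.\-]", version))


def parse_inventory(text):
    """Return (host, product, version) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows


def outdated(inventory_text, baseline):
    """List (host, product, version, reason) for every entry below baseline or without one."""
    findings = []
    for host, product, version in parse_inventory(inventory_text):
        floor = baseline.get(product)
        if floor is None:
            # No baseline means nobody has decided what "patched" means for this product.
            findings.append((host, product, version, "no baseline defined"))
        elif version_key(version) < version_key(floor):
            findings.append((host, product, version, f"below baseline {floor}"))
    return findings


if __name__ == "__main__":
    for host, product, version, reason in outdated(INVENTORY, MIN_VERSIONS):
        print(f"{host}: {product} {version} ({reason})")
```

The output lists web01, web03 and app01 as below baseline and app03 as lacking one. Note that web03 only shows up because of the numeric comparison: `"2.4.9" > "2.4.10"` is true for plain strings, which is a common bug in home-grown patch reports.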
Insufficient authentication requirements: From the post: “Verizon and the Target Red Team exploited several vulnerabilities on the internal network, from an unauthenticated standpoint. The consultants were able to use this initial access to compromise additional systems. Information on these additional systems eventually led to Verizon gaining full access to the network — and all sensitive data stored on network shares — through a domain administrator account.”