The Target Data Breach: A Risk Management Industry Perspective

April 9, 2014 Updated: April 8, 2014

How did the sizeable data breach at Target that came to light in December occur? A recent U.S. Senate report, based on media reports and expert analysis, answered this question in part.

The report shares that Target had deployed a type of “intrusion kill chain” framework that was originally introduced in 2011 by security researchers from Lockheed Martin and widely used today in the public and private sectors.

The report also provides that Target had a number of missed opportunities throughout the kill chain to thwart the data breach.

Key findings are, but not limited to, the following:

• Target provided network access to a third-party vendor that did not initially appear to follow widely accepted information security practices.

• Target appears to have failed to respond in a timely manner to numerous automated intrusion warnings from anti-intrusion software.

• The attackers appear to then have gained access and were able to move freely to more sensitive areas in Target’s network.

• Target appears to have failed to act on its anti-intrusion software on planned escape routes of the attackers.

The Kill Chain

The Kill Chain represents a widely accepted and deployed framework that outlines key processes in information security protection and defense. The framework allows for continuous monitoring and identifies key milestones where an attack may be intercepted and stopped. Any interception along the path can result in a halted attack.

Insider’s Response

It is estimated that trade secrets represent up to 80 percent of the value of today’s companies. Protecting intellectual property and, ultimately, competitive advantage is a highly complex endeavor. It requires businesses to operate at peak efficiency at all times in defending against ever-increasing capacity of aggressive and innovative adversaries. Any failure along the way can result in long-term catastrophic consequences.

Most companies today have an IT-based focus on information security. This is only part of the “puzzle” and places most of the focus on technology and cyberpolicies, procedures, and products. This singular view leaves companies highly vulnerable to failure points created by human frailty. Time and again, it is the human factor that creates the exposure for the breach to occur.

Now the “New Norm”

Each of the missed opportunities listed above details failures as a result of the human factor. Human intervention or the lack of it accounts for roughly over 90 percent of breaches today. The human factor is a key conduit and many times is required for the reprehensible cyberactivity.

The human factor in Target’s case included employees, contractors, and the supply chain actor—a HVAC (heating, ventilation, and air conditioning) vendor.

Target is by no means alone. Most companies simply fail to recognize all the components of the human factor and their significance in information security—for example: employees, new hires, former employees, contractors, vendors, supply chain, and even their law firms.

 More Than Binary

Business Versus IT Problem: Senior leadership must reclassify information security as a “business problem” and not an “IT problem.” The carnage caused by a catastrophic breach is a business problem and should be viewed this way by senior teams.

Status Quo: It is natural for companies to become complacent in information security protection. It is also natural for employees to want to hide issues or concerns in order to protect their roles within an organization. Companies need to be tuned to be aggressive defenders as well as offer incentives to identify potential failure points.

Human Factor: The Target example illustrates how significant the human factor is in a holistic information security structure. All segments of the human factor must be continually identified, vetted, and annually trained and drilled for both cyber and human incursions. All of the cyberprotection in the world can be circumvented by a careless employee or supplier—or as likely—a rogue insider.

“Cyber is just the canary. Immediately addressing the human element is paramount,” said Eric Qualkenbush, former CIA director of training and education and current director of BlackOps Partners Corporation.

Liability

As shown by the Target violation, all levels of senior leadership will be affected by a large-scale breach. Numerous lawsuits have been filed against several executives and the board, with potential for future legal action. This is a clear demonstration that information security must be driven from the top of the company.

Takeaways

• Companies typically have several opportunities to halt a major attack. Most can be missed due to a lack of awareness, communication, prioritization, or training, as well as due to simple complacency.

• Information security is a “business problem,” not just an IT problem and must be driven as a top-down priority.

• The “human factor” is a severely overlooked critical component that must be highly administered as an integral part of every information security strategy.

• Contingency plans must be reviewed and rehearsed frequently. It’s not a matter of “if” but “when.”

The full report referenced in this analysis, “A Kill Chain” Analysis of the 2013 Target Data Breach, issued on March 26, can be found at www.commerce.senate.gov.

T. Casey Fleming is chairman and CEO of BlackOps Partners Corporation, which provides counterintelligence, information security, and risk management services to Fortune 500 and private and public organizations. More information at www.blackopspartners.com. Target Corporation is not a current client of BlackOps Partners Corporation.