The Lessons from Target

Information security is all about the AIC triad: availability, integrity, and confidentiality. APM users primarily focus on availability, but the other two dimensions are equally important. Following up with what we wrote last week, the large retailer Target has admitted that 40 million credit card numbers were stolen from its computers after banks began to report theft on their credit cards. All of whose cardholders shopped at Target.  The details of how this theft happened are still not clear, as law enforcement has asked Target not to reveal it.  There are ongoing developments as Target comes under attack from a new threat: politicians, states attorneys general, and lawyers. Further, Brian Krebs (of krebsonsecurity.com) is reporting that he might have found the identity of who is operating one of the web sites where some of these stolen cards have been offered for sale.

CNN reports that Chase bank has limited the amount of cash that customers can withdraw from their ATMs. That seems reasonable, but the stolen data does not include the pin number needed to make such cash withdrawals. American Express on their web site asks their customers to look for fraudulent activity and reminds them that they are not liable for fraudulent charges.  Credit card cash ATM withdrawals do not have such protection or have limited protection.

Senator Chuck Schumer (D-NY) is calling for retailers to protect credit card data with encryption.  Senator Richard Blumenthal (D-CT) has called for an investigation saying that Target “failed to employ reasonable and appropriate security measures.”

CNN says the hackers stole the credit cards using malware injected into their payment systems.  They do not say what is meant by “payment systems.”  Could this be the point-of-sale terminal? Some kind of clearing house?  A back-end COTS retailing system or a custom application?  Perhaps they will reveal that in the near future.  Such knowledge would help others protect themselves from thieves.

There has been much focus in the last several years about the tighter integration of development and operations groups in a DevOps organization. Let us be among the first to propose a DevOpsSec group that integrates application development, operations, and security.