Now that the Target CEO and CIO have resigned, and the Institutional Shareholder Services (ISS) is calling for 7 of the 10 members of the Target Board of Directors to be removed, it is time to look at where the security of our organizations can be improved to reduce the probability of such an attack on our systems. It is unclear whether the executive resignations and the call for action against the Board members was the direct result of the security breach, or whether it was because of the disappointing financial results (which of course was somewhat linked to the breach) , but certainly the data breach played a big part.
Let me start out by admitting that I am an IBM z/OS mainframe guy, so I will be speaking mainly to the mainframe community about issues faced by it, although I will be using information from various other attacks.
It appears that the Target Board invested a great deal of money into the company’s IT security. What did they miss? How much should they have known about this? We can never assume that a CEO or Board of Directors will know enough of the technical details to be able to direct the technical portions of the company to increase their security on anything but a very general level.
This is where outside expertise comes in. If the Target Board had retained the correct external IT Auditors or Security Experts, they might have received recommendations about partitioning the environment, so that there would have been no way for an external heating and air conditioning contractor to be able to access Point of Sale systems data. They might also have received recommendations to implement two factor authentication for their contractors, so it would have been more difficult for the hacker to obtain and use the HVAC contractor’s identity, and to review the security incident response process so that any such attack might have been addressed more quickly.
Although I will be speaking in this column on External Reviews, I do not mean to disparage internal reviews by Internal Auditors. Internal Auditors will locate a portion of the issues that need to be addressed, and the more experienced they are in various environments, which is the case for very large organizations with multiple datacenters, the more issues they will identify. The key to external auditors or external review specialists is that they have seen and analyzed dozens of complex environments, and will more completely identify issues that need to be addressed.
From the reports I’ve read, the Target Board did authorize a significant amount of money to be invested into the security of their systems. Did they insist that external security reviews be conducted? I don’t have the answer to that question.
The other thing that is necessary is an Executive Management directive that security is everyone’s responsibility, and that no one will be punished or reprimanded for highlighting a potential security exposure. For example, there is a long discussion on the RACF List, entitled “Rant”, which talks about whose responsibility the security of mainframe systems is. It is not just the security staff’s. It is everyone’s. The discussion clarifies the situation that the security staff cannot know all the ins-and-outs of the applications or systems, and need the help and active assistance of the systems programmers and other supporting individuals as to how maximize the security for each of these individual areas.
A few years ago I was doing consulting and mainframe security reviews, and two security reviews I did stand out in my mind. One was for a well-known US Government Agency and the other was for a large Wall Street organization.
In both cases the systems programming staff placed their convenience over the security of their mainframe systems. In one case the users of the development system (LPAR) had free reign in reading and updating data and libraries on the production system (another LPAR), because the production volumes were shared with the development system and the separate development system security database allowed access.
In the other case a “Get Me Into Authorized State SVC” was installed, which allowed a normal problem state program to gain control in an authorized state. Once in an authorized state a user could change his/her identity and manipulate control blocks to gain access any data they wanted to. By the way, the first thing both organizations did when I started my review was to issue me an RSA token so I could be validated with two-factor identification.