Slashdot Mirror
Target's Internal Security Team Warned Management
david.emery writes "According to this story, Target's own internal computer security team raised concerns months before the retailer lost millions of credit card numbers in an attack. (Quoting a paywalled story in the Wall Street Journal.) Target's management allegedly 'brushed them off.' 'At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system.' This raises a more general question for the Slashdot community: how many of you have identified vulnerabilities in your company's/client's systems, only to be 'brushed off?' If the company took no action, did they ultimately suffer a breach?"
There are security concerns in every company, without exception. Obviously, even the NSA itself had inadequate security!
Yes, many times security concerns are brought up, and brushed off. But this is not necessarily an indication of a problem. Every security risk must be weighed based on the likelihood of occurrence, and the severity of the impact, should it occur. Many of these calculations are inexact, and must be based on incomplete information.
Should Target have protected themselves better? Probably. But hindsight is 20/20. The difficult part is to anticipate the problems that might occur, without crippling your organization through impossibly tight security.
You do realize that making people change their passwords all the time simply leads to people using weaker passwords or writing them down, right? This type of policy though up by some self-proclaimed security expert amongst the IT monkeys almost always leads to worse security than not. And you don't even need to take my word for it:
The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they're more likely to choose easy-to-remember -- and easy-to-guess -- passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.
https://www.schneier.com/blog/...
At my job, I have three different VPN tokens, and at one time had at least 30 different passwords all over the globe I had to use...ours forces changes at various times, some are 30 days, some 90, some never...depending on the system. RSA admin software had a PIN too. We usually just keep it all in a spreadsheet. If you can't remember a single password...but you also need the Active ID token too. We potentially have deep access into the air line reservation system, although that system is so insanely complicated and cross-platform good luck finding anything of worth haha.
It's kinda backwards in a way. Retail is always a huge target, the bigger the company the bigger the score. From a security design viewpoint, the "backend" and the "financial" systems should have been physically separated at all times, using some encrypted EDI to exchange whatever (inventory, overstock, per piece price, etc). The credit card terminals should have been "payment only" and not loaded down with all their SHIT like "cash back?" "cure cancer?" "are you sure?" "join our rewards / store card" and wtf other messages I have to tap on your stupid touchscreen a million times just to pay you. Some of them even have ads on them.
Soon, Walgreens, CVS, Dollar whoever...the more sophisticated we make these terminals where our card touches their system, the more exploitable they will become. It's the slow feature creep, the "we need to upload new ad images at 2:50AM" by developers in a far-off land...pushed forward by managers who just want "shiney bright things" that make us give up even more information, waste our time more, and provide little real actual benefit.