Perhaps you saw the report by the US security firm iSight Partners concluding that the stolen customer data now reaches as many as 110 million Target consumers. According to the report, the cyber crime began in Texas stores. Customer data was collected for over two weeks, and the information was immediately sold over 40 times by Eastern European cybercriminals.
As you may recall, the attack occurred between November 27 and December 15. The malware ran mostly undetected during the busiest retail period of the year. Since the cyber theft, Target has revealed that the stolen customer data included names, credit card numbers, expiration dates, security codes, addresses, phone numbers, and email addresses.
Brian Krebs, a security expert for the Washington Post, reports that the cyber criminals used a server within Target to aggregate the data. The attack consisted of two stages. In the first, malware infected the point-of-sale (PoS) equipment at Target’s checkout counters and extracted credit card numbers and personal data. In the second, the malware used an abandoned server within Target’s network to transmit the stolen data to an external FTP server.
Before I go any further, this blog does not intend to pick on Target. Personal data theft was also reported during the holidays by the retailers JC Penney, 7-Eleven, Neiman Marcus, Michaels Stores, Harbor Freight Tools, BestBuy, and Aaron Brothers. This incident will hopefully serve as a wake-up call for retail and IT executives. This blog intends to call out how identity management automation could help prevent an enterprise system compromise of Target’s magnitude.
Organized Cyber Crime, Criminals and Accomplices
When I read accounts of a 17-year-old Ukrainian as the mastermind of the cyber security attack, I empathize with him. I believe it like I believe a YouTube video sparked Benghazi. At this point, no one who is reporting knows, and whoever does know is not saying. Ironically, the media and public seem to think a Ukrainian without even a CCNA should do a better job of policing his server than the combined resources of Target. Maybe the kid’s server was compromised and used as an instrument in the crime. Perhaps he learned an important lesson about firewalls and security. We don’t know. What we do know is that his server is the one identified, or at least reported, as the upload hub.
If a 17-year-old is involved, he is one pawn in the crime. Without wanting to overstate the obvious, organized crime is, well… organized. They work as a network and leverage a great distribution channel. At this time, I am sure the retail giants named are determining where their systems were compromised during the cyber crime. They are also likely examining how prepared they are to respond when similar contributing events happen again.
As consumers of all information tweeted, shared, liked, +1’d, and #hashtagged, we glamorize and iconize cyber criminals. Although entertaining, this portrayal misrepresents how organized crime operates in information technology circles. Lost in the media’s rush to condemn are the contributions of insiders. In his analysis, Krebs points out that neither the location of the abandoned server used in the second stage nor its administrators were identified. If the practice inside Target is to share privileged passwords, they may not even be able to provide a complete list of administrators. The iSight Partners report states that the Target malware executed undetected on an abandoned server for over two weeks. Krebs points out that it continued transmitting for four days after detection before it was removed.
For some administrators and technical professionals in some countries, this is how organized crime works. You accept a bribe in exchange for your life. Your motivation has little to do with ethics, righteous causes, or money. Your contribution may be as simple as providing the IP address of an abandoned server or relaying a shared privileged password. The role can generally be equated to leaving a door unlocked, leaving the keys in the car, or looking the other way. These insiders too are pawns, and their contribution is often minimal, yet critical.
With an initial investment between $3,000 and $6,000 and returns in the millions of dollars, the reasons for organized crime’s interest in consumer data are apparent. Already, the stolen Target account information appears to have been divided and sold off regionally among Mexican cartels. Recently, two Mexican citizens were arrested by McAllen, TX police after buying tens of thousands of dollars’ worth of merchandise at Best Buy, Wal-Mart and Toys R Us with 96 counterfeit credit cards made from Target data. With the arrests, the breadth of the cyber criminal network becomes apparent.
How to Prevent Cyber Crime
Target’s cyber security breach will cost its customers an estimated $4 billion in debit card losses alone. It will also cost Target a projected 130 million hours of enterprise resources to straighten out their accounts. As the Target details are reported, security leaders must look to automate the IT operations that prevent system-wide cyber crime. Tracking the actions of privileged identities, identifying abandoned servers, and adopting access certification IT governance tools make anonymous actions more difficult. The goal of every IT organization should be to automate the removal of the most common contributors to information security breaches.
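As an added illustration (not code from the original post or from any product), here is how two of the controls just named, flagging abandoned servers and shared privileged passwords, can be automated from an inventory and access-certification feed. The hostnames, accounts, people and dates are constructed for the example; a real deployment would pull them from the CMDB and the certification tool.

```python
# Added example: automated checks for abandoned servers and shared privileged
# accounts. All hostnames, accounts, names and dates below are constructed.
from datetime import date

# Constructed inventory merged with access-certification records: when an owner
# last attested the host, its named administrators, and each privileged account
# with the list of people who currently hold its password.
INVENTORY = [
    {"host": "pos-db-01", "last_certified": date(2013, 11, 1),
     "admins": ["alice"], "shared_accounts": {}},
    {"host": "legacy-ftp-07", "last_certified": date(2012, 3, 15),
     "admins": [], "shared_accounts": {"root": ["bob", "carol", "dave"]}},
    {"host": "report-09", "last_certified": date(2013, 10, 5),
     "admins": ["erin"], "shared_accounts": {"svc_backup": ["erin", "frank"]}},
]
REVIEW_DATE = date(2013, 12, 15)  # constructed review date for the run


def find_abandoned(inventory, today, max_age_days=180):
    """Hosts with no named administrator or a stale access certification.
    Returns [(host, [reasons...])] in inventory order."""
    flagged = []
    for server in inventory:
        age = (today - server["last_certified"]).days
        reasons = []
        if not server["admins"]:
            reasons.append("no named administrator")
        if age > max_age_days:
            reasons.append(f"certification {age} days old")
        if reasons:
            flagged.append((server["host"], reasons))
    return flagged


def find_shared_privileged(inventory):
    """Privileged accounts whose password is held by more than one person.
    Returns [(host, account, sorted holders)]; each is a candidate for a vault
    with individual checkout so that actions are no longer anonymous."""
    shared = []
    for server in inventory:
        for account, holders in server["shared_accounts"].items():
            if len(holders) > 1:
                shared.append((server["host"], account, sorted(holders)))
    return shared


if __name__ == "__main__":
    for host, reasons in find_abandoned(INVENTORY, REVIEW_DATE):
        print(f"ABANDONED {host}: {'; '.join(reasons)}")
    for host, account, holders in find_shared_privileged(INVENTORY):
        print(f"SHARED {host}/{account}: {', '.join(holders)}")
```

Running it on the constructed data flags legacy-ftp-07 as abandoned on both counts and reports the root and svc_backup passwords as shared.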
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of business processes, self-service administration, and IT operations.