It is being reported that Target's own security staff warned the company, based on reports they had received, that new malware was targeting PoS systems. Target was in the midst of upgrading its PoS at the time and brushed off the warning. I wonder if the person who blew this warning off still works there?
Article that Target knew of risk
If this is true, and it most likely is, then Target's security team and/or its corporate security mentality is even more ineffective than we already believe. The business side in most corporations accepts risk when handed reports of "we are vulnerable to XYZ"; that is normal business practice for risk acceptance. What InfoSec professionals often can't answer is the question that is always asked: "What is the probability, and what would the impact be?" Yeah yeah, there are formulas for this, but as we can all guess they would NEVER have calculated out to this amount of loss and cost, or if they did, management would never have believed the numbers. I also think Target InfoSec had no idea how to defend its network, or what it actually needed in order to defend against such a malware impact. Maybe they did, and maybe they handed 'up yours' management a budget and purchase request, but not likely.
This is why I promote the 'Malware Management Framework'. We no longer have a choice; we MUST manage malware threats just like we manage vulnerabilities. In the case of Target, or any other company that was notified of the potential PoS malware, the InfoSec team should have analyzed the data about the malware and its potential impact on their own systems, and then determined whether they could have detected and responded to such an event. If the answer was 'NO', then IT/InfoSec management should have made a statement that was nothing short of "We must address this or the worst WILL happen; if we don't, I/we can no longer work for you." This is where InfoSec must move towards: putting our foot down when such obvious vulnerabilities threaten our companies, or finding another job. Face it, if you don't, you're probably going to get thrown under the bus anyway.
Every company should do what I call a "Detect and Response Assessment". This type of assessment tests the exact kind of impact that Target was facing. Take a host, assume it is compromised, give us admin credentials and let us see what we can do (non-destructively), how far we can get, and what we can access. Your goal: detect what was done, what was touched, and the behavior I exhibited during the test. This is not a PenTest; this is a faster, cheaper and much more effective test of your detection and response abilities once a host is compromised, which we all know is inevitable. You WILL get compromised; how fast you detect the compromise needs to be "The New Normal" for InfoSec programs moving forward.
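The deliverable of an assessment like this is a simple comparison: the tester's log of what was done against what the monitoring stack actually alerted on, and how long each alert took. The script below is an added illustration of that scoring step and is not code from the original post or from any "Malware Management Framework" tooling; the host names, technique labels, timestamps and the 24-hour detection window are all constructed for the example.

```python
"""Score a Detect and Response Assessment: which tester actions were detected, and how fast.

Constructed example data: the ACTIONS list plays the role of the assessor's own
activity log on the "assumed compromised" host, and ALERTS plays the role of an
alert export from the SIEM / EDR for the same period.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Event:
    host: str        # where it happened
    technique: str   # a label both sides agree on before the test (assumed naming)
    at: datetime     # when it happened / when the alert fired


T0 = datetime(2014, 3, 1, 9, 0)  # constructed start of the assessment window

# Constructed tester log: what the assessor actually did during the test
ACTIONS = [
    Event("ws-042", "lateral-movement-rdp", T0),
    Event("ws-042", "new-service-install", T0 + timedelta(minutes=20)),
    Event("pos-117", "credential-dump", T0 + timedelta(hours=1)),
    Event("pos-117", "outbound-ftp-exfil", T0 + timedelta(hours=1, minutes=30)),
    Event("dc-01", "admin-group-change", T0 + timedelta(hours=2)),
]

# Constructed alert export from the monitoring stack for the same period
ALERTS = [
    Event("ws-042", "lateral-movement-rdp", T0 + timedelta(minutes=5)),
    Event("ws-042", "new-service-install", T0 + timedelta(minutes=50)),
    Event("pos-117", "outbound-ftp-exfil", T0 + timedelta(hours=2, minutes=25)),
    Event("dc-01", "admin-group-change", T0 + timedelta(hours=28)),  # fires, but too late
    Event("ws-099", "new-service-install", T0 + timedelta(hours=3)),  # unrelated host
]


def first_matching_alert(action, alerts, window):
    """Earliest alert for the same host and technique that fired within `window`
    after the action. Alerts that fire before the action or after the window do
    not count: a day-late alert is a miss for the purpose of the assessment."""
    candidates = [
        a for a in alerts
        if a.host == action.host
        and a.technique == action.technique
        and action.at <= a.at <= action.at + window
    ]
    return min(candidates, key=lambda a: a.at) if candidates else None


def score_assessment(actions, alerts, window=timedelta(hours=24)):
    """Return coverage (fraction of actions detected), time-to-detect stats in
    minutes, and the list of actions nobody noticed."""
    ttd_minutes, misses = [], []
    for act in actions:
        alert = first_matching_alert(act, alerts, window)
        if alert is None:
            misses.append((act.host, act.technique))
        else:
            ttd_minutes.append((alert.at - act.at).total_seconds() / 60)
    detected = len(actions) - len(misses)
    return {
        "actions": len(actions),
        "detected": detected,
        "coverage": detected / len(actions) if actions else 0.0,
        "mean_ttd_min": mean(ttd_minutes) if ttd_minutes else None,
        "max_ttd_min": max(ttd_minutes) if ttd_minutes else None,
        "misses": misses,
    }


if __name__ == "__main__":
    report = score_assessment(ACTIONS, ALERTS)
    print(f"Detected {report['detected']}/{report['actions']} actions "
          f"({report['coverage']:.0%}); mean time-to-detect "
          f"{report['mean_ttd_min']:.0f} min, worst {report['max_ttd_min']:.0f} min")
    for host, technique in report["misses"]:
        print(f"  MISSED: {technique} on {host}")
```

The two misses in the constructed data are the interesting output: one action produced no alert at all, and one produced an alert 28 hours later, which the window treats as a miss. Both are exactly the gaps the assessment is meant to surface, and the time-to-detect numbers give management the "how fast" figure the post is asking programs to track.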
Ask me how, we will discuss it at BSidesAustin 2014.