Brian Krebs does a great job reviewing the details at his latest post
http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/#more-32276
The analysis of Target’s breach is obvious in the level of insecurity in Target 2012.
Default passwords used
Passwords of insufficient complexity
No segmentation of network.
Insufficient patching
No pentesting
Every point in the PCI (Payment Card Industry) was a failure.
Target did hire Verizon pentesters after the breach and they were able to roam at will through the network. 86% of all passwords were cracked.
If default passwords are used at critical systems, then I think that is a guarantee of eventually being hacked. If 12 of 35 (34%) admin passwords are cracked then that also means another avenue of being hacked.
What does it mean “your network administrator user was hacked”
One of the first actions the pentesters did is to create their own admin account called “verizon”
Then they copied all the password files so they can crack them later. With 86% of all passwords cracked then the hacker can find a username or several usernames to fulfill their goals.
Setting up segmented networks should make things more difficult, but if passwords are easily guessed then it does not matter.
That is why Security is hard. You can’t just do one piece. All the pieces must be done.
Here is a Ponemon Institute
2015 Global Study on IT spending and Investments(Sponsored by Secureworks):
http://www.secureworks.com/assets/pdf-store/white-papers/wp-ponemon-global-study
What is obvious is the general population thinks:
Security is not on the agenda and the budgeting is too complex, higher funding is needed but 43% of the respondents surveyed believe that the IT security budgets are adequate and most security programs have been partially deployed.
Security is not difficult if you focus on it, but the problem is when we do not focus and expend resources, then it becomes very difficult.
2 thoughts on “Why is Security Difficult? Target Breach Analysis 2 Yrs Later”