Why is Security Difficult? Target Breach Analysis 2 Yrs Later

Brian Krebs does a great job reviewing the details in his latest post:

http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/#more-32276

Target's level of insecurity in 2012 is obvious from the analysis of the breach:

Default passwords used

Passwords of insufficient complexity

No segmentation of network.

Insufficient patching

No pentesting

Every point in the PCI (Payment Card Industry) standard was a failure.

Target did hire Verizon pentesters after the breach and they were able to roam at will through the network. 86% of all passwords were cracked.


If default passwords are used on critical systems, then I think that guarantees eventually being hacked. If 12 of 35 (34%) admin passwords are cracked, that is another avenue for being hacked.

 

What does “your network administrator user was hacked” mean?


One of the first things the pentesters did was create their own admin account called “verizon”.

Then they copied all the password files so they could crack them later. With 86% of all passwords cracked, a hacker can find a username, or several usernames, to fulfill their goals.

Setting up segmented networks should make things more difficult, but if passwords are easily guessed then it does not matter.
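A new admin account like the “verizon” one described above is something a defender can alert on. The following is an added example, not code from the original post or from the Krebs article. It assumes Windows Security events (IDs 4720, 4728, 4732 and 4756) already parsed into simplified dictionaries; the field names, account names and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a global / local / universal security group.
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}

# Constructed sample events (assumed, simplified field names; not real log data).
SAMPLE_EVENTS = [
    {"time": "2015-09-21T09:00:00", "id": 4720, "actor": "helpdesk1", "target": "jsmith"},
    {"time": "2015-09-21T09:05:00", "id": 4728, "actor": "helpdesk1", "target": "jsmith", "group": "Store Staff"},
    {"time": "2015-09-21T11:30:00", "id": 4720, "actor": "svc_backup", "target": "verizon"},
    {"time": "2015-09-21T11:31:00", "id": 4728, "actor": "svc_backup", "target": "verizon", "group": "Domain Admins"},
    {"time": "2015-09-21T14:00:00", "id": 4732, "actor": "admin7", "target": "olduser", "group": "Administrators"},
]

def find_new_privileged_accounts(events, window=timedelta(hours=24)):
    """Return alerts for accounts added to a privileged group.

    An account created within `window` before the addition is rated "high".
    Additions with no recent creation event in the data are still reported,
    rated "review", so they are not silently missed."""
    created = {}  # account name (lowercase) -> (creation time, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort by time
        when = datetime.fromisoformat(ev["time"])
        account = ev["target"].lower()
        if ev["id"] == ACCOUNT_CREATED:
            created[account] = (when, ev["actor"])
        elif ev["id"] in GROUP_MEMBER_ADDED and ev["group"].lower() in PRIVILEGED_GROUPS:
            born, creator = created.get(account, (None, None))
            fresh = born is not None and when - born <= window
            alerts.append({
                "account": account,
                "group": ev["group"],
                "added_by": ev["actor"],
                "created_by": creator if fresh else None,
                "severity": "high" if fresh else "review",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(alert)
```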

 

That is why Security is hard. You can’t just do one piece. All the pieces must be done.

 

Here is the Ponemon Institute 2015 Global Study on IT Spending and Investments (sponsored by Secureworks):

http://www.secureworks.com/assets/pdf-store/white-papers/wp-ponemon-global-study

What is obvious is that the general population thinks:

Security is not on the agenda and budgeting is too complex. Higher funding is needed, but 43% of the respondents surveyed believe that IT security budgets are adequate, and most security programs have been partially deployed.

 

Security is not difficult if you focus on it. The problem is that when we do not focus and expend resources, it becomes very difficult.

 

 

 
