There potentially could have been other avenues of exploitation. Man-in-the-middle attacks are a common attack vector, whereby the attacker intercepts traffic along the network path. Such attacks can be mitigated with the proper use of encryption and network configuration. In the Target incident, it is unknown if any network communications avenues were exploited, but given that so many devices were likely infected, the network might well have played a role.
Access controls and user privileges can also play a role in the exploitation phase. A super user or system root user gets access to everything on a network, but with proper role-based access control (RBAC)-type techniques and technologies, each individual user and device should be limited to only the data and access that is needed for their specific tasks. So, for example, a single POS device (exploited or not) should not have be able to access much on the network. A common attack vector in the enterprise space is a privilege escalation attack, which can give a regular user more control, akin to what a root user gets.
In the Target case, we don't know what access controls or limits were in place on POS devices or if any kind of privilege elevation attack was involved, but an attack vector might be considered.
Step three in any attack is data exfiltration—that is, the attackers had to get the data out of the network. Just because an attacker somehow infiltrates a network, finds a vulnerability and gets the access he or she needs doesn't necessarily mean that the attacker can get data out of the network. That's where data loss prevention (DLP) types of technology come into play. DLP-type solutions can and should enforce controls on what types of data can leave the network and who can access that data.
So to recap, the Target attackers had to infiltrate the network, find a known vulnerability and then get out with data. A proper IT security program should have mitigations in place for all three of those things, meaning an attack doesn't just have to beat any one single technology to be successful, it has to beat three of them.
To be fair, a retail environment is a challenge because the perimeter is very large (every POS terminal) and credit card data is supposed to move across the network. That said, a continuous security policy framework that enforces controls for entry, limits the risk of software vulnerabilities and monitors data exiting the network is how modern security should be deployed.
It is somewhat disingenuous to ascribe any one single technology failure at Target as being the reason why 70 million of its customers had their data stolen. Data protection should never be the domain of a single technology or process. While we don't know the full details yet about how Target was breached, we know that three things (entry, vulnerability, exit) have to happen in every breach.
While the POS terminal is a potential weak link, a complete process should make it just one-third of the risk chain and not 100 percent of it. Security is a process that demands rigor and vigilance at every level. Application vulnerabilities will always exist, but if those vulnerabilities can't be exploited because attackers can't access or exit a network, the risks will be significantly reduced.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.