Target Hack Blamed on Stolen Credentials: Who's at Fault?

NEWS ANALYSIS: In the modern connected payment system, attackers go after the weakest links. In the case of the Target breach, that was a third-party vendor.

Details continue to emerge about the root cause of the security breach at U.S. retailer Target that exposed the personal information of 70 million people during the 2013 holiday season.

According to a Wall Street Journal report this week, the Target attackers were able to gain access to the retailer's system by way of stolen credentials from a third-party vendor.

The investigation into the Target breach has widened and now involves the U.S. Department of Justice. In a submission to the U.S. Senate Committee on the Judiciary on Jan. 29, Attorney General Eric Holder specifically discussed the Target breach.

"The Department of Justice takes seriously reports of any data breach, particularly those involving personally identifiable or financial information, and looks into allegations that are brought to its attention," Holder said. "While we generally do not discuss specific matters under investigation, I can confirm the Department is investigating the breach involving the U.S. retailer, Target. And we are committed to working to find not only the perpetrators of these sorts of data breaches—but also any individuals and groups who exploit that data via credit card fraud."

The use of a third-party vendor as a patsy to gain access is not a new attack method in the IT landscape. Simply put, an attacker will always go after the weakest link in the security chain, wherever that link exists.

The fact that the attack leveraged lost or stolen credentials also is not a surprise since, after all, the first step in any attack is to gain access. To gain access to any system today, some credentials are required. That's where role-based access control (RBAC) types of systems have long played a key role, providing the right access to the right person to do the required tasks.

So where's the failure?

Trey Ford, who until recently served as general manager of the Black Hat security conference and now works at security firm Rapid7 as its new global security strategist, noted in an email sent to eWEEK that in most cases of lost or stolen credentials, organizations don't know they've had an account compromised until it's far too late and the damage is done.

"In the case of an organization like Target, you're looking at an extremely complex environment with hundreds of thousands of employees, systems, sites, and vendors; every aspect represents some level of risk," Ford said. "The problem is that it's impossible to make every one of those elements bulletproof and traditional incident detection systems aren't looking for deceptive activity."

That's a large issue in my view, as a lost or stolen credential is a legitimate credential until proven otherwise. To that end, organizations should have insider threat policies and technologies in place to limit the risk of lost or stolen credentials. If an organization is always monitoring the activities and access of its credentials in a constant effort of risk mitigation vigilance, the risk can be minimized.

This is not an easy challenge, and there is responsibility in this case, with both the vendor whose credentials were lost or stolen and Target itself. Security is an ecosystem, and every element in the system needs to be monitored and strengthened, which will inevitably make it harder for attackers to be successful.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.