Target Data Breach: Could IAM Controls Have Helped?

The data breach that Target, Inc. experienced late last year has dominated the trade press for the past couple of months. Although forensic investigations are still in process at Target and no conclusive report has been issued, new details were released in early February revealing that hackers originally gained access to Target’s network by stealing the access credentials (via a phishing attack) of a refrigeration contractor. The contractor said its electronic interaction with Target was limited to billing, contract submission, and project management (i.e., nothing related to customer personal or credit card data).

Further details of the breach covered in the press reveal a sophisticated and prolonged attack at Target. Once the hackers infiltrated the Target network, they distributed malware to thousands of point-of-sale (PoS) machines designed to siphon off customer data, and set up a control server within Target’s internal network that acted as the central repository for the stolen credit card data. The stolen data was later uploaded from the Target network to an FTP server. Unfortunately, this is not unlike the scenario TJX experienced with their breach a few years ago.

As most security professionals know, there is no easy solution for protecting corporations like Target from an attack like this one. It requires a coordinated defense involving people, processes and tools that span anti-malware, firewalls, application, server, and network access control, intrusion detection and prevention, security event monitoring, and more. But what about identity management (IdM) – our particular focus at SailPoint? As I think through the Target scenario, I can see several areas where the right Identity Management preventive and detective controls could have helped to prevent, detect or mitigate the attack:

  • It all starts with getting visibility and control over user access privileges (who has access to what?) – especially for highly sensitive data or applications. This means putting in place Identity Management tools to ensure the right access controls are in place and that user access privileges conform to policy.
  • Next, you need detective controls such as periodic access certifications, which are designed to detect and revoke inappropriate access (e.g., an HVAC partner with access to credit card data), or access that does not map to a legitimate user (so-called “rogue” accounts). To ensure that potentially serious issues are detected promptly, many of our customers use “event-based” certifications that are triggered by any change in a user’s privileges – requiring management review and approval.
  • Access policy that can prevent or detect “toxic combinations” of access privileges.  These types of policies are very useful in preventing risky scenarios. For example, you can easily define policies that prevent partners from having access to PoS systems or systems storing customer data. Likewise, you can enforce network segmentation by defining policies that prevent administrators on one network from having the same privileges on another.
  • Lastly, to find cases where hackers are granting their own “rogue” privileges, you can use automated account reconciliation to detect unauthorized changes to access privileges. Running a reconciliation process allows companies to detect access privileges that were granted outside of normal provisioning processes, without management approval. These rogue accounts can be detected in nightly scans and immediately reported to managers and application owners.

As your organization plans its strategies for layered security, don’t forget to include Identity Management. Implementing the right Identity Management controls can help you mitigate risks and more effectively protect critical resources and your customers’ data.