These are not the only likely points of failure, but they are the most obvious ones.
Retailers targeted in attacks such as the one that hit Target like to claim that they were the victims of sophisticated attackers, with the implication that the attack was somehow unstoppable. But there was nothing particularly sophisticated about the Target attack. The attackers appeared to be persistent and disciplined more than technologically advanced. That is exactly how most attacks are perpetrated.
I have no reason to believe that Target's technical employees are anything but well intentioned. But not ensuring that a high-level risk and architecture assessment was in place that could look for exactly those points of failure was in itself a failure. I'm not talking about a penetration test, but a thorough assessment of the overall network architecture to look for security vulnerabilities and the best places to install detection tools.
For example, Target should have reviewed the access architecture to verify that vendors were segregated and monitored. Given widely publicized breaches at other retailers, Target should have looked for covert channels with network monitoring tools. And it certainly should have assured the integrity of the POS systems, looking at best practices such as whitelisting software and verifying the applications that are pushed out to those systems.
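As an added illustration of the two architectural checks just described (vendor segregation and watching the POS segment for unexpected outbound flows), not code from the column or from Target: a small detector that runs over constructed firewall log lines. The network ranges, the allowlisted payment-switch subnet and the log format are all assumptions.

```python
import ipaddress

# Hypothetical network layout (assumption, not taken from the column):
VENDOR_NET = ipaddress.ip_network("10.50.0.0/16")   # third-party/vendor access segment
POS_NET = ipaddress.ip_network("10.10.0.0/16")      # point-of-sale terminals
# Destinations POS terminals are permitted to reach (e.g. payment switch, update server)
POS_ALLOWED_DST = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed firewall log lines in the form "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2013-11-15T02:10:01 10.50.3.7 10.10.4.21 445
2013-11-15T02:10:05 10.10.4.21 10.20.5.10 443
2013-11-15T02:11:30 10.10.4.21 198.51.100.23 21
2013-11-15T02:12:00 10.50.3.7 10.60.1.4 443
2013-11-15T02:12:10 10.10.4.22 10.20.5.10 443
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def find_violations(log_text):
    """Return (rule, timestamp, src, dst, port) tuples for flows that break
    the two architectural expectations: vendors stay out of the POS segment,
    and POS terminals only talk to allowlisted destinations."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        # Rule 1: the vendor segment must never initiate traffic into the POS segment
        if src in VENDOR_NET and dst in POS_NET:
            findings.append(("vendor_to_pos", ts, str(src), str(dst), port))
        # Rule 2: any POS flow to a non-allowlisted destination is a candidate
        # covert channel or exfiltration path and should be reviewed
        elif src in POS_NET and not any(dst in net for net in POS_ALLOWED_DST):
            findings.append(("pos_unexpected_dst", ts, str(src), str(dst), port))
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_LOG):
        print(finding)
```

On the sample above the detector flags the vendor host reaching a POS terminal on port 445 and the POS terminal's FTP connection to an outside address, while the permitted payment-switch traffic passes silently.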
A company like Target, with billions in revenue, can certainly allocate the appropriate resources to stop an attacker, sophisticated or otherwise. In fact, companies with considerably less in revenue should do the same, since an attack of this nature puts that revenue at risk. But don't tell us how you are at the mercy of sophisticated attackers when you haven't covered the basics. Target's attackers exploited predictable vulnerabilities. They were tenacious and formidable, but they weren't unstoppable. These attacks should have been detected and prevented.