Laundry list of what to do
Target agreed to tighten its digital security, which includes:
- Develop and maintain a comprehensive information security program
- Maintain software and encryption programs to safeguard people’s personal information
- Separate its cardholder data from the rest of its computer network
- Rigorously control who has access to the network
- Regularly bring in an independent, well-qualified third party to conduct comprehensive assessments of its security measures.
- Hire an executive officer to run its new security program and serve as a security advisor to the CEO and the board of directors.
Other must-have safeguards are specific to the payment systems and “cardholder data environment”:
- Whitelisting to detect and block unauthorized applications from executing on payment systems and servers
- File integrity monitoring
- Change management to detect unauthorized changes to applications and operating systems
- Logging and monitoring of all security-related information and of devices attempting to connect to the sensitive network.
None of this sounds particularly advanced. In fact, network segmentation is an IT best practice and something companies should already be doing. It is nice to finally see a mandate that calls for two-factor authentication on individual, administrator and vendor accounts. The requirement that card information be encrypted is already a basic part of the Payment Card Industry Data Security Standard (PCI DSS), and simply reiterates that encryption needs to be at the center of any comprehensive security program. The settlement also reminds Target that it has to keep up with patching and software updates.
"Target shall make reasonable efforts to maintain and support the software on its networks, taking into consideration the impact an update will have on data security in the context of Target's overall network and its ongoing business and network operations, and the scope of resources required to address an end-of-life software issue," according to the settlement.
Considering that the initial breach came through a third-party vendor, the settlement is vague on what enterprises should be doing regarding their partners and contractors beyond “develop, implement and revise as necessary written, risk-based policies and procedures for auditing vendor compliance” against existing security policies. Requiring two-factor authentication for contractors and vendors will make a difference, but enterprises need a clearer idea of what other risks a third party poses to their environment.
“It is essential that outsourcers know what services third parties are performing, what controls they have in place, and verify that these controls are operational,” said Charlie Miller, a senior vice president with the Santa Fe Group’s Shared Assessments Program. Enterprises need processes that determine what kind of restricted access and security controls are appropriate when bringing a third party on board.
The settlement also talks about penetration tests and other ways to assess security measures, but it stops short of asking for continuous assessment. “The recommendations on assessing risks using penetration testing are not enough,” says Guy Bejerano, CEO and co-founder of SafeBreach. Enterprises can’t rely on once-a-year or periodic penetration tests to stay abreast of all the threats, because new vulnerabilities are always being found and new attack tools are always being developed.