Josh Tyrangiel of Bloomberg Business Week this week published an article on the successful attempt by unauthorized individuals to access customer information from the servers at Target. The title of Tyrangiel’s article, How Target Could Have Prevented Customer Data Hack (http://www NULL.bloomberg NULL.com/video/how-target-could-have-prevented-customer-data-hack-uQOYQYlZT0aGWAbT4muXHA NULL.html) tells his story. Click the link to watch Betty Liu of Bloomberg’s “In the Loop” morning show briefly interview Mr. Tyrangiel.
As anyone who takes the time to watch this short, 6:20 minute interview, will note, Tyrangiel found several glaring lapses in what can only be called operational risk management policy, at Target, which not only contributed to the Target breach, but can actually be said to have caused it. The hack could have been contained had these policies and procedures been followed and the whole mess, following the breach, would have been prevented.
So, if Tyrangiel is right, then the problem at Target wasn’t a lack of effective software to defend the servers from an attempt at unauthorized access, but, rather, a set of policies which were easily ignored, or even circumvented.
According to Tyrangiel, Target had already purchased, and implemented FireEye™ (http://www NULL.fireeye NULL.com), reputed to be one of the most effective software solutions against hackers on the market today. But when an offshore team received alerts from the FireEye system (within only a day or two of the first attempts to penetrate the Target network), the alerts were ignored by their counterparts here in the US. Even worse, although the FireEye system offered a configuration option for automatic removal of malware, Target had opted to disable the feature.
Target had made a personnel change at the top of its IT threat management team in early October, 2013. When the first attacks occurred, on November 27, 2013, this team still operated without an executive at the top, and proved to be completely ineffective in its efforts to contain the problem.
Each of the above points fall, clearly, within the bounds of a set of operational risk management policies and procedures for Information Technology. Tyrangiel’s story should be a very loud and clear call to enterprise IT management anywhere to carefully review policies and procedures to ensure disasters like the Target breach do not occur again.
Ira Michael Blonder (https://plus NULL.google NULL.com/108970003169613491972/posts?tab=XX?rel=author)
© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved