If there’s any upside to the sprawling Target data breach, it’s that it heightened security awareness for millions of consumers, says Ryan Elkins, senior manager, information security, for Diebold, a CUNA Strategic Services alliance provider.
“If everyone can keep security top of mind while performing their daily tasks and understand their role as both a security control and significant attack vector, we as an industry will have addressed an invaluable level of defense in depth,” Elkins says.
He and Credit Union Magazine Editor Walt Laskos recently discussed the Target data breach, its implications for lenders—and how it all might play out.
CU Mag: How did the Target security breach occur?
Elkins: The Target breach is a fascinating case because it follows standard penetration testing methodology. The attack demonstrates multiple phases of reconnaissance, vulnerability discovery, exploitation, and data harvesting.
This is a common methodology used by both “black hat” and “white hat” hackers because of its high success rate. Attackers successfully chained together multiple vulnerabilities by entering through an externally facing system, pivoting across systems on the internal network, deploying malicious code to point-of-sale devices, scraping customer information from memory, centrally storing the information, and then transmitting the data to an external server.
CU Mag: Can a compromise of this magnitude be attributed to the growing sophistication of “black hats” or does it point to a failure in the execution of best practices?
Elkins: With hacking, there is a stigma and some degree of truth that the Internet provides a certain level of safety. Even once an attack is discovered, it requires international cooperation, resources, time, expertise, and money to be caught.
Best practices must remain at the core of information security programs. Defense in depth is absolutely necessary and should be established through strong policies, standards, and governance.
CU Mag: While the data from Target is no longer secure, it is encrypted. Will it be just a matter of time before the key is extracted and the data decrypted?
Elkins: Cryptographic algorithms are designed so encrypted data cannot be recovered within a reasonable computational timeframe without the key.
When implemented correctly, this should hold true. But I have seen many flaws within the way a cryptographic process is implemented, whether it is a hard-coded or weak encryption key, static initialization vectors, outdated algorithms, or insecure modes. These issues are common and would reduce the confidence level and time that the data will remain protected.
The reality is, all encrypted data can eventually be decrypted. The purpose of encryption is not to keep the data from ever being decrypted, but more so to keep it encrypted throughout its useful life.
CU Mag: How do you see the Target data breach playing out?
Elkins: This has been a busy year so far for the security industry. There will continue to be an influx of disclosed breaches stemming from other companies implementing detective controls and analyzing their networks for similar patterns.
Security awareness is invaluable for both our personal and professional lives and is one of the major areas that we try to integrate within the Diebold culture. Target will probably not directly receive recognition, but they have introduced a heightened level of security awareness and knowledge to millions of people.
If each person can keep security top of mind while performing their daily tasks and understand their role as both a security control and significant attack vector, we as an industry will have addressed an invaluable level of defense in depth.
CU Mag: Do you think the Target breach put renewed pressure on payment vendors, big banks, NACHA, and others to upgrade their payment processes to a more sophisticated and secure standard, such as the technology used throughout Europe supporting the EMV (Euro MasterCard/Visa) chip card?
Elkins: Everyone is looking for the “silver bullet” fix. There is a reason that the attackers focused on stealing the information from memory.
Compliance regulations focus on protecting cardholder data in transit and at rest, but memory is often overlooked and requires an additional level of controls, many times at the hardware level. EMV would introduce an additional factor of security, but the area of concern still remains between the card reader and the point of encryption.
There are devices available with secure read heads where the encryption occurs at the hardware level, similar to an encrypting PIN pad. Upgrading devices to models that offer this capability should be strongly considered.
Next up: Part II of this interview examines the top three fundamentals to preserve the integrity of member data.
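The implementation flaws Elkins lists when discussing whether the stolen data stays protected (a hard-coded key, a static initialization vector) are easy to state and easy to underestimate. The following Python is an added illustration, not code from the interview, from Diebold, or from any product: it builds a CTR-style stream cipher from an HMAC-SHA256 keystream (a constructed teaching cipher, chosen so the example runs on the standard library alone) and shows the consequence of reusing one IV under one key, which is that the XOR of two ciphertexts equals the XOR of the two plaintexts, so anyone holding one predictable record can read the other without ever touching the key. The hard-coded key, the two sample records and all function names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed anti-pattern: a key that lives in source code. In practice a key
# belongs in an HSM or key-management service, never in the application binary.
HARDCODED_KEY = b"changeme-hardcoded-key-0000000001"
# Constructed anti-pattern: a fixed IV reused for every record.
STATIC_IV = b"\x00" * 16


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style keystream: PRF(key, iv || counter) for counter = 0, 1, 2, ...
    HMAC-SHA256 stands in for the block cipher so the demo needs no third-party
    library; the keystream-reuse property shown below is identical for AES-CTR
    or AES-GCM with a repeated nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_static_iv(key: bytes, plaintext: bytes) -> bytes:
    """The flawed scheme: same key, same IV, therefore same keystream every call."""
    return xor(plaintext, keystream(key, STATIC_IV, len(plaintext)))


def encrypt_random_iv(key: bytes, plaintext: bytes) -> bytes:
    """The corrected scheme: a fresh random IV per message, sent alongside the
    ciphertext (the IV is not secret; it only has to be unique)."""
    iv = secrets.token_bytes(16)
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))


def decrypt_random_iv(key: bytes, blob: bytes) -> bytes:
    """Split off the IV prefix and regenerate the matching keystream."""
    iv, ciphertext = blob[:16], blob[16:]
    return xor(ciphertext, keystream(key, iv, len(ciphertext)))


def leaked_xor(ct1: bytes, ct2: bytes) -> bytes:
    """With a reused keystream K: (P1 xor K) xor (P2 xor K) == P1 xor P2.
    No key material is involved in this step at all."""
    return xor(ct1, ct2)


def recover_second_record(ct1: bytes, ct2: bytes, known_plaintext1: bytes) -> bytes:
    """If record 1 is known or predictable (a fixed header, a test card, a
    known customer), record 2 falls out of the leaked XOR directly."""
    return xor(leaked_xor(ct1, ct2), known_plaintext1)


def static_iv_leaks(key: bytes, record1: bytes, record2: bytes) -> bool:
    """Detection-style check a reviewer can run against an encryption routine:
    returns True if the routine leaks record2 given record1 and two ciphertexts."""
    ct1 = encrypt_static_iv(key, record1)
    ct2 = encrypt_static_iv(key, record2)
    return recover_second_record(ct1, ct2, record1) == record2


def random_iv_leaks(key: bytes, record1: bytes, record2: bytes) -> bool:
    """Same check against the corrected routine: the ciphertext XOR no longer
    equals the plaintext XOR because the two keystreams differ."""
    ct1 = encrypt_random_iv(key, record1)[16:]
    ct2 = encrypt_random_iv(key, record2)[16:]
    return leaked_xor(ct1, ct2) == xor(record1, record2)


if __name__ == "__main__":
    # Constructed sample records of equal length (no real cardholder data).
    rec_a = b"member=0001;status=ACTIVE;"
    rec_b = b"member=0002;status=CLOSED;"
    print("static IV leaks second record:", static_iv_leaks(HARDCODED_KEY, rec_a, rec_b))
    print("random IV leaks second record:", random_iv_leaks(HARDCODED_KEY, rec_a, rec_b))
    print("round trip:", decrypt_random_iv(HARDCODED_KEY, encrypt_random_iv(HARDCODED_KEY, rec_a)) == rec_a)
```

The point for a reviewer is that the flawed and corrected routines are indistinguishable from the outside: both produce ciphertext that looks random on a single record, and only comparing two records under the same key reveals the difference. Real deployments add one more requirement the demo omits for brevity: an authenticated mode (for example AES-GCM with a unique nonce) so that modified ciphertext is rejected rather than decrypted.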