Major companies, like Target, often fail to act on malware alerts

Target paid the price for its apparent failure; other big firms follow the same pattern and could face the same fate, analyst say

Companies that suffer major data breaches almost always portray themselves as victims of cutting edge attack techniques and tools. The reality, though, is often much more mundane.

Case in point: Target, which last year was hit with a major data breach that exposed to hackers data on some 40 million credit and debit cards and personal data on another 70 million customers.

[ It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

The retailer on on Thursday acknowledged that it could have mitigated or even avoided the breach had it paid closer attention to alerts generated by a security monitoring tools.

Target spokeswoman Molly Snyder said the company investigated but ultimately dismissed early signs of a data breach. "Based on their interpretation and evaluation of that activity, the [Target security] team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different," she said.

Target isn't alone in making such mistakes, says Joe Schumacher, a security consultant for Neohapsis, a security and risk consulting company.

"I have seen enterprises roll out very expensive systems to handle security monitoring, yet there is no subject matter expert for this technology or risks within the enterprise," he said.

Often, companies deploy security technologies with default alerts, resulting in many false positive warnings, Schumacher added.

"Any organization looking to implement security technologies should make the same investment in their people to help configure the technology," he said.

Eric Chiu, president and co-founder of HyTrust, a cloud security company, added that companies often ignore security alarms because they are numb to them, they get too many false warnings or because they are understaffed.

"You can have all the alarms you want, but unless you put security in a prominent position in the company and have enough staff to review them, those alarms don't mean anything," he said.

While alarms are great at signaling that something bad may be happening, they're just a means to monitor for inappropriate actions, he said.

In Target's case, a newly installed a network monitoring tool from security vendor FireEye alerted Target security personnel of malware on its networks on two separate occasions before it was hit by hackers, according to a Bloomberg BusinessWeek report. The installation of the tool cost Target around $1.6 million, according to Bloomberg, which interviewed several former Target employees, law enforcement officials and security researchers familiar with the case.

According to the report, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target's headquarters in Minneapolis, who apparently failed to follow up.

The retailer's security pros should have been able to shut down the attack relatively easily had officials acted on the warnings, sources told Bloomberg. Target's Symantec Endpoint protection software also detected the "absolutely unsophisticated and uninteresting" malware early on and pointed to the same server identified by the FireEye alerts, the report said.

The FireEye system could have been configured to automatically remove the threat, but apparently because the software was new and untested at Target, the feature wasn't activated.

Such incidents show why IT operations can't depend on technology alone to secure business networks, said Gartner analyst Avivah Litan. Companies also need strong security polices and processes for managing systems -- and for dealing with alerts, she said.

"In this case, Target apparently fell short on process and policies -- they had the technology piece down," Litan noted.

She added Target's response is typical for large organizations. "In fact, I have heard several times and from several sources that in the case of each large breach over the past few years, the alarms and alerts went off but no one paid attention to them."

Jeremy Kirk of the IDG News Service contributed to this story.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

This story, "Major companies, like Target, often fail to act on malware alerts" was originally published by Computerworld.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies