Tuesday, August 26, 2014

How Did The Lowly Point-of-Sale System Get The CEO Fired?

There has been a lot of attention paid to vulnerabilities in Point-of-Sale systems since the breaches at Target became front-page news during the 2013 Christmas season.  And for good reason: some 40 million credit and debit card numbers were stolen in the breach. This led Target to decide to spend approximately $100 million on Chip-and-PIN (EMV) credit card technology.  Other retailers in the US, including Sam's Club, have recently decided to adopt EMV chip technology.  Over in Europe, 95% of credit card terminals are EMV chip enabled.  And that's great, because EMV technology is more secure than the mag-stripe cards that are dominant in the US.

The only problem is that Target isn't even closing the barn door after the cows have gotten out.  According to the highly respected security blogger Brian Krebs (http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/ ), this fix doesn't address the problems that led to the breach in the first place.  In Target's case, what's needed from a security standpoint is end-to-end encryption (encryption-at-rest and encryption-in-transit).  And, "Yes," the "in transit" part includes inside the production network.

So that brings up the question of why Target is spending money on a fix that doesn't address the security issue.  I don't have any special knowledge of the inner workings of the Target Board of Directors, but I'm going to guess that it was more important to the Board to fix the PR problem than the security problem.  And end-to-end encryption is not tangible enough to Target's customers to address the PR side of the equation.  But I could be wrong.  Maybe they hired a consultant and the consultant made that recommendation.  Maybe both are true.

All of which brings us to another issue brought on by the breach. Target didn't have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) at the time of the breach.  On June 11, 2014 they hired Brad Maiorino from GM.  This was after Chairman of the Board, President and CEO Gregg Steinhafel announced he would be resigning.  And that was after Target announced that they had hired a new Chief Information Officer (Bob DeRodes).

Again, I have no special knowledge of the inner workings of Target or the psychology of its employees, but I'm going to guess that the last nine months at Target have been confusing and demoralizing for its employees - from top to bottom.  And all because of a breach of the Point-of-Sale systems.

There have been a lot of articles and blogs written about the technical aspects of the breaches, but I'm going to suggest that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is to blame - or rather a lack of attention to the governance aspects of COSO.  And let's not forget Control Objectives for Information and Related Technology (COBIT).

In addition to articles about the technical aspects of the Target breach, there have also been a number of articles about the need for corporate boards to focus more of their attention on Cyber-Security.  And I think the Target breach is a good example of what can happen when there is insufficient attention paid to Information Security matters.

And I'm going to predict that we haven't heard the last of Information Security issues where Target is concerned.  Why?  Because that new CISO reports to that new CIO (as opposed to, say, the CFO).  And why would that be a problem?  The CIO has to make difficult technology budget decisions - and, after all, the company just spent $100 million to address those concerns.  Right?  If Information Security is to have the ear of the Board, then there must be a conversation at that table.  If that conversation happens in the CIO's office instead, how does the Board know they have heard all the relevant issues, all the risks, and all the opinions about the importance of those risks?  It's something to think about.  And we've already seen what can happen if insufficient attention is paid to Information Security.
