Seeking Alpha

keu4bike's Instablog

keu4bike
Individual investor starting over on retirement saving way too late in life.
Does The Recent Data Breach Reflect Cracks In TGT's Infrastructure?
Jan 19, 2014 11:47 AM | about stocks: TGT

    They say that in investing, you should invest what you know. On Seeking Alpha, that translates to writing about what you know. I am not an investment professional. I understand compound interest. I understand inflation. I fear not having enough money at retirement.

    My background -- what I know

    I have worked in a lot of IT departments, and I have peeked under the hood of many more. I think I have a reasonable comprehension of what symptoms in the IT department tend to indicate for companies as a whole.

    I'm not an IT security professional. My specialty is data and databases. I have, in the past, done some development where security was a major consideration. Developers need to understand security so they can build that in. I feel like I have a minimally adequate understanding of security for a developer which probably puts me ahead of 90% of the people actually doing development in the U.S. Any true black hat hacker or security professional, however, will laugh at my knowledge and skill set.

    With that said, I thought I would take a look at the question of whether security breaches indicate general infrastructure problems within an organization.

    Security and Breach Vocabulary:

    Script Kiddies: Individuals with little or no true technical skill who run pre-packaged scripts to attack. In general, organizations that pay any attention to security are not at risk from script kiddies -- see penetration testers below.

    Kiddie Scripts: Scripts used by script kiddies. They're generally available on the internet, often for free. Most people in the security community -- black hat and white hat -- have a library of these things.

    Junior Penetration Tester: A white hat hacker who is paid to run kiddie scripts against your system and tell you what gets breached.

    Penetration Tester: A white hat hacker with considerable skill who performs a few tests on your system in addition to running the kiddie scripts.

    Sophisticated Attack: Anything that breached our system. Seriously, has any company that announced a breach ever admitted they were breached by anything less than a "sophisticated" or "advanced" attack? (Even Kiddie Scripts can seem pretty sophisticated to an old school security manager with a physical view of security.)

    Definition of Security:

    Like safety in investments, all security is relative and it involves a lot of trade-offs. If you ask somebody if a system is secure, and they answer "yes", fire them on the spot. They are either incompetent or lying. If you expect to hear "yes", either educate yourself or fire yourself. No system is secure. Any system can be breached. I don't think a true security professional can ever say "yes" about a system that can be turned on and plugged in.

    "Is the system secure?" is the wrong question to ask. The questions to ask are things like "How secure is the system?" or "Is the level of security adequate to the value of the information?" The other question is, are we implementing the usual and standard best practices?

    To the Question

    So, to our question, what can security breaches indicate about an organization? Can they offer clues to infrastructure inadequacies within an organization?

    I'm going to say the answer is: it depends on the breach. Because I am of the opinion that all systems are vulnerable, I'm going to say that anybody can be breached. The fact that an organization got breached doesn't mean much to me. The headlines are going to be the fact of the breach. The headlines mean bad press, and the company's stock may be down for a couple of weeks. In terms of indications about company infrastructure, though, breach headlines mean nothing.

    TGT got hit recently -- might be a good time to buy Target. Let's do some due diligence on the breach.

    You have to look at the facts of the breach. What do the security professionals say about the sophistication of the attack? How quickly was it identified? How quickly was it stopped? What was the company's response?

    Never trust the company's press release about the sophistication of the attack. The breached entity will always use terms like "sophisticated" or "advanced". Has anybody ever admitted to being cracked by a Script Kiddie? Go to the security blogs. What do the security professionals say about the attack?

    If the security professionals are using terms like "new", "novel", "advanced", "sophisticated", or "zero-day", then it probably really is sophisticated or advanced. The fact of the breach probably tells you nothing about the organization's IT.

    If the security professionals are saying things like "patch available" or "preventable", then you know that IT security at the organization is not keeping up.

    If you see terms like "well-known", "previously identified", the simple fact of the breach may tell you something about the organization's IT, but you have to dig a little further. Look at how long it has been well known and when it was previously identified. Has the organization had time to respond? Was it identified five years ago, or was it identified last week? In general, if the organization has had a month to patch the system and failed to do so, then the simple fact of the breach tells you something.

    Basic IT security these days includes utilizing automated penetration testing tools and employing penetration testers. Basic and well-known attacks simply shouldn't be able to get through. When a basic or well-known attack gets through, that speaks volumes -- negative volumes.

    In the case of the TGT breach, it seems to be a sophisticated new attack taking advantage of some known, but hard to address, vulnerabilities. The fact of the breach at TGT does not alarm me a great deal. Perhaps TGT should have had a more aggressive security stance, but their stance seems pretty standard and I don't think a pretty standard stance is going to stop this breach.

    In terms of what it says about TGT's management or TGT as an investment, I don't think it really says much. The industry standard security profile is a little lax and TGT is not out of line.

    The real key to looking at an attack is the identification of and response to the breach. How long was it going on? How difficult or easy was it to identify that the breach had happened? Did it last past one password change cycle? Were any hints or suggestions ignored?

    Sometimes organization press releases are helpful here, particularly if you have an IT background. Again, the security blogs are the place to look. Since all breaches are different, it's hard to quantify or provide guidelines. A very subtle breach may, reasonably, go undetected for six months, while a more obvious breach should be identified and shut down in minutes or hours. Many should be identified in daily or weekly log monitoring cycles. You will have to depend on the security blogs to get clues as to what the security professionals think about the response.

    In the case of the TGT data, the fact of the breach may have been hard to recognize, but the data being sent out of the organization was not. TGT should have recognized that somebody was sending huge volumes of data outside the firewall to unusual destinations. Yes, it happened on Black Friday when a data spike is expected. However, my opinion is that an organization like TGT probably should have noticed the data flow was above and beyond what was expected for Black Friday within 24 hours and identified that data flow as a threat within an additional 24 hours. From everything I have read, they completely missed the outbound data flow, and I fault them very heavily for that.

    Simply identifying the outbound data flow doesn't identify the vector. TGT would still have had a lot of work to do to figure out where the data was coming from. However, there is a good chance the data can be contained within the TGT firewall and no further information compromised. From what I have read, there is no indication this sort of reaction happened. I'll fault TGT heavily for that.
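    The outbound-volume check argued for above, as an added example that is not part of the original post and not Target's code: it compares each external destination's daily outbound byte count against that destination's own earlier baseline, applies an expected seasonal multiplier for Black Friday, and flags destinations that are new or far above expectation. The destinations, byte counts, multiplier and thresholds are constructed for illustration.

```python
"""Outbound-volume anomaly check over constructed daily flow summaries.

Added example, not code from the post or from Target. Models the check the
post argues for: compare each external destination's daily outbound bytes
with its own earlier baseline, allow an expected seasonal multiplier, and
flag destinations that are new or far above expectation.
"""
from collections import defaultdict
from datetime import date

BLACK_FRIDAY = date(2013, 11, 29)

# Constructed sample records: (day, destination, outbound_bytes).
SAMPLE_FLOWS = (
    # Two ordinary weeks of steady volume to two known destinations.
    [(date(2013, 11, d), "processor.example", 40_000_000) for d in range(14, 28)]
    + [(date(2013, 11, d), "cdn.example", 120_000_000) for d in range(14, 28)]
    + [
        # Black Friday: roughly 3x the usual volume at both known destinations.
        (BLACK_FRIDAY, "processor.example", 115_000_000),
        (BLACK_FRIDAY, "cdn.example", 350_000_000),
        # A never-before-seen host receiving a very large upload the same day.
        (BLACK_FRIDAY, "203.0.113.45", 9_500_000_000),
    ]
)


def daily_totals(flows):
    """Sum bytes per (day, destination)."""
    totals = defaultdict(int)
    for day, dst, nbytes in flows:
        totals[(day, dst)] += nbytes
    return totals


def find_outbound_anomalies(flows, day, seasonal_factor=1.0,
                            tolerance=1.5, new_dest_floor=100_000_000):
    """Return a sorted list of (destination, reason) for `day`.

    baseline = mean daily bytes to that destination on earlier days
    expected = baseline * seasonal_factor   (e.g. 3.0 on Black Friday)
    A known destination is flagged when actual > expected * tolerance.
    A destination with no history is flagged when actual >= new_dest_floor.
    """
    history = defaultdict(list)
    today = {}
    for (d, dst), nbytes in daily_totals(flows).items():
        if d < day:
            history[dst].append(nbytes)
        elif d == day:
            today[dst] = nbytes

    findings = []
    for dst, nbytes in sorted(today.items()):
        if dst not in history:
            if nbytes >= new_dest_floor:
                findings.append((dst, f"new destination, {nbytes:,} bytes"))
            continue
        baseline = sum(history[dst]) / len(history[dst])
        expected = baseline * seasonal_factor
        if nbytes > expected * tolerance:
            findings.append((dst, f"{nbytes / expected:.1f}x expected"))
    return findings


def black_friday_findings(seasonal_factor=3.0):
    """Run the check for the constructed Black Friday data."""
    return find_outbound_anomalies(SAMPLE_FLOWS, BLACK_FRIDAY, seasonal_factor)


if __name__ == "__main__":
    for factor in (1.0, 3.0):
        print(f"seasonal_factor={factor}:")
        for dst, reason in black_friday_findings(factor):
            print(f"  {dst}: {reason}")
```

    Without the seasonal multiplier every destination trips the threshold on Black Friday, which is the noise the post says an operator would expect; with the multiplier applied, only the unknown host with no history remains, which is the flow the post says should have been noticed within a day.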

    There are suggestions -- I don't know if it is fact or speculation -- that TGT had information about an increased frequency of compromised cards somehow associated with TGT. Even if they did know they were likely the source of the breach, knowing where to look is hard. I've been there, "Yes boss, I believe we are the source of the leak. I have no idea where it's coming from." Very frustrating. You simply have to make a plan to check everything you can think of and you have to work the plan systematically. The outbound data volume was there to see. I think it's a lack of attention to detail. However, since this notification may be rumor rather than fact -- hard to say what TGT knew and when -- it's hard to say this indicates an issue with TGT's infrastructure.

    In summation

    If you want to steal credit cards, you go where the credit cards are -- and retailers are the weak link in the chain right now. Retailers are going to get hacked. I don't fault TGT for being a target (no pun intended). I don't know how much you can say about a company for being a (lowercase) target.

    The entry and data collection was sophisticated. I don't fault TGT for the attack getting in. In general, I don't think you can fault organizations for entry of cutting edge attacks, but you can fault them for entry of lower-level and preventable attacks.

    The data exit from TGT was reportedly brute force and obvious. Apparently, this is something TGT should have identified and responded to much faster than they did. This raises questions in my mind about TGT's IT. It always raises questions when an organization fails to respond to an attack or doesn't even know they have been attacked.

    TGT's technical response to the breach raises questions in my mind about their infrastructure. These questions may or may not be valid, but they are enough that I wouldn't sleep well at night if I held the stock.

    Not all breaches are a negative indicator for the breached organization, and some, in fact, may create buying opportunities. The recent TGT breach -- at least for me -- is not.

    Disclosure: I have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

    Additional disclosure: No direct holdings in TGT or intent to buy any time soon. Probably long some ETF or fund that holds TGT.

    Themes: Retail, data breaches | Stocks: TGT

Comments (5)
  • Were there more weaknesses?

    There were two sets of data.
    Would the second set of data that affected 70 million customers be in the stores other than query at non-POS customer return counters back to a DB in home data center?

    Even if both sets were sent outside via FTP (let's at least hope it was SFTP), it does not mean it was collected at the POS scan device. What weaknesses does that show?

    http://bit.ly/1cJ69n5
    19 Jan, 03:29 PM
  • Author's reply » regarding FTP:

    You would think that in an organization as large as TGT, sensitive and financial data would be firewalled off from the intranet at large. Personally, I would be limiting outbound FTP from that area -- maybe blocking outbound FTP to force SFTP. You probably have data exchanges with specific IPs and IP ranges you have to allow, but I'm not sure you have to allow FTP or SFTP to the world at large. I'm not inside TGT, and I don't know what they had. I don't know what the attack evaded. I'm just looking from the outside thinking they're missing security in layers, and I'd certainly want to know what that big chunk of data going from my financial area to an unknown server is.
    20 Jan, 08:59 AM
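The egress policy sketched in the author's reply above, as an added example that is not code from the post or from Target: a cardholder segment that may only reach a few allow-listed exchange partners on specific ports, with plain FTP refused so that SFTP is the only file-transfer path. The segment range, partner ranges, ports and flow records are constructed placeholders.

```python
"""Egress allow-list check for a segmented financial/cardholder network.

Added example, not code from the post or from Target. Models the policy in
the reply: the cardholder segment may only reach explicitly allow-listed
exchange partners on specific ports, and plain FTP is refused everywhere
(forcing SFTP). All addresses and flows below are constructed placeholders.
"""
import ipaddress

CARDHOLDER_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # placeholder range
ALLOWED_EXCHANGE_PARTNERS = [
    (ipaddress.ip_network("198.51.100.0/24"), {22}),   # SFTP to a processor
    (ipaddress.ip_network("192.0.2.10/32"), {443}),    # HTTPS API endpoint
]
FTP_PORTS = {20, 21}


def evaluate_egress(src, dst, dst_port):
    """Return (verdict, reason) for one outbound connection attempt.

    Flows that do not originate in the cardholder segment are outside the
    scope of this policy and pass through as ("allow", ...).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in CARDHOLDER_SEGMENT:
        return ("allow", "source outside cardholder segment; not governed here")
    if dst_port in FTP_PORTS:
        return ("deny", "plain FTP blocked from cardholder segment; use SFTP")
    for network, ports in ALLOWED_EXCHANGE_PARTNERS:
        if dst_ip in network and dst_port in ports:
            return ("allow", f"allow-listed partner {network} port {dst_port}")
    return ("deny", "destination not on cardholder egress allow-list")


# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.50.3.21", "198.51.100.7", 22),   # SFTP to processor: allow
    ("10.50.3.21", "192.0.2.10", 443),    # API call: allow
    ("10.50.3.21", "198.51.100.7", 21),   # FTP even to a partner: deny
    ("10.50.3.21", "203.0.113.45", 21),   # FTP to unknown host: deny
    ("10.50.3.21", "203.0.113.45", 22),   # SFTP to unknown host: deny (not listed)
    ("10.20.1.5", "203.0.113.45", 21),    # corporate segment: out of scope
]


def audit(flows=SAMPLE_FLOWS):
    """Return the denied flows as (src, dst, port, reason) tuples."""
    denied = []
    for src, dst, port in flows:
        verdict, reason = evaluate_egress(src, dst, port)
        if verdict == "deny":
            denied.append((src, dst, port, reason))
    return denied


if __name__ == "__main__":
    for entry in audit():
        print(entry)
```

In production this policy lives in the perimeter firewall rather than in a script; the tabletop version makes the point of the reply visible: a transfer from the cardholder segment to an unknown host is refused whatever protocol it uses, and the refused attempt is itself the log line that would have drawn attention to the big outbound chunk of data.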
  • Author's reply » regarding the second set of data:

    It sounds almost like a database scrape. Based on what I have read, it was collected using the same in-memory technique, meaning the database may be encrypted at rest, and they just grabbed the data when it was pulled into RAM by users and applications. That's a guess -- a really wild-ass guess.

    Based on what I am reading/assuming about the data content, there has been until quite recently a tendency to regard that data as lower risk and less sensitive. That attitude is starting to change, but systems haven't caught up yet. I expect less supervision of this sort of data, and I don't expect it to be within a second firewall -- yet.

    In terms of the thought of my data being stolen, yes, I'm offended -- very offended. In terms of TGT's IT, they have work to do. In terms of TGT's security policies, they need a review. In terms of implications for TGT's infrastructure and how I view TGT as an investment, I am absolutely not comfortable suggesting the second breach indicates any issues with TGT's infrastructure.
    20 Jan, 09:23 AM
  • For those who might not yet be caught up, this link will help a little:
    cybercrime-firm-says-u...
    http://on-msn.com/LD1i1r
    19 Jan, 04:51 PM
  • A couple of good resources for late Jan updates

    29 Jan 2014, Krebs on Security: New Clues in the Target Breach
    http://bit.ly/1afixQY
    Dell SecureWorks
    http://bit.ly/1afizID
    2 Feb, 11:00 AM