By Jack Rosenberger
In the wake of the news that Target’s profit fell more than 40 percent during the fourth quarter of 2013, due in large part to a data breach that affected up to 110 million customers, CIO Insight interviewed Eric Cole, a SANS Institute Faculty Fellow and the head of SANS’s Cyber Defense Foundations program, about the Target breach, how the retailer’s lack of a chief security officer (CSO) might have affected the incident’s outcome, the complicated relationship between CIOs and CSOs, and upcoming cybersecurity trends.
A lot of people were surprised when Beth M. Jacob, Target’s CIO, resigned last week, following the fallout from the retailer’s massive data breach. What are your thoughts about these events?
Eric Cole: When a major event like this occurs, someone needs to be held responsible for the negligence. Therefore, it is not surprising that someone was blamed for the breach. What was surprising, however, is that security was a responsibility of the CIO. The fact that a large organization did not have a separate CSO, who is a peer with the CIO, is most concerning about this story.
Clearly, many things went wrong during the Target breach and whoever had the responsibility of security needs to be held accountable. However, it was not fair that the executives structured the company in the way they did. Running the IT infrastructure, which is typically a role of the CIO, and protecting the information, which is typically a role of the CSO, are two different roles. It is unfair to have one person expected to do both effectively.
What should Target have done to prevent the data breach or mitigate its impact, but didn’t?
First and foremost, organizations of any size, especially one the size of Target, need to have an executive that is responsible for security. With the large interdependence that organizations have on a digital infrastructure, security needs to have a seat at the table in the boardroom. If security gets buried under IT, whose primary responsibility is running a reliable infrastructure, bad decisions will be made and breaches will happen.
Second, there should have been a more keen focus on both the infrastructure and device security. From an infrastructure perspective, better segmenting with proper boundary defense would have reduced the impact of one system having full visibility into the entire network. From a device security perspective, organizations need to perform asset inventory, configuration management and strict change control. Organizations cannot protect what they do not know. If the organization had more carefully tracked and secured the devices on its network, it could have better managed the impact of the breach.
What’s your opinion of Target’s cryptology practices?
The golden rule of cryptography is “the secrecy of the information is based on the secrecy of the key, not the secrecy of the algorithm.” Key management is the core to success in using cryptography. In the case of Target, plain text, unencrypted information was stolen. Therefore, if the information is not encrypted and protected at all times, an organization is only as secure as the weakest link. If you do not encrypt the information, cryptography cannot do its job.
In order to ensure success with cryptography, organizations must follow three core components of the cryptographic lifecycle: 1) protecting the information at rest, 2) protecting the information in transit, and 3) protecting and managing the keys. There is no partial credit with security. If an organization does not all do all three, cryptography will not work correctly.
Target had a CIO, but not a CSO. How might the lack of a CSO have contributed to Target’s data breach?
Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have a reliable infrastructure and proper protection of information. If an organization only has a CIO and not a CSO, no one is focusing in on security, which means bad things will happen. Lack of a CSO means a lack of security.
It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives. There needs to be a communication path from the engineers to the CEO, and the CSO is that channel. Without a CSO, the proper security communication does not make it to the executives. Therefore, if the Target executives had received the proper information about security, my guess is they would have made different decisions and this story would potentially have a happy ending.