Wednesday, March 26, 2014
Cyber security and data breaches remain front and center on the Congressional radar as the Senate Commerce Committee today holds a hearing on protecting consumers from data breaches.
The witness list includes John Mulligan, vice president and chief financial officer at Target, and Dr. Wallace Loh, president, University of Maryland. There's an insurance industry witness too, with Peter Beshar, executive vice president and general counsel, Marsh & McLennan, giving testimony.
Recent data breaches at Target and the University of Maryland highlight the fact that organizations across many different business sectors are vulnerable to cyber attacks.
The February 18, 2014 UMD data breach compromised an estimated 309,079 student, faculty and staff records, including names, birth dates, university ID numbers and Social Security numbers.
The massive 2013 data breach at Target during the holiday season exposed the financial and personal information of as many as 110 million consumers.
A report released yesterday by the U.S. Senate Commerce, Science and Transportation Committee suggests that Target missed a number of opportunities to prevent the massive data breach. Hat tip to Reuters via Huffington Post, which reports on the findings here.
The Senate staff report, titled "A Kill Chain Analysis of the 2013 Target Data Breach," says the key points at which Target apparently failed to detect and stop the attack include:
● Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor's weak security allowed the attackers to gain a foothold in Target's network.
● Target appears to have failed to respond to multiple automated warnings from the company's anti-intrusion software that the attackers were installing malware on Target's systems.
● Attackers who infiltrated Target's network with a vendor credential appear to have successfully moved from less sensitive areas of Target's network to areas storing consumer data, suggesting Target failed to properly isolate its most sensitive network assets.
● Target appears to have failed to respond to multiple warnings from the company's anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target's network.
The report analyzes what has been reported to date about the Target data breach, using the "intrusion kill chain" framework, an analytical tool introduced by Lockheed Martin security researchers in 2011, and widely used by information security professionals today.
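To make the four findings above concrete from a defender's side, here is an added example (not from the Senate report or from Target) that tags constructed alert lines with Lockheed Martin kill chain stages, then surfaces the two patterns the report describes: repeated warnings at one stage that nobody acknowledged, and an account reaching a network zone outside the segmentation policy it is assumed to have. Sensor names, account names, zones and the policy table are all assumptions for the illustration.

```python
"""Kill-chain triage over constructed alert lines: which stages produced
warnings nobody acted on, and which accounts crossed a zone boundary."""
from collections import Counter

# Lockheed Martin intrusion kill chain stages, in order.
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives")

# Constructed sample alerts (not real data). Space-separated fields:
# timestamp sensor kill_chain_stage account network_zone status
SAMPLE_ALERTS = [
    "2013-11-15T09:02Z vpn-gateway delivery hvac-vendor vendor-dmz acked",
    "2013-11-30T02:11Z anti-intrusion installation svc-update pos-segment unacked",
    "2013-11-30T02:14Z anti-intrusion installation svc-update pos-segment unacked",
    "2013-12-02T04:40Z netflow actions_on_objectives hvac-vendor cardholder-data unacked",
    "2013-12-02T05:10Z anti-intrusion actions_on_objectives svc-update pos-segment unacked",
]

# Assumed segmentation policy: the zones each account may legitimately reach.
ALLOWED_ZONES = {"hvac-vendor": {"vendor-dmz"}, "svc-update": {"pos-segment"}}


def parse_alert(line):
    """Split one alert line into a dict; reject unknown kill chain stages."""
    ts, sensor, stage, account, zone, status = line.split()
    if stage not in KILL_CHAIN:
        raise ValueError(f"unknown kill chain stage: {stage}")
    return {"ts": ts, "sensor": sensor, "stage": stage,
            "account": account, "zone": zone, "acked": status == "acked"}


def unacked_by_stage(lines):
    """Count unacknowledged alerts per stage, in kill chain order.
    Repeated unacked alerts at 'installation' and later at
    'actions_on_objectives' mirror the missed-warning pattern in the report."""
    counts = Counter(a["stage"] for a in map(parse_alert, lines) if not a["acked"])
    return {s: counts[s] for s in KILL_CHAIN if counts[s]}


def segmentation_violations(lines, allowed=ALLOWED_ZONES):
    """Return distinct (account, zone) pairs where an account reached a zone
    outside its allowed set, e.g. a vendor credential touching cardholder data."""
    seen = []
    for a in map(parse_alert, lines):
        pair = (a["account"], a["zone"])
        if a["zone"] not in allowed.get(a["account"], set()) and pair not in seen:
            seen.append(pair)
    return seen


if __name__ == "__main__":
    print(unacked_by_stage(SAMPLE_ALERTS))        # {'installation': 2, 'actions_on_objectives': 2}
    print(segmentation_violations(SAMPLE_ALERTS))  # [('hvac-vendor', 'cardholder-data')]
```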
Check out an I.I.I. whitepaper on cyber risks and insurance here.