Target 2013 Breach: Understanding the Need for Secure Network Segmentation

A recent post from cyber security investigative reporter Brian Krebs does a great job of reminding IT and Information Security professionals everywhere why proper Network Segmentation is so important.

The post, “Inside Target Corp., Days after 2013 Breach”, goes into detail about how, once criminals infiltrated Target’s corporate network, they were able to run free within the network/domain, easily gaining access to individual point of sale (POS) systems, a.k.a. the cash registers!

By properly segmenting its network, Target could have minimized the level of access to sensitive systems, applications and data.

What is Network Segmentation?

Before diving into how Target might have thwarted its cyber criminals with proper Network Segmentation, let’s define what it is.

Network segmentation is the process of dividing a corporate network into sub-networks with each being referred to as a network segment. The act of network segmentation itself does not inherently make a network more secure. Corporate IT departments routinely segment their networks into subnets and LANs, with traffic between the segments potentially being restricted, but not completely separated and controlled.

When the primary goal is to increase security, Network Segmentation typically involves either physically (i.e. separate hardware) or logically (i.e. virtual systems) segregating networks into completely separate Local Area Networks (LANs).

Segmenting a network into separate LANs (or VLANs when referring to the virtual flavor) creates the opportunity to realize multiple benefits, including:

  • Enhanced control over traffic entering and leaving the LAN via firewall port rules and router Access Control Lists (ACLs).
  • Greater visibility of traffic, users and systems within the LAN, thanks to a scope narrowed to a specific business need/requirement.
  • Reduced attack surface, thanks to segregation from other Network Segments and a reduced number of users, rules/policies and systems within the LAN.
  • The ability to set a ‘Default Deny All’ policy that disallows all traffic between the various LANs unless it is explicitly permitted, which allows you to apply the Principle of Least Privilege.

What if Target had its Network Properly Segmented?

As the Krebs article pointed out: “Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.”

The attackers gained entry into Target’s network via a Trojan horse style of attack. Target allowed access to a vendor who unknowingly carried the virus with them on their infected system, and once inside the network there were no further barriers to keep the thieves from accessing any sensitive parts of it.

Assume that Target had four major groupings of systems within its corporate network: the Point of Sale systems, Corporate Infrastructure (HR, Marketing, Finance and Accounting, etc.), its e-Commerce web servers (Target.com), and its Payment Card Information databases (used for processing credit and debit card payments).

Based on the Krebs article, it is easy to assume that at the time of Target’s breach, there were few to no controls in place to limit traffic traversing between the different network segments.

[Figure: Target single network]

Now consider how Target may have benefited through the use of proper Network Segmentation, with each major grouping of systems encapsulated in its own secure LAN.

  • Each LAN is protected by a firewall and configured with strict rules and ACLs that regulate specifically who and what can communicate with the systems within it.
  • User access is limited only to approved systems and IP addresses, and a very small pool of system administrators (e.g. a dedicated management network).
  • Network monitoring utilities are configured to detect anomalies in network traffic like brute force attacks, failed authentication attempts or attempts to gain access via unapproved IP addresses.

[Figure: Target segmented network]
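The following is an added illustration, not code from the original post or from Target: a toy model of the ‘Default Deny All’ inter-LAN policy described in the benefits list above and the firewall rules, restricted administrative access and anomaly monitoring described in the three bullets for the segmented design. The segment names follow the post’s four groupings plus a vendor LAN and a dedicated management LAN; every address range, port, rule and log line is constructed for the example and is not Target’s real topology.

```python
"""Toy model of a segmented network with a default-deny inter-LAN policy,
plus simple anomaly detection over constructed firewall log lines."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed address plan (assumption for illustration only).
SEGMENTS = {
    "vendor": ipaddress.ip_network("10.10.0.0/24"),
    "corp": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),
    "ecommerce": ipaddress.ip_network("10.40.0.0/24"),
    "payment_db": ipaddress.ip_network("10.50.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),  # dedicated management LAN
}


@dataclass(frozen=True)
class Rule:
    src: str          # source segment name
    dst: str          # destination segment name
    port: int
    proto: str = "tcp"


# Explicit allow list; any inter-segment flow not listed here is denied.
ALLOW = {
    Rule("pos", "payment_db", 443),        # registers submit card transactions
    Rule("ecommerce", "payment_db", 443),  # web shop submits card transactions
    Rule("mgmt", "pos", 22),               # admins reach registers from mgmt only
    Rule("mgmt", "payment_db", 22),
    Rule("vendor", "corp", 443),           # vendor portal lives on the corp segment
}


def segment_of(ip):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, port, proto="tcp"):
    """Default Deny All: only flows with an explicit allow rule pass."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown address space is denied too
    if src == dst:
        return True             # intra-segment traffic is left to host controls
    return Rule(src, dst, port, proto) in ALLOW


# Constructed firewall log lines: "<action> <src> <dst> <port> <auth-result>"
SAMPLE_LOG = """\
ALLOW 10.30.1.5 10.50.0.10 443 ok
DENY 10.10.0.7 10.30.1.5 445 -
DENY 10.10.0.7 10.30.1.6 445 -
DENY 10.10.0.7 10.30.1.7 445 -
ALLOW 10.99.0.2 10.30.1.5 22 ok
DENY 10.10.0.7 10.50.0.10 1433 -
ALLOW 10.20.3.9 10.20.3.10 22 fail
ALLOW 10.20.3.9 10.20.3.10 22 fail
ALLOW 10.20.3.9 10.20.3.10 22 fail
ALLOW 10.20.3.9 10.20.3.10 22 fail
"""


def parse_log(text):
    for line in text.splitlines():
        action, src, dst, port, auth = line.split()
        yield action, src, dst, int(port), auth


def find_anomalies(text, deny_threshold=3, fail_threshold=3):
    """Flag sources whose flows are repeatedly denied at a segment boundary
    (a host touching systems it has no business reaching) and sources with
    repeated authentication failures."""
    denies, fails = Counter(), Counter()
    for action, src, dst, port, auth in parse_log(text):
        if action == "DENY" and segment_of(src) != segment_of(dst):
            denies[src] += 1
        if auth == "fail":
            fails[src] += 1
    alerts = []
    for src, n in denies.items():
        if n >= deny_threshold:
            alerts.append(f"cross-segment probing from {src} ({segment_of(src)}): {n} denied flows")
    for src, n in fails.items():
        if n >= fail_threshold:
            alerts.append(f"repeated auth failures from {src} ({segment_of(src)}): {n} failures")
    return alerts


if __name__ == "__main__":
    print("vendor -> POS SMB allowed?", is_allowed("10.10.0.7", "10.30.1.5", 445))
    print("POS -> payment DB TLS allowed?", is_allowed("10.30.1.5", "10.50.0.10", 443))
    for alert in find_anomalies(SAMPLE_LOG):
        print("ALERT:", alert)
```

The point the model makes is the one the post makes: with an allow list this short, a host on the vendor segment cannot reach a register at all, and an administrator can reach registers only from the management LAN, so a compromised vendor machine is confined to the segment it landed in. The denied flows that result are themselves a detection signal, which is what the monitoring bullet describes.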

In a scenario where the attackers gained access to Target’s corporate network via an outside vendor, the attackers would have been limited to only the systems within the LAN they gained access to (i.e. the attack surface would have been greatly reduced).

Further, even if criminals gained access to a sensitive network (e.g. the Point of Sale LAN), given that communication between that network and other networks is properly controlled, gaining access to sensitive data would be much more difficult.

*A big thanks to Jon Welch, Information Security Engineer and Networking Guru, for help with co-authoring this post.


2 thoughts on “Target 2013 Breach: Understanding the Need for Secure Network Segmentation”

  • This reminds me of “pass the hash” hackers can use to move laterally inside a network if the same admin usernames/passwords are used across servers. A friendly reminder to also use unique usernames and passwords on each server for all privileged accounts.

    • Unfortunately, using unique usernames and passwords across all servers is unrealistic and kind of defeats the purpose of using an LDAP system to centralize security and logical access restrictions.

      I’ll write a post soon on how to effectively mitigate the risks of pass the hash attacks while not abandoning the use of centralized logical access controls.
