Report: Target failed to execute security basics


Verizon consultants probed Target’s network for weaknesses in the immediate aftermath of the company’s 2013 breach and came back with results that point to one overriding, if not dramatic, lesson: be sure to implement basic security best practices.

In a recent KrebsOnSecurity post, Brian Krebs details Verizon’s findings as set down in a Target corporate report.

The findings demonstrate that it really is important to put in place all the mundane security best practices widely talked about, and that without them even the best new security platforms can’t defend against breaches.

Here are six things Target did wrong both before and immediately after the breach that contributed to the theft of information from 40 million credit and debit cards.

Failure to segment networks: From the post: “‘[N]o controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.’ … In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.”

Poor password policy enforcement: From the post: “The Verizon consultants discovered a file containing valid network credentials being stored on several servers. The Verizon consultants also discovered systems and services utilizing either weak or default passwords. Utilizing these weak passwords the consultants were able to instantly gain access to the affected systems.

“The Verizon security consultants identified several systems that were using misconfigured services, such as several Microsoft SQL servers that had a weak administrator password, and Apache Tomcat servers using the default administrator password,” the report observes. “Through these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and to eventually gain domain administrator access.”

Weak passwords: From the post: “Within one week, the security consultants reported that they were able to crack 472,308 of Target’s 547,470 passwords (86 percent) that allowed access to various internal networks, including;,;;;;; and” The post says that Verizon consultants also cracked 12 (34%) of 35 admin domain passwords.

Lax patch management: From the post: “For example, the Verizon consultants found systems missing critical Microsoft patches.”

Running outdated, vulnerable services: From the post: “… running outdated [web server] software such as Apache, IBM WebSphere, and PHP. These services were hosted on web servers, databases, and other critical infrastructure,” the report notes. “These services have many known vulnerabilities associated with them. In several of these instances where Verizon discovered these outdated services or unpatched systems, they were able to gain access to the affected systems without needing to know any authentication credentials.”

Insufficient authentication requirements: From the post: “Verizon and the Target Red Team exploited several vulnerabilities on the internal network, from an unauthenticated standpoint. The consultants were able to use this initial access to compromise additional systems. Information on these additional systems eventually led to Verizon gaining full access to the network — and all sensitive data stored on network shares — through a domain administrator account.”

