Expect more data breaches as large and severe as the Target breach.
That’s the takeaway from our exclusive interview with security expert Jeff Williams. The types of security missteps a Senate committee recently cited in analyzing the Target incident are found in many organizations, he said. “The problem isn’t really Target,” he said. “The problem is systemic. This could have been anybody.”
How likely is it that this sort of incident will be repeated? “More breaches of the size and severity of the Target breach are inevitable, given the fact that the security practices Target used are widespread,” he said.
Williams, Chief Technology Officer and co-founder of a security firm, Aspect Security, is a founding member of the Open Web Application Security Project, a not-for-profit whose international mission is to improve the security of application software.
Here is Williams’ professional assessment of several of the key security mistakes cited in the March 26 Senate Commerce Committee report.
Giving network access to a third-party vendor whose security was weak.
Many big companies do business with small vendors that don’t have the same type of security systems in place, Williams said. Due to efficiencies of scale, “it’s difficult for a small vendor to achieve the same level of security as big companies,” he said.
Failure to respond to automated warnings that attackers were installing malware and automated warnings about the means the attackers intended to use to retrieve the stolen data from Target’s network.
Many companies ignore alarms because, in his experience, more than half of them are false. “It’s really, really common to not respond to automated warnings from protection software, because those devices alarm all the time,” Williams said.
Still, he thought it would have been good if Target had been able to figure out that the two sets of warnings were connected. “I’m surprised they didn’t take it more seriously,” he said. “I’m of two minds about this. It was pretty obvious from the warnings that this was a legitimate attack. It is really easy to ignore things that don’t reach some crazy threshold of alarm.”
Another security lapse that is cited in the Senate report:
Failure to properly isolate the most sensitive network assets.
“Most organizations that I have experience with would have that same problem,” Williams said. “It’s actually really difficult to segregate networks the way they’re suggesting here.”
Williams said that there’s no way to know precisely how many consumers’ files were stolen in the Target breach because “nobody records all the network traffic in and out.” Instead, he said, people look at log files and access times, and try to deduce what was taken. “The logs don’t capture nearly enough data,” he said. “They’re more about who went in and out of the building, not all the things they did inside the building.”
—Jeff Fox and Wendy Davis
Consumer Reports has no relationship with any advertisers or sponsors on this website. Copyright © 2006-2014 Consumers Union of U.S.