The IT folks at Target weren't stupid or lazy. They had actually done a lot of security work, but it wasn't enough. Modern enterprises are so large and complex that applying best security practices at all times and locations is just too much to ask.
But we all can do better. As a starting point, consider these six programming techniques, products and services which tend to minimize the most common of security problems.
We know that most attackers are lazy and looking for low-hanging fruit. The harder a target you make yourself, the less likely it is that you will be compromised.
This is #1 because it's so well-understood and so long-established as an effective defense against SQL injection, and yet it is still widely unused. Any programmers using SQL and not parameterizing your queries out there? Shame on you.
SQL injection is well-illustrated in the classic XKCD cartoon on this page. When a program blindly accepts input from a user and stuffs it into a string constructed as a SQL query, it allows an attacker to damage and steal data from the database. Enormous harm has been done through such sloppy programming.
Any decent programming environment provides facilities for parameterizing SQL queries. These facilities ensure that user input is passed to the database as data rather than as part of the query text, and you can add your own validation on top if you wish. Consider this example in PHP (PDO):
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); // placeholders, not string concatenation
$stmt->execute([':name' => $name, ':value' => $value]); // values are bound separately and are never parsed as SQL
Required reading: OWASP SQL Injection Prevention Cheat Sheet
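To show what parameterization actually buys you, here is an added example (not from the original article) in Python with the built-in sqlite3 module, which uses the same REGISTRY table as the PHP snippet above. The database, the rows and the input strings are constructed for the demonstration; the point is that the concatenated query changes its structure when the input contains a quote, while the parameterized query treats the same input as a plain value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with the REGISTRY table from the PHP example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE REGISTRY (name TEXT, value TEXT)")
    return conn


def insert_safe(conn: sqlite3.Connection, name: str, value: str) -> None:
    # Named placeholders, the sqlite3 equivalent of PDO's :name / :value.
    conn.execute(
        "INSERT INTO REGISTRY (name, value) VALUES (:name, :value)",
        {"name": name, "value": value},
    )
    conn.commit()


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: string concatenation lets the input rewrite the query itself.
    sql = "SELECT value FROM REGISTRY WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized: the driver sends the value separately from the SQL text,
    # so quotes inside it can never terminate the string literal.
    rows = conn.execute("SELECT value FROM REGISTRY WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    insert_safe(db, "alice", "a1")
    insert_safe(db, "bob", "b2")
    insert_safe(db, "o'brien", "c3")      # a legitimate name containing a quote
    tautology = "x' OR '1'='1"            # constructed hostile input
    print(lookup_safe(db, tautology))     # [] : no registry entry has that name
    print(lookup_unsafe(db, tautology))   # ['a1', 'b2', 'c3'] : the WHERE clause was rewritten
    print(lookup_safe(db, "o'brien"))     # ['c3'] : the apostrophe is just data
```

Note that the unsafe version also breaks on honest input: looking up "o'brien" through lookup_unsafe raises a syntax error, which is often the first sign in production logs that a query is being built by concatenation.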
The idea of two-factor authentication is that losing your username and password is not a killer problem, because you also need a second factor, typically some physical object that you have with you, in order to log in.
Two-factor authentication has been around for a long time, but has made few inroads in broad markets because it can be a gigantic pain to use. The aim of the new standards and of support by Microsoft and Google is to make two-factor authentication easy enough that users won't mind it. The image on this page is a Duo Security Android push notification used as a second factor for Lastpass, a password manager.
So far, perhaps the most successful implementation is EMV (Europay/MasterCard/VISA), also known as "chip and PIN." EMV is a standard for payment cards which is widely deployed in Europe and coming to the US over the next couple of years. It puts an embedded cryptographic processor in the card that talks to the card reader. In combination with a PIN entered by the user, it eliminates the incentive to steal card swipe information, because you need the physical card. (Unless the purchase is made online, which remains a weakness in the system, but we'll leave that for another day.)
Careless and erroneous management of identities and credentials is a major source of security incidents. The previous page of this gallery on two-factor authentication describes one of the main and best techniques for securing authentication, but today it's not a practical solution in all cases.
All operating systems perform some amount of IAM (Identity and Access Management) and may be extensible by third parties so that the operating system directory can be used to authenticate access to other applications. All of that is generic talk for Microsoft Active Directory, the widely-disliked system that nearly everyone uses. Working with Active Directory, especially in a multi-site, federated network, can be a major pain.
Enterprises and other managed networks often need to use an IAM solution, such as those from OneLogin, IBM and Computer Associates, that allows better maintenance of identity whether or not the application is part of Active Directory.
Increasingly, enterprises are concerned about migrating to cloud services such as Google Apps, SalesForce or Office 365 without creating an authentication mess. In such cases, a cloud-based IAM solution such as that from OneLogin may be the best long-term solution.
This is one of those things that everyone knows now they should do, but it's still a hard thing, particularly in light of some botched recent updates by some big companies. Enterprises can mitigate the immediacy of many updates with a good NGFW/IPS system that is aggressively updated.
Security research shows that this is a problem which has been lessening over the years, as update systems have become more automatic.
There's an added level of complexity to it, as different companies have different policies regarding the period of time they will provide patches to a particular generation of software. For many, such as Apple, once the new generation appears, updates for the old ones are limited or nonexistent. For instance, since iOS 8 appeared, there have been no updates for iOS 7, so there may be an imperative to upgrade to the new generation for security reasons, not just to apply patches to the old one.
Even Microsoft, which provides security updates for products for ten years, will include new architectural security features in new versions of Windows that are not in the older ones. Therefore, from a security standpoint, you're always better off running the latest generation of Windows (currently 8.1), although it may not be practical to do so.
Once an organization reaches a certain size, central management of the process is necessary. For mobiles, that means an EMM solution. For Windows desktops it means a patch management solution, often part of a larger system management solution. The patch manager pictured here is from SolarWinds.
XSS (cross-site scripting) might be better termed "HTML/script injection" because that's what it is: The insertion of code into a page by a page on another domain.
The usual vector for this attack is a script trusting the input from a user in a field without sufficiently checking the contents for invalid text. The screen capture on this page shows a hacker causing VK, a Russian social network, to raise an alert. The same technique can be and has been used to insert more malicious code.
As OWASP says in their typically invaluable XSS (Cross Site Scripting) Prevention Cheat Sheet: "While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack."
The eight rules (numbered zero through seven) deal with escaping input, such as turning double quotes (") into (&quot;).
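As an added example (not from the article or from OWASP), the following Python code implements the first two of those rules: rule 1 entity-encodes untrusted data placed in HTML element content, and rule 2 hex-encodes every non-alphanumeric character of untrusted data placed in an attribute value. The comment-rendering functions and the input strings are constructed for the demonstration; the unsafe renderer is shown only so the difference is visible in the output.

```python
# Rule 1 (OWASP XSS Prevention Cheat Sheet): encode the six characters that
# matter in HTML element content.
_BODY_ESCAPES = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}


def escape_html_body(untrusted: str) -> str:
    """Make untrusted text safe to place between HTML tags."""
    return "".join(_BODY_ESCAPES.get(ch, ch) for ch in untrusted)


def escape_html_attr(untrusted: str) -> str:
    """Rule 2: inside a quoted attribute value, encode everything but ASCII
    alphanumerics as &#xHH; so no character can close the quote or the tag."""
    out = []
    for ch in untrusted:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):02X};")
    return "".join(out)


def render_comment(author: str, text: str) -> str:
    """Constructed template: author goes into an attribute, text into the body."""
    return (
        f'<div class="comment" title="{escape_html_attr(author)}">'
        f"{escape_html_body(text)}</div>"
    )


def render_comment_unsafe(author: str, text: str) -> str:
    """The same template with the input trusted as-is (what the VK screenshot shows)."""
    return f'<div class="comment" title="{author}">{text}</div>'


if __name__ == "__main__":
    body_payload = "<script>alert(1)</script>"            # constructed hostile input
    attr_payload = '" onmouseover="alert(1)'              # tries to break out of title="..."
    print(render_comment_unsafe(attr_payload, body_payload))
    print(render_comment(attr_payload, body_payload))
```

Which escaping function you call depends entirely on where the data lands in the page; rule 1 output is not safe inside an attribute, a script block or a URL, which is why the cheat sheet has separate rules for each context.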
Classic anti-malware techniques work on blacklisting, i.e. checking programs against a list of known bad programs.
Where possible, a better approach is whitelisting: Nothing is allowed to run unless it's specifically permitted. The image on this page is of Microsoft Applocker, a standard feature of domain-manageable editions of the operating system. An administrator can define rules to allow or exclude specific programs. Since it operates through Active Directory Group Policy, the rules can be made to apply to specific users or groups of users.
Whitelisting helps when a user or system is tricked into running an executable which is not what it appears to be. But malicious code can still be run on the system through vulnerability exploits, so whitelisting isn't a complete block on it.
Whitelisting has been an important part of mobile operating systems management for some time. EMM (Enterprise Mobility Management) solutions often provide an "enterprise app store" to which IT can restrict users, and allow only corporate and approved outside apps in it.
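To make the blacklist/whitelist distinction concrete, here is an added example (not AppLocker's code or any vendor's) of a toy policy evaluator in Python. It borrows AppLocker's general shape, ordered allow/deny rules keyed on a file hash or a path pattern, with an explicit deny winning and everything unmatched falling to the default. The executables are stand-in byte strings and the paths are constructed; the point is how the same unknown file is treated under each default.

```python
import hashlib
from fnmatch import fnmatch


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample rule set, loosely modelled on AppLocker's rule kinds.
# Each rule is (kind, action, pattern); kind is "hash" or "path".
RULES = [
    ("hash", "deny", sha256(b"known malware sample")),   # classic blacklist entry
    ("path", "allow", "C:/Program Files/*"),            # only admins write here
    ("hash", "allow", sha256(b"approved corporate tool")),
]


def evaluate(path: str, data: bytes, rules=RULES, default: str = "deny") -> str:
    """Whitelisting: nothing runs unless a rule allows it; an explicit deny always wins."""
    digest = sha256(data)
    decision = None
    for kind, action, pattern in rules:
        if kind == "hash":
            matched = pattern == digest
        else:
            matched = fnmatch(path, pattern)
        if not matched:
            continue
        if action == "deny":
            return "deny"
        decision = "allow"
    return decision or default


def blacklist_only(path: str, data: bytes, rules=RULES) -> str:
    """Classic anti-malware model: allow unless the hash is on the known-bad list."""
    denied = {p for kind, action, p in rules if kind == "hash" and action == "deny"}
    return "deny" if sha256(data) in denied else "allow"


if __name__ == "__main__":
    dropper = ("C:/Users/bob/Downloads/invoice.pdf.exe", b"never seen before")
    print(blacklist_only(*dropper))   # allow: nobody has listed it yet
    print(evaluate(*dropper))         # deny: nobody has approved it either
```

The hash rule is the strongest kind because any change to the approved file, even a single appended byte, produces a different digest and the file drops back to the default deny; the path rule is only as good as the write permissions on that directory, which is why AppLocker's default path rules point at locations that standard users cannot write to.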