As if sustaining your own IT security data breach wasn’t enough, Target is now looking at the very real possibility that the attackers hacked their way in using access credentials stolen from an…wait for it…environmental systems contractor.
Investigators from the Secret Service, which is leading the investigation, recently visited the offices of Fazio Mechanical Services, a refrigeration and HVAC (heating, ventilation, and air conditioning) systems provider based in Sharpsburg, Pennsylvania, according to blogger Brian Krebs, who broke the story on February 5th. Officials at Fazio reportedly confirmed that the Secret Service had indeed visited their offices but declined to comment on it.
So here’s the kicker. According to “unnamed sources” cited by Krebs, investigators now believe that Target’s attackers first accessed the retailer’s network on November 15—well ahead of the Holidays using access credentials that they’d stolen from Fazio Mechanical Services. What??
Theoretically, those access credentials allowed attackers to gain a beachhead inside Target’s network, and form a platform to infect other Target systems, such as payment processing and point-of-sale checkout systems. This is horrifying on so many IT security levels.
IT Security Exposure
First, the idea that the Maytag repairman (to use a loose analogy) could provide access to the corporate jewels is a chilling thought and, a nightmare for IT departments. So, when you consider the scope of keeping both your in-house information security operations secure, as well as the access from every vendor your company works with, the Target fiasco can be considered a very loud wake up call.
Evidently, HVACs are now IP-addressable appliances, which means that they have network access. Logins are now required to remotely manage settings or to look at problems within the network or their devices (the darker-side of the Internet of Things.)
IT Security Requires Systemic Prevention
Of course, questions relating to the Target breach should now focus systemically on the IT security practices in place at their suppliers as well as the controls in place at Target. As you may or may not know, the Payment Card Industry Data Security Standards (PCI-DSS) regulations which provide security guidelines for the retail payment card industry, says that a company is responsible (read liable) for any third-party contractor’s security problems.
In fact, the PCI requires the "incorporation of two-factor authentication for remote access to the network by employees, administrators, and third parties." That puts the Target IT security breach in a whole new light. It’s not enough to worry about carefully crafted and precisely handled internal compliance. Now it becomes a much bigger issue. And, there is absolutely no way the depth and breadth of the relationships can be set up, tested and confirmed manually.
It’s possible that multiple vendors have access to your login credentials right now. And it’s possible for just one of those firms to have hundreds of technicians who require access on a revolving basis. In other words, login credentials issued to an administrator on Monday may be used by someone else on Friday. Believe me, no one can manage privileges in this manner and secure access to their systems. In today’s world of enterprise applications, cloud subscriptions and federated access, only an automated identity and access management system can provide the thorough detection capabilities required to prevent similar IT security breaches.
Suddenly Target becomes not only the poster child for what can go wrong when you’re hacked—but an example of how many holes your enterprise may already have exposed.
You can now find a number of stories in the press with finger pointing between Target, Fazio, BMC Software (suggested as the third party vendor credentials that were stolen from Fazio), and let’s not forget the seventeen-year-old Ukrainian. But in the end, if you are ever unlucky enough to be at the center of this kind of firestorm, you can be certain the finger will point at you.
Begin your identity and access management initiative by following expert recommends for business process workflow automation, self-service administration and IT security.