Target Breach Takeaway: Secure Your Remote Access - InformationWeek

Comments
Roy Atkinson,
User Rank: Apprentice
2/21/2014 | 1:17:41 PM
The HVAC Account, Target, and the Real World
It is true that the HVAC account used to infiltrate Target should never have had access to the POS systems. But it did, and that was an IT mistake. However, some of the comments about the HVAC account having "read-only" access and so on indicate a lack of awareness of what really goes on. Vendors that install and maintain building systems such as HVAC, card readers for entry and the like own those systems, and IT's access to them is either non-existent or minimal. The vendors' concerns about security are also usually nonexistent. I have seen building control systems that have "admin" as the user and the company name as the password for years, and through the careers of multiple technicians. The systems in many (if not all) of the other buildings maintained by these vendors had the same exact credentials. The passwords were never changed when technicians left, no matter what the circumstances of that separation. Of course, IT could not get enforcement power over the vendors because of the siloed nature of the organizations. There are thousands of breaches waiting to happen.
prebil,
User Rank: Apprentice
2/11/2014 | 2:59:41 PM
Re: 2-factor or more factor
I agree. Hackers should never have been able to gain access to Target's payment processors via the HVAC system. Clearly this was poor network planning.  The company I work for has been providing secure remote access solutions - complete with granular access controls - to retailers for several decades. Most recently though, we introduced a new security solution designed to completely mask access to devices - like HVAC systems - except for authorized individuals. I invite you to learn more at http://www.netop.com/securem2m
Marilyn Cohodas,
User Rank: Author
2/11/2014 | 1:48:50 PM
Re: Lack of security at Target --details!
Mat Schwartz, quoting unnamed sources cited by journalist Brian Krebs, reported in InformationWeek 2/6

"...investigators now believe that Target's attackers first accessed the retailer's network on November 15, 2013, using access credentials that they'd stolen from Fazio Mechanical Services. Theoretically, those access credentials allowed attackers to gain a beachhead inside Target's network, and from there access and infect other Target systems, such as payment processing and point-of-sale (POS) checkout systems."

It's a good read. You can check it out here: http://www.informationweek.com/security/attacks-and-breaches/target-breach-hvac-contractor-systems-investigated/d/d-id/1113728.

rradina,
User Rank: Ninja
2/11/2014 | 10:31:06 AM
Re: Lack of security at Target
I don't know the details. Did they use the HVAC account to do all that, or did the HVAC account enable them to penetrate the perimeter defenses? Once inside, did they then leverage privilege escalation vulnerabilities in unpatched systems?
Drew Conry-Murray,
User Rank: Ninja
2/11/2014 | 9:51:37 AM
Re: 2-factor or more factor
The problem is the HVAC systems weren't dealing with payment data. Stronger authentication might have helped, but so would network segmentation. The attackers shouldn't have been able to leap from HVAC controls all the way to POS systems.
norris1231,
User Rank: Apprentice
2/10/2014 | 10:18:17 PM
Re: 2-factor or more factor
You nailed two of the most important factors. Authentication is a true security measure that should be identified as well as being on site. However, the overall remote process is vulnerable. Therefore, tight, very tight security measures must be taken to protect the business from any forms of threats. There are many security procedures that must take place, not just two.
Thomas Claburn,
User Rank: Author
2/10/2014 | 4:44:58 PM
Re: 2-factor or more factor
When dealing with people's payment data, two-factor authentication and being onsite should be requirements.
David F. Carr,
User Rank: Author
2/10/2014 | 3:46:10 PM
2-factor or more factor
Lori,

What approach do you recommend for 2-factor or multi-factor authentication? You said something about "at least" 2-factor should be required, but what do you really recommend?
Laurianne,
User Rank: Author
2/10/2014 | 2:28:58 PM
Security Leverage
"This is one area where you can use the Target example to your advantage, to light a fire under stakeholders." This will be a time to pick your battles and use your leverage from this incident, certainly. In what other areas is the Target incident helping you make security arguments, readers?
majenkins,
User Rank: Ninja
2/10/2014 | 2:06:53 PM
Re: Lack of security at Target
I work in IT also, and if the executives in your company never override your decisions on things like this, then you work for an unusual company in my experience and based on my discussions with other IT people at other companies.