
Continued: Growing computer connections between vendors and businesses give hackers many points of entry

  • Article by: JENNIFER BJORHUS and JIM SPENCER , Star Tribune
  • Last update: February 11, 2014 - 3:47 PM

Not enough

Still, it wasn’t enough.

Point of sale systems are particularly vulnerable, TrustedSec’s Kennedy said, because companies typically don’t want to make changes to them, such as adding security enhancements. After all, taking systems down for any length of time can directly affect sales.

“These POS networks are usually Swiss cheese,” Kennedy said. “They’re just terrible.”

McAfee’s Brown said he doesn’t think the industry’s safe-practice guidelines, called the Payment Card Industry Data Security Standards and referred to as PCI, do much to address the data vulnerabilities in a company’s supply chain.

“It doesn’t explicitly call out third-party relationships like we’re talking about,” Brown said.

Bob Russo, general manager of the PCI Security Standards Council, said the guidelines require merchants to use what’s called “two-factor authentication” for all third parties using remote network access to a company’s network, if the access could lead to the area where cardholder data exists. Such login verification requires two out of three things, he said: something you have (such as a smart card), something you know (a password) or something you are (fingerprint or eye scan, for instance).

Vendors need watching

The PCI standards don’t specifically address all vendor connections or require formal vendor risk assessments, Russo said in a written response to questions, but vendor connections should be part of the annual risk assessment companies are required to conduct.

PCI standards don’t require card encryption at the point of sale, which means there’s a millisecond after a swipe when information is out in the open, unencrypted.

“The key message here is to understand the security controls your vendors and business partners have in place when allowing them access to your network,” said Chad Boeckmann, CEO of Secure Digital Solutions in Minneapolis. “I know many big companies conduct those exercises, but sometimes those exercises aren’t conducted frequently enough or they’re not conducted thoroughly enough.”

Cybercrime cost $113 billion in 2013 and exposed 435 million people to information theft, Frank Rosch of the computer security software firm Symantec told the Senate Judiciary Committee in a hearing last week. Targeted attacks on computer systems such as Target’s are expanding, he added.

Isle, at Adventium Labs, says a breach was probably inevitable given the Secret Service’s description of the criminals as relentless, well-organized and sophisticated.

“With unlimited people, time and money, they will get in,” said Isle. “Target may or may not have screwed up, but the people who came at them were good.”

Jim Spencer • 202-383-6123

Jennifer Bjorhus • 612-673-4683
