Growing computer connections between vendors and businesses give hackers many points of entry

  • Article by: JENNIFER BJORHUS and JIM SPENCER, Star Tribune
  • Updated: February 11, 2014 - 3:47 PM

Target, other firms need stronger protections to prevent data thefts.

The cyberthieves who hit Target Corp. took advantage of a widespread and often overlooked weakness in corporate information security: third-party computer connections that can create a virtual back door to customer information.

Digital links with suppliers, contractors or consultants are essential to run a complex business in the Internet age. Yet, even as companies spend millions to bolster the security of their networks, the access vendors are given doesn’t get nearly enough attention, several information security professionals say.

Hackers gained access to Target’s computer systems through the stolen credentials of a heating and refrigeration contractor. Once inside, the thieves were able to move around and ultimately stole payment card data or personal information of up to 110 million Target customers.

Given that the typical Fortune 1000 company likely has thousands of active suppliers, hackers have plenty of ways to infiltrate, said Jeff Hall, a security consultant in the Twin Cities for Overland Park, Kan.-based FishNet Security.

“I’ve hacked companies through their elevator contractors,” Hall said.

Most companies don’t view third-party vendors as a major security threat, said David Kennedy, founder of the security firm TrustedSec in Strongsville, Ohio. Vendor management, as he describes it, is “extremely loose.”

Security pros consider the supply chain a critical security risk — ranking with the classic employee insider attack and the traditional hack, where an outsider ferrets out a hole in a company’s firewall.

“In the modern world, business-to-business connections are the weakest link,” said Brian Isle, founder of the Minneapolis-based cybersecurity firm Adventium Labs. “The first thing an attacker will do is look at who you do business with.”

One door opens many

Once a skilled hacker gains entry into a company’s network, they frequently can move around even if there’s segmentation such as firewalls with rules that restrict network traffic, said TrustedSec’s Kennedy. “The rest of it is basically wide open,” he said.

Investigations into Target’s hack, one of the largest recorded data breaches in U.S. history, continue. It’s not yet clear how cyberthieves stole the network access credentials from Fazio Mechanical Services Inc., a heating and refrigeration company in Sharpsburg, Penn., first identified by investigative security blogger Brian Krebs at KrebsOnSecurity as the point of entry.

It’s also unclear how they moved from vendor access to the point of sale systems in Target’s stores. That’s where malware was discovered that allowed hackers to collect unencrypted card data.

Isle, Kennedy and others encourage clients to run penetration tests, sometimes called Red Teaming, in which expert crews stage hack attacks to sleuth out vendor vulnerabilities and fix them so the bad guys can’t get in.

Until now, however, corporate information security efforts have focused more on the insider attack and the traditional outsider hacker, said Greg Brown, chief technology officer of Cloud and Internet of Things at McAfee, a leading computer security company based in Santa Clara, Calif. They generally haven’t been applied to the chain of third parties companies do business with, he said.

Fazio President Ross Fazio issued a statement last Thursday saying his company, too, was a “victim of a sophisticated cyberattack operation.”

“Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target,” Fazio said.

Citing the ongoing investigations, Target would not discuss its protocol for granting computer access to vendors or what firewalls it built to keep consumers’ credit card and personal data secure.

Target Chief Financial Officer John Mulligan testified in Congressional hearings last week that Target has invested “hundreds of millions of dollars” over the past several years in information security, including segmentation, malware detection, intrusion detection and prevention, and data loss prevention.
