Growing computer connections between vendors and businesses give hackers many points of entry

The cyber­thieves who hit Tar­get Corp. took ad­van­tage of a wide­spread and of­ten over­looked weak­ness in cor­po­rate in­for­ma­tion se­curi­ty: third-par­ty com­puter con­nec­tions that can cre­ate a vir­tual back door to cus­tom­er in­for­ma­tion.

Dig­i­tal links with sup­pli­ers, con­trac­tors or con­sult­ants are es­sen­tial to run a com­plex busi­ness in the In­ter­net age. Yet, even as com­panies spend mil­lions to bol­ster the se­curi­ty of their net­works, the ac­cess ven­dors are giv­en doesn't get near­ly en­ough at­ten­tion, sev­er­al in­for­ma­tion se­curi­ty pro­fes­sion­als say.

Hack­ers gained ac­cess to Tar­get's com­puter sys­tems through the sto­len cre­den­tials of a heat­ing and re­frig­er­a­tion con­trac­tor. Once in­side, the thieves were able to move around and ul­ti­mate­ly stole pay­ment card data card or per­son­al in­for­ma­tion of up to 110 mil­lion Tar­get cus­tom­ers.

Giv­en that the typi­cal For­tune 1000 com­pany like­ly has thou­sands of ac­tive sup­pli­ers, hack­ers have plen­ty of ways to in­fil­trate, said Jeff Hall, a se­curi­ty con­sult­ant in the Twin Cities for O­ver­land Park, Kan.-based Fish­Net Security.

"I've hacked com­panies through their el­e­va­tor con­trac­tors," Hall said.

Most com­panies don't view third par­ty ven­dors as a ma­jor se­curi­ty threat, said David Kennedy, found­er of the se­curi­ty firm TrustedSec. in Strongsville, O­hi­o. Ven­dor man­age­ment, as he de­scribes it, is "ex­treme­ly loose."

Security pros con­sider the sup­ply chain a criti­cal se­curi­ty risk — rank­ing with the clas­sic employee in­sid­er at­tack and the tra­di­tion­al hack, where an out­sid­er fer­rets a hole in a com­pany's fire­wall.

"In the mod­ern world, busi­ness-to-busi­ness con­nec­tions are the weak­est link," said Brian Isle, found­er of the Minneapolis-based cyber­security firm Adventium Labs. "The first thing an at­tack­er will do is look at who you do busi­ness with."

One door opens many

Once a skilled hack­er gains en­try into a com­pany's net­work, they fre­quent­ly can move around even if there's seg­men­ta­tion such as fire­walls with rules that re­strict net­work traf­fic, said TrustedSec's Kennedy. "The rest of it is bas­i­cal­ly wide open," he said.

Investigations into Tar­get's hack, one of the larg­est re­cord­ed data breach­es in U.S. his­to­ry, con­tin­ue. It's not yet clear how cyber thieves stole the net­work ac­cess cre­den­tials from Fazio Me­chan­i­cal Services Inc., a heat­ing and re­frig­er­a­tion com­pany in Sharps­burg, Penn., first iden­ti­fied by in­ves­ti­ga­tive se­curi­ty blogger Brian Krebs at KrebsonSecurity as the point of en­try.

It's also un­clear how they moved from ven­dor ac­cess to the point of sale sys­tems in Tar­get's stores. That's where malware was dis­cov­ered that al­lowed hack­ers to col­lect un­en­crypted card data.

Isle, Kennedy and oth­ers en­cour­age cli­ents to run pen­e­tra­tion tests, some­times called Red Team­ing, in which ex­pert crews stage hack at­tacks to sleuth out ven­dor vulnerabilities to fix so the bad guys can't get in.

Un­til now, how­ever, cor­po­rate in­for­ma­tion se­curi­ty ef­forts have fo­cused more on the in­sid­er at­tack and the tra­di­tion­al out­sid­er hack­er, said Greg Brown, chief tech­nol­o­gy of­fi­cer of Cloud and In­ter­net of Things at Mc­Afee, a lead­ing com­puter se­curi­ty com­pany based in San­ta Clar­a, Calif. They gen­er­al­ly ha­ven't been ap­plied to the chain of third par­ties com­panies do busi­ness with, he said.

Fazio Pres­i­dent Ross Fazio is­sued a state­ment last Thurs­day say­ing his com­pany, too, was a "vic­tim of a so­phis­ti­cat­ed cyberattack op­er­a­tion."

"Fazio Me­chan­i­cal does not per­form re­mote moni­tor­ing of or con­trol of heat­ing, cool­ing and re­frig­er­a­tion sys­tems for Tar­get," Fazio said.

Cit­ing the on­go­ing in­ves­ti­gat­ions, Tar­get would not dis­cuss its pro­to­col for grant­ing com­puter ac­cess to ven­dors or what fire­walls it built to keep con­sum­ers' cred­it card and per­son­al data se­cure.

Tar­get Chief Financial Officer John Mul­li­gan tes­ti­fied in Congressional hear­ings last week that Tar­get has in­vest­ed "hun­dreds of mil­lions of dol­lars" over the past sev­er­al years in in­for­ma­tion se­curi­ty, in­clud­ing seg­men­ta­tion, malware de­tec­tion, in­tru­sion de­tec­tion and pre­ven­tion, and data loss pre­ven­tion.

Not en­ough

Still, it wasn't en­ough.

Point of sale sys­tems are par­tic­u­lar­ly vul­nera­ble, TrustedSec's Kennedy said, be­cause com­panies typ­i­cal­ly don't want to make chan­ges to them, such as add­ing se­curi­ty en­hance­ments. Af­ter all, tak­ing sys­tems down for any length of time can di­rect­ly af­fect sales.

"These POS net­works are u­su­al­ly Swiss cheese," Kennedy said. "They're just terri­ble."

Mc­Afee's Brown said he doesn't think the in­dus­try's safe-prac­tice guide­lines, called the Pay­ment Card Industry Data Security Standards and re­ferred to as PCI, do much to ad­dress the data vulnerabilities in a com­pany's sup­ply chain.

"It doesn't ex­plic­it­ly call out third-par­ty re­la­tion­ships like we're talk­ing about," Brown said.

Bob Russo, gen­er­al man­ag­er of the PCI Security Standards Council, said the guide­lines re­quire mer­chants to use what's called "two-fac­tor au­then­ti­ca­tion" for all third par­ties using re­mote net­work ac­cess to a com­pany's net­work, if the ac­cess could lead to the area where card­hold­er data ex­ists. Such login ver­i­fi­ca­tion re­quires two out of three things, he said: some­thing you have (such as a smart card), some­thing you know (a pass­word) or some­thing you are (fin­ger­print or eye scan, for in­stance.)

Ven­dors need watch­ing

The PCI stand­ards don't spe­cif­i­cal­ly ad­dress all ven­dor con­nec­tions or re­quire for­mal ven­dor risk as­sess­ments, Russo said in a writ­ten re­sponse to ques­tions, but ven­dor con­nec­tions should be part of the annu­al risk as­sess­ment com­panies are re­quired to con­duct.

PCI stand­ards don't re­quire card en­cryp­tion at the point of sale, which means there's a mil­li­sec­ond af­ter a swipe when in­for­ma­tion is out in the open, un­en­crypted.

"The key mes­sage here is to under­stand the se­curi­ty con­trols your ven­dors and busi­ness part­ners have in place when al­low­ing them ac­cess to your net­work," said Chad Boeckmann CEO of Se­cure Dig­i­tal Solutions in Minneapolis. "I know many big com­panies con­duct those ex­er­cis­es, but some­times those ex­er­cis­es aren't con­ducted fre­quent­ly en­ough or they're not con­ducted thor­ough­ly en­ough."

Cyber­crime cost $113 bil­lion in 2013 and ex­posed 435 mil­lion peo­ple to in­for­ma­tion theft, Frank Rosch of the com­puter se­curi­ty soft­ware firm Sy­man­tec told the Senate Ju­di­ci­ar­y Committee in a hear­ing last week. Tar­get­ed at­tacks on com­puter sys­tems such as Tar­get's are ex­pand­ing, he add­ed.

Isle, at Adventium Labs, says a breach was prob­a­bly in­evi­table giv­en the Secret Service's de­scrip­tion of the crimi­nals as re­lent­less, well-or­gan­ized and so­phis­ti­cat­ed.

"With un­lim­it­ed peo­ple, time and mon­ey, they will get in," said Isle. "Tar­get may or may not have screwed up, but the peo­ple who came at them were good."

Jim Spencer • 202-383-6123

Jen­ni­fer Bjorhus 612-673-4683