Experts Question Security Used in Target Breach
Fri, February 14, 2014
CSO — The latest details from the Target breach investigation raise questions about the security the retailer had in place for third-party vendors accessing its partner portal and billing system.
In addition, the information uncovered by the blog KrebsOnSecurity revealed that the Target attack started with malware-carrying email used in a phishing attack against an outside vendor, which used a free version of anti-virus software for protection. More than 110 million consumers had credit card and personal data stolen in the breach of Target's electronic cash registers late last year.
Because the break-in started with an external vendor, security experts are asking whether that vendor had too much access to Target's systems and whether the retailer properly isolated the registers, called point of sale (POS) systems, from the rest of the network.
The hackers reportedly stole the login credentials of vendor Fazio Mechanical, a heating, air conditioning and refrigeration firm. Those credentials may have provided access to Target's external billing system, called Ariba, and its project management and contract submissions portal, called Partners Online, KrebsOnSecurity reported.
Such portals are usually separated from the rest of the corporate network to prevent malware from reaching sensitive information. Only highly skilled hackers could find a way around such network segmentation.
"Getting from a procurement portal to a cardholder data environment is a long road," Anton Chuvakin, analyst for Gartner, said.
KrebsOnSecurity reported that the Target portal might have been integrated with Microsoft software called Active Directory, which authenticates all logins to a Windows network. If the hackers broke into the directory, then they may have been able to find a way into other parts of the network.
Another possibility is that Target gave the vendor too much access to the network, which the hackers could then have exploited. If that's the case, then "the blame lies firmly with Target," Chuvakin said.
The Payment Card Industry Security Standards Council (PCI SSC), which sets standards retailers must follow in order to accept debit and credit cards, requires companies to limit and monitor network access to outside vendors. If Target were found to be in violation of PCI SSC rules, then the retailer would be liable for losses from the breach, as well as substantial fines.
While Fazio said earlier that it used "industry practices" for security, KrebsOnSecurity, quoting unnamed investigators in the Target breach, reported that the company's primary defense against malicious software entering its internal systems was the free version of Malwarebytes Anti-Malware.