Target Breach Underscores Need to Monitor Third-Party Network Access
Cyber-attackers compromised Target's network by stealing the credentials of an HVAC service firm, underscoring the importance of minimizing third-party access to networks.The group that stole more than 40 million credit- and debit-card accounts from retail giant Target's network reportedly gained access through the company's heating, ventilation and air-conditioning (HVAC) vendor, highlighting the importance of limiting third-party access to corporate networks, security experts said. On Nov. 15, attackers compromised the network of HVAC vendor Fazio Mechanical Services of Sharpsburg, Pa., and stole the company's credentials for Target's network, according to a Feb. 5 report by researcher and journalist Brian Krebs. Target issued a statement to news media last week saying that the investigation had identified a stolen username and password as the method by which the attackers got into its network. Target apparently did not place the network-connected HVAC systems on a sub-network separated from the rest of its systems, allowing attackers to use the compromised HVAC system as a launch pad for their other attacks on Target's network. Such configuration errors are common. Many companies allow vendors and contractors temporary access to their network to maintain or administer technology, and then forget to revoke their credentials, leaving them open to attack, Jody Brazil, CEO of security-policy firm FireMon, told eWEEK. "It is very possible that some store had a refrigeration issue and they needed to give the vendor access to certain systems, and so they circumvent it, and then don't undo the access," he said.
The incident underscores that companies should pay close attention to the level of access they give to third parties, as attackers frequently use smaller providers to compromise the networks of the larger companies who are their actual targets. In 2011, for example, Lockheed Martin stated that attackers attempted to get into its network by using a third party's systems.