The group that stole more than 40 million credit- and debit-card accounts from retail giant Target's network reportedly gained access through the company's heating, ventilation and air-conditioning (HVAC) vendor, highlighting the importance of limiting third-party access to corporate networks, security experts said.
On Nov. 15, attackers compromised the network of HVAC vendor Fazio Mechanical Services of Sharpsburg, Pa., and stole the company's credentials for Target's network, according to a Feb. 5 report by researcher and journalist Brian Krebs. Target issued a statement to news media last week saying that the investigation had identified a stolen username and password as the method by which the attackers got into its network.
Target apparently did not place the network-connected HVAC systems on a sub-network separated from the rest of its systems, allowing attackers to use the compromised HVAC system as a launch pad for their other attacks on Target's network. Such configuration errors are common. Many companies allow vendors and contractors temporary access to their network to maintain or administer technology, and then forget to revoke their credentials, leaving them open to attack, Jody Brazil, CEO of security-policy firm FireMon, told eWEEK.
"It is very possible that some store had a refrigeration issue and they needed to give the vendor access to certain systems, and so they circumvent it, and then don't undo the access," he said.
The incident underscores that companies should pay close attention to the level of access they give to third parties, as attackers frequently use smaller providers to compromise the networks of the larger companies who are their actual targets. In 2011, for example, Lockheed Martin stated that attackers attempted to get into its network by using a third party's systems.
Companies should aim to have better visibility into their systems, Brazil said. "It is not new technology that we need to stop these attacks," he said. "We just need to use the old technology better."
Other security experts have reached similar conclusions. Most breaches are not the result of a lack of security technology or a problem with the main security standard for retailers, the Payment Card Industry's Data Security Standard (PCI-DSS), but with companies' ability to keep their systems compliant over time, according to business services and telecommunications firm Verizon.
Only 11.1 percent of companies comply with all 12 requirements of the PCI-DSS, although about 85 percent of the companies complied with 85 percent of the controls, according to a report released on Feb. 6.
"We continue to see many organizations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365-day-a-year focus," Rodolphe Simonetti, managing director of the PCI practice for Verizon Enterprise Solutions, said in a statement.
The Web site of Fazio Mechanical Services is currently down due to bandwidth issues, according to an error page.