Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Networking

    Target Breach Underscores Need to Monitor Third-Party Network Access

    By
    Robert Lemos
    -
    February 7, 2014
    Share
    Facebook
    Twitter
    Linkedin

      The group that stole more than 40 million credit- and debit-card accounts from retail giant Target’s network reportedly gained access through the company’s heating, ventilation and air-conditioning (HVAC) vendor, highlighting the importance of limiting third-party access to corporate networks, security experts said.

      On Nov. 15, attackers compromised the network of HVAC vendor Fazio Mechanical Services of Sharpsburg, Pa., and stole the company’s credentials for Target’s network, according to a Feb. 5 report by researcher and journalist Brian Krebs. Target issued a statement to news media last week saying that the investigation had identified a stolen username and password as the method by which the attackers got into its network.

      Target apparently did not place the network-connected HVAC systems on a sub-network separated from the rest of its systems, allowing attackers to use the compromised HVAC system as a launch pad for their other attacks on Target’s network. Such configuration errors are common. Many companies allow vendors and contractors temporary access to their network to maintain or administer technology, and then forget to revoke their credentials, leaving them open to attack, Jody Brazil, CEO of security-policy firm FireMon, told eWEEK.

      “It is very possible that some store had a refrigeration issue and they needed to give the vendor access to certain systems, and so they circumvent it, and then don’t undo the access,” he said.

      The incident underscores that companies should pay close attention to the level of access they give to third parties, as attackers frequently use smaller providers to compromise the networks of the larger companies who are their actual targets. In 2011, for example, Lockheed Martin stated that attackers attempted to get into its network by using a third party’s systems.

      Companies should aim to have better visibility into their systems, Brazil said. “It is not new technology that we need to stop these attacks,” he said. “We just need to use the old technology better.”

      Other security experts have reached similar conclusions. Most breaches are not the result of a lack of security technology or a problem with the main security standard for retailers, the Payment Card Industry’s Data Security Standard (PCI-DSS), but with companies’ ability to keep their systems compliant over time, according to business services and telecommunications firm Verizon.

      Only 11.1 percent of companies comply with all 12 requirements of the PCI-DSS, although about 85 percent of the companies complied with 85 percent of the controls, according to a report released on Feb. 6.

      “We continue to see many organizations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365-day-a-year focus,” Rodolphe Simonetti, managing director of the PCI practice for Verizon Enterprise Solutions, said in a statement.

      The Web site of Fazio Mechanical Services is currently down due to bandwidth issues, according to an error page.

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Careers

      SThree’s Sunny Ackerman on Tech Hiring Trends

      James Maguire - June 9, 2022 0
      I spoke with Sunny Ackerman, President/Americas for tech recruiter SThree, about the tight labor market in the tech sector, and much needed efforts to...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×