written by Chris Griesemer

Is your company vulnerable to attacks? Do you know what security questions to ask your vendors? How do you keep your computers up to date? Over the next few months, we will answers these questions and more with a series of articles on how to keep your company and yourself safe and secure.

This month we will review a case study on the Target breach and also discuss vendor management. In January we will examine The Onion breach and importance of using unique passwords. Click here to read the November article about How to Outsmart Hackers.

Although other big companies have been hacked recently, the Target data breach really hit a nerve in the security community. We wondered how this could happen to a company that pours millions of dollars into their security. Let’s take a closer look at what we know and what we can learn from this breach.

Timeline
In May 2013, Target purchased a product called FireEye for 1.6 million dollars. FireEye analyzes a network and is always on the lookout for behaviors associated with hacking. When it discovers questionable activity it notifies a monitoring group that in turn contacts the company (in this case Target) and informs them of the potential threat.

On November 27th, hackers started collecting credit card data in 1,797 US Target stores. On Nov 30th, FireEye detected the malware activity and notified Target. Target security personnel looked at the potential threat and decided to do nothing about it. A couple of days later, Symantec Endpoint Protection identified suspicious behavior and sent alerts to Target. Again, Target security personnel did nothing. On December 12th, Federal Law enforcement notified Target they were seeing suspicious activity. Target hired an independent team to run an investigation.

On December 15th, Target confirmed they had been hacked and removed the malware. On December 19th, Target issued a public statement. According to Businessweek.com, this data breach is estimated to cost Target 1 Billion dollars. In May 2014, CEO Gregg Steinhafel stepped down.

How did it happen?
Big retail companies with thousands of stores will have a third party vendor routinely monitor energy consumption and temperature in stores to find the most efficient settings in order to save the company money. By adjusting the temperature one or two degrees in 1,700 stores, there is a potential to save thousands to millions of dollars. It is believed this HVAC vendor was given remote access with administration credentials to the network. There is a possibility these credentials were stolen.

What can we learn?
Make sure you know who your third party vendors are and consider the following items as other best practices with your vendors:

  • There should be contracts that explain the roles of the vendor and the roles of the business.
  • If a vendor does need to have remote access, make sure there are proper controls in place. They should never have more access than they need.
  • There should also be restrictions on when the vendor can remote into the system. A good policy is to have the vendor call and ask for permission to log in remotely. This way the business can control when the vendor can log in and for how long.
  • Do not allow vendors to have domain Admin usernames and passwords.
  • If you need to give a vendor administrative rights, create a new username and password for that vendor. Never use the existing Domain Administrators username and password. By creating a new username and password, the company administrator can disable the account when it is not being used.
  • At least quarterly review all usernames on the network and make sure new names have not been created.

Conclusion
Most companies do not have an HVAC vendor to monitor their energy consumption. However, most companies do have relationships with third party vendors needing access to their building and possibly the computer system from time to time. From physical access into the building to logical access on the network, it is important to make sure controls are in place to protect the company and vendors do not have free reign over your network. A review of those controls to make sure they are working is also recommended. If you have any questions about controls or security in general, please don’t hesitate to email or call Chris Griesemer at cgriesemer@whitlockco.com or 417.881.0145.