Friday, February 7, 2014

Reflections on trusting Trust*

Target got hacked a while back, and millions of credit cards were compromised.  Now details are starting to come out about how the hack was executed.  The Bad Guys got into Target via a supplier who was monitoring their systems:
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
No, people are not hacking your refrigerator.  But they are hacking people who monitor refrigerators (and air conditioning, and that sort of thing).  This was a trusted supplier.  So how much should Target have trusted that the supplier was not hackable?
It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
Quite frankly, it's well known that HVAC systems are poorly protected.  The unpleasant little secret here is that it was less expensive for Target to outsource this sort of specialized monitoring.  It's likely that the monitored systems were not isolated from the main network because that would add cost and complexity.  In other words, Business Unit A outsourced to meet its cost goals, and IT refused to rearchitect to meet its cost goals.  And the Bad Guys had an open field to run on.

This is speculation, of course, but it shows that the most maddening security problems are not technical, but organizational.  If this is how Target got hacked, it looks like they are in a very poor position regarding due diligence, or maybe even negligence.

* Post title shamelessly stolen from one of the most significant security papers ever given.


Dave H said...

I can see wanting to outsource environmental monitoring, for the same reason you'd hire ADT to monitor your home security system - it's a darned sight cheaper than hiring a night watchman. But I wouldn't hand ADT the keys to my house or my debit card PIN.

Chris Byrne said...

Phonehome systems have been a security problem for decades now. Unfortunately, it's very difficult to get clients to do anything about it.

Maybe this will help change their minds.

Chris Byrne said...

Oh and it's not just a matter of negligence.

Target has clearly violated multiple provisions of the PCI data security standards, in several ways, which are immediately obvious. They would also have been immediately obvious to anyone signing off on an audit report.

Target has undergone multiple PCI audits since the partner connection has been in place.

At least once per year, multiple senior managers have signed documents certifying that policies and controls were in place and being followed, and that they were effective controls.

It is VERY clear that no attempt was ever made to implement policies and controls in multiple areas of risk or vulnerability; and yet for years, they signed legal documents attesting they were.

That's not just negligence, it's deliberate fraud and malfeasance.

Target is in for some VERY large fines, massive lawsuits, and they will likely lose their merchant accounts entirely; having to process cards through a third party processor (MUCH higher fees on every card transaction).

Divemedic said...

I had my own security breach this week. I am not sure how much damage has been done, or what else is vulnerable.