BreachExchange mailing list archives

Target credential theft highlights third-party vendor risk
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Feb 2014 18:52:19 -0700

http://www.infoworld.com/d/security/target-credential-theft-highlights-third-party-vendor-risk-235530

Target's disclosure that credentials stolen from a vendor were used to
break into its network and steal 40 million credit- and debit-card numbers
highlights the fact that a company's security is only as strong as the
weakest link in its supply chain.

No matter how strong Target's internal security was, if the breach started
with a third-party vendor, then the weakness was in how the retailer
managed the security risk all large companies face when partners and
suppliers interact with their networks, experts say.

"Hackers have reached a new level of mastery and companies are really
struggling," Torsten George, vice president of marketing and products at
risk management vendor Agiliance, said. "They're putting a lot of effort in
protecting their own networks, but how do you really go after your
suppliers and vendors? How do you assess the risk in doing business with
them?"

Many companies will send out questionnaires to new suppliers to get a
description of the security of the systems that will be used to conduct
business. The questionnaires will also cover the suppliers' security
processes, including regular audits and penetration testing.

In addition, some companies will require some type of certification that
suppliers' systems are secure and may even use a third party for
penetration testing.

Unfortunately, the security check often happens only once.

"A lot of times, for the most part, that's where it ends. So, it's kind of
a one-point-in-time type of view and they never look at it again," said
Stephen Boyer, chief technology officer for BitSight Technologies, which
measures companies' security effectiveness.

That kind of approach to supply chain security is changing, led by the
financial services industry. Besides sending questionnaires out regularly,
banks are hiring consultants to conduct security audits or hiring companies
to monitor suppliers' systems for unusual traffic, experts say.

Outside of the banking industry, companies are becoming more aware of the
importance of third-party risk management as they increasingly integrate
their systems with cloud services, Renee Murphy, analyst for Forrester
Research, said.

"The cloud made everybody think a little differently about their third
parties, because that integration to that particular third party is
drastic," Murphy said. "That made them rethink everything else that they
were doing and now they're taking the whole thing a lot more seriously."

Beyond confirming the credential theft, Target provided no other details on
how the information was stolen or which portal the hackers used to enter
the retailer's network and eventually install malware in the company's
electronic cash registers, called point-of-sale systems.

The blog KrebsonSecurity reported Tuesday that the hackers might have
entered Target's network by breaking into an IT management software suite
made by BMC Software. From there, the hackers might have moved laterally
through the corporate network, eventually finding their way to the POS
systems.

BMC has denied that its software was used in the break-in.

The hackers also managed to infect another system and steal personal data,
such as email addresses and phone numbers, for 70 million people before
Target shut down the breach Dec. 15, almost three weeks after the hackers
planted malware in the POS systems.

The integration of so much technology in a large corporation makes it
nearly impossible to plug every hole, Murphy said.

"The interconnectivity of this stuff makes it so supremely difficult to
find (the vulnerability)," Murphy said.

So, a good risk management strategy would identify the most valuable
information in an organization and regularly check the security in every
system that could be used to gain access to that data, she said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com