Recent reports indicate that unauthorized persons gained access to Target’s network using credentials stolen from a contractor that serviced Target’s refrigeration, heating, ventilation and air conditioning systems. The ongoing investigation will have to determine whether this was the root cause of the Point-of-Sale (POS) malware infection or a parallel attack. Whichever it turns out to be, it is clear that you should take steps to ensure that any access you provide to vendors cannot be abused or misused.
Kroll has seen cases that are not dissimilar. In one example, we were engaged to conduct a vendor-neutral review of a company’s data security, and in the course of our penetration testing, we determined that there was an external Internet-based connection to a company that had been engaged to install and maintain a network of security sensors and cameras. This network of cameras, controllers and digital recorders, which ran over the company’s corporate IT network, primarily allowed on-site security personnel to observe the camera images, steer the cameras, respond to alarms, and to control the recording of camera images.
The vendor had the ability to log into the network to maintain the camera software and diagnose problems with the security systems. We determined that there were some significant issues.
- First, when the access account had been provisioned for the security vendor, it wasn’t assigned to an individual but to the vendor as a whole, so that anyone at the vendor could use it.
- It was provisioned with an initial and trivial default password, and there was no requirement that the password be changed. In fact, we learned that it was known to a number of employees (and former employees) of the vendor.
- There was no test in place to see if the vendor’s log-in came from a known IP address associated with the vendor.
- There was no audit to see if the access using the vendor’s account was reasonable, something the company’s facilities manager could easily have done.
- The vendor was not required to maintain security controls equivalent to those of the company.
- Finally, once in the network, an intruder with those security company credentials could pivot and reach parts of the network unrelated to the security system.
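As an added example, not from the article or from Kroll's own tooling, here is the kind of audit the third and fourth findings above say was missing: a Python check over constructed log lines that flags vendor-account logins from addresses outside the vendor's stated ranges, logins outside the agreed maintenance window, and days on which the single shared credential was used from several addresses. The account name, address ranges, log format and hours are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample authentication-log lines (not real data).
SAMPLE_LOG = """\
2014-01-10T09:12:03 sshd accepted password for cctv-vendor from 203.0.113.17
2014-01-10T09:40:51 sshd accepted password for cctv-vendor from 203.0.113.22
2014-01-11T02:17:44 sshd accepted password for cctv-vendor from 198.51.100.9
2014-01-11T02:19:02 sshd accepted password for cctv-vendor from 203.0.113.17
2014-01-12T14:05:10 sshd accepted password for jsmith from 10.0.0.5
"""

VENDOR_ACCOUNT = "cctv-vendor"                               # assumed account name
VENDOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed: ranges the vendor says it uses
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))               # assumed: contractually agreed hours

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd accepted password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def audit_vendor_logins(log_text):
    """Return (timestamp, ip, reason) findings for successful vendor-account logins."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != VENDOR_ACCOUNT:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in VENDOR_NETWORKS):
            findings.append((ts, str(ip), "source IP not in vendor allowlist"))
        if not (MAINTENANCE_WINDOW[0] <= ts.time() <= MAINTENANCE_WINDOW[1]):
            findings.append((ts, str(ip), "login outside maintenance window"))
    return findings


def distinct_sources_per_day(log_text):
    """Map each date to the set of source IPs that used the vendor account.
    Several addresses on one day suggest the one credential is being shared."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("user") == VENDOR_ACCOUNT:
            per_day[m.group("ts")[:10]].add(m.group("ip"))
    return dict(per_day)
```

Run against the sample, the audit reports three findings (one unknown source address, two out-of-hours logins) and shows the account used from two different addresses on each of the first two days.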
Increasing convergence, increasing risk?
Over the past few years, there has been recognition of the advantages of running multiple systems over a single IP network. As network speeds have increased, it has made sense not to run parallel networks for infrastructural elements like security, environmental management and similar support systems. But we have found that in many cases, the security issues relating to these systems are not well understood, since it seems like they just use the network for data transport. Of course, as real-world cases demonstrate, it isn’t that simple.
Read the rest of this article on Net-Security.org