Target credential theft highlights third-party vendor risk

Target's disclosure that credentials stolen from a vendor were used to break into its network and steal 40 million credit- and debit-card numbers highlights the fact that a company's security is only as strong as the weakest link in its supply chain.

No matter how strong Target's internal security was, if the breach started with a third-party vendor, then the weakness was in how the retailer managed the security risk all large companies face when partners and suppliers interact with their networks, experts say.

"Hackers have reached a new level of mastery and companies are really struggling," Torsten George, vice president of marketing and products at risk management vendor Agiliance, said. "They're putting a lot of effort in protecting their own networks, but how do you really go after your suppliers and vendors? How do you assess the risk in doing business with them?"

Many companies will send out questionnaires to new suppliers to get a description of the security of the systems that will be used to conduct business. The questionnaires will also cover the suppliers' security processes, including regular audits and penetration testing.

In addition, some companies will require some type of certification that suppliers' systems are secure and may even use a third party for penetration testing.

Unfortunately, the security check often happens only once.

"A lot of times, for the most part, that's where it ends. So, it's kind of a one-point-in-time type of view and they never look at it again," said Stephen Boyer, chief technology officer for BitSight Technologies, which measures companies' security effectiveness.

That kind of approach to supply chain security is changing, led by the financial services industry. Besides sending questionnaires out regularly, banks are hiring consultants to conduct security audits or hiring companies to monitor suppliers' systems for unusual traffic, experts say.

Outside of the banking industry, companies are becoming more aware of the importance of third-party risk management as they increasingly integrate their systems with cloud services, Renee Murphy, analyst for Forrester Research, said.

"The cloud made everybody think a little differently about their third parties, because that integration to that particular third party is drastic," Murphy said. "That made them rethink everything else that they were doing and now they're taking the whole thing a lot more seriously."

Beyond confirming the credential theft, Target provided no other details on how the information was stolen or which portal the hackers used to enter the retailer's network and eventually install malware in the company's electronic cash registers, called point-of-sale systems.

The blog KrebsonSecurity reported Tuesday that the hackers might have entered Target's network by breaking into an IT management software suite made by BMC Software. From there, the hackers might have moved laterally through the corporate network, eventually finding their way to the POS systems.

BMC has denied that its software was used in the break-in.

The hackers also managed to infect another system and steal personal data, such as email addresses and phone numbers, for 70 million people before Target shut down the breach on December 15, almost three weeks after the hackers planted malware in the POS systems.

The integration of so much technology in a large corporation makes it nearly impossible to plug every hole, Murphy said.

"The interconnectivity of this stuff makes it so supremely difficult to find (the vulnerability)," Murphy said.

So, a good risk management strategy would identify the most valuable information in an organization and regularly check the security in every system that could be used to gain access to that data, she said.
