Experts question security used in Target breach

Security experts are asking whether a third-party vendor had too much access to Target's point-of-sale systems

The latest details from the Target breach investigation raise questions about the security the retailer had in place for third-party vendors accessing its partner portal and billing system.


In addition, the information uncovered by the blog KrebsOnSecurity revealed that the Target attack started with malware-carrying email used in a phishing attack against an outside vendor, which used a free version of anti-virus software for protection. More than 110 million consumers had credit card and personal data stolen in the breach of Target's electronic cash registers late last year.

Because the break-in started with an external vendor, security experts are asking whether that vendor had too much access to Target's systems and whether the retailer properly isolated the registers, called point of sale (POS) systems, from the rest of the network.

The hackers reportedly stole the login credentials of vendor Fazio Mechanical, a heating, air conditioning and refrigeration firm. Those credentials may have provided access to Target's external billing system, called Ariba, and its project management and contract submissions portal, called Partners Online, KrebsOnSecurity reported.

Such portals are usually separated from the rest of the corporate network to prevent malware from reaching sensitive information. Only highly skilled hackers could find a way around such network segmentation.

"Getting from a procurement portal to a cardholder data environment is a long road," Anton Chuvakin, analyst for Gartner, said.

KrebsOnSecurity reported that the Target portal might have been integrated with Microsoft software called Active Directory, which authenticates all logins to a Windows network. If the hackers broke into the directory, then they may have been able to find a way into other parts of the network.

Another possibility is Target gave the vendor too much access to the network, which could have been exploited by the hackers. If that's the case, then "the blame lies firmly with Target," Chuvakin said.

The Payment Card Industry Security Standards Council (PCI SSC), which sets standards retailers must follow in order to accept debit and credit cards, requires companies to limit and monitor network access to outside vendors. If Target were found to be in violation of PCI SSC rules, then the retailer would be liable for losses from the breach, as well as substantial fines.
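Limiting and monitoring vendor access, as the requirement above describes, is something a defender can check mechanically against authentication logs. The following added example is not Target's or any vendor's code: account names, host names and the log format are hypothetical, and it flags successful vendor logins to hosts outside the portals the account was provisioned for, rating a reach into the cardholder data environment or the Active Directory tier as high severity.

```python
# Added example, not Target's or any vendor's real configuration: flag successful
# logins by third-party vendor accounts to hosts outside the portals they were
# provisioned for. Account names, host names and the log format are hypothetical.
import re

# Hypothetical allow-list: each vendor account may reach only these hosts.
VENDOR_ALLOWED_HOSTS = {
    "vendor-hvac": {"partners-portal.example.net", "ariba-billing.example.net"},
}
# Hypothetical host-to-segment map; the cardholder data environment (cde) and
# the Active Directory tier (ad) are the segments a vendor must never reach.
HOST_SEGMENT = {
    "partners-portal.example.net": "dmz",
    "ariba-billing.example.net": "dmz",
    "dc01.corp.example.net": "ad",
    "pos-reg-0412.store.example.net": "cde",
}
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=\S+ dst=(?P<dst>\S+) result=(?P<result>\S+)")

def audit(log_lines):
    """Return (timestamp, user, dst, segment, severity) for each successful
    vendor login to a host outside that vendor's allow-list; non-vendor
    accounts and failed attempts are ignored."""
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue
        allowed = VENDOR_ALLOWED_HOSTS.get(m["user"])
        if allowed is None or m["dst"] in allowed:
            continue
        segment = HOST_SEGMENT.get(m["dst"], "unknown")
        severity = "high" if segment in ("cde", "ad") else "medium"
        alerts.append((m["ts"], m["user"], m["dst"], segment, severity))
    return alerts

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2013-11-15T10:22:01Z user=vendor-hvac src=203.0.113.10 dst=partners-portal.example.net result=success",
    "2013-11-15T10:40:17Z user=vendor-hvac src=203.0.113.10 dst=dc01.corp.example.net result=failure",
    "2013-11-15T10:41:03Z user=vendor-hvac src=203.0.113.10 dst=dc01.corp.example.net result=success",
    "2013-11-15T11:02:44Z user=vendor-hvac src=203.0.113.10 dst=pos-reg-0412.store.example.net result=success",
    "2013-11-15T11:05:00Z user=jdoe src=10.0.0.5 dst=pos-reg-0412.store.example.net result=success",
]

if __name__ == "__main__":
    for ts, user, dst, segment, severity in audit(SAMPLE_LOG):
        print(f"{ts} {severity.upper()}: {user} -> {dst} ({segment})")
```

Only the two successful vendor logins outside the allow-list are reported; the failed attempt and the employee login are left to other controls.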


While Fazio said earlier that it used "industry practices" for security, KrebsOnSecurity, quoting unnamed investigators in the Target breach, reported that the company's primary defense in stopping malicious software from entering its internal systems was the free version of Malwarebytes Anti-Malware.

This would cause two problems for Fazio. First, the free version is for consumer use only, which means using it in a business would violate Malwarebytes' license. Second, the free version does not provide real-time scanning of files for malware.

"Free AV as sole corporate malware defense is not an industry best practice," Chuvakin said.

Nevertheless, it's not unusual to find Malwarebytes in corporate environments, Peter Firstbrook, an analyst for Gartner, said.

"Malwarebytes is often in use in our big enterprise customers, but mostly for malware removal rather than a first line of defense," he said. "More traditional AV players like Symantec, McAfee, Trend Micro, Kaspersky and Sophos are more common."


In terms of being able to catch malware, free versions of AV software are often as effective as paid versions from the same vendor, because the signatures are the same.

"When it comes to free antivirus versus paid, it comes down to features the user wants, administration capabilities and frequency of updates," Candis Orr, senior security analyst for consulting firm Bishop Fox, said. "An enterprise level antivirus that one has to pay for will have all these features, while a free antivirus will be lacking in one or more areas."

Stories by Antone Gonsalves