Friday, February 14, 2014

Hack Stack

Retail giant Target was hacked late last year in a blow to holiday shoppers across the country.  Security investigators found out that the intrusion started with an HVAC contractor.  A reasonable computer user, who is routinely denied access to other people's secure systems, might ask what an outside company was doing with access like this.  Let's talk a bit about how large corporate systems are set up and how an attack can cascade like this through a supply chain.

Inter, Intra, and Extra

Most large companies' computer networks are set up in multiple zones.  The Internet zone holds customer-facing systems like company webpages, online shopping, and contact information.  These systems should only deal with low-security matters like presenting product information or collecting mailing addresses.  The Intranet zone is for internal use by employees.  A company's trouble ticketing system or employee computer-based training terminals are connected to this zone.  The Extranet is the most complicated zone to manage and secure.  This is where partner companies connect to your systems for more access than the Internet zone can provide, without being granted the employee-level access of an intranet user.

Extra, Extra, Extra

In Target's case, Fazio Mechanical Services had access credentials to Target's systems to support billing and work contracts when Fazio was hired to perform work on the HVAC systems at Target stores in the Mid-Atlantic region.
And, no, as a user of Target's extranet, Fazio's credentials should not have enabled them to upload to or in any way make contact with any part of Target's point of sale terminals.
Payment Card Industry (PCI) standards now come into play.  Companies which submit credit card payments are not required to build a separate network for payment and non-payment activities.  But outside users like contractors and vendors are required to use two-factor authentication to access a company's network.
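As an added illustration that is not part of the original post, here is a small Python policy checker that encodes the two rules described above for the zones and for contractor access: a partner account that lives in the Extranet zone may not open connections into any other zone, least of all a point-of-sale segment, and an outside user must present a second factor when authenticating.  The zone names, the account directory, the flow table and the log lines are all constructed for the example; none of it is Target's or Fazio's actual configuration or traffic.

```python
"""Zone-policy audit for third-party access (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Which zone may initiate connections into which zone.  Constructed policy,
# not any real retailer's configuration: partners stay inside the extranet,
# employees may reach inward-facing zones, and only POS systems talk to POS.
ALLOWED_FLOWS: Dict[str, Set[str]] = {
    "internet": {"internet"},
    "extranet": {"extranet"},
    "intranet": {"intranet", "extranet", "internet"},
    "pos": {"pos"},
}


@dataclass
class Account:
    name: str
    home_zone: str
    external: bool  # vendor or contractor rather than an employee


# Hypothetical account directory used by the example.
ACCOUNTS: Dict[str, Account] = {
    "hvac-vendor": Account("hvac-vendor", "extranet", external=True),
    "jdoe": Account("jdoe", "intranet", external=False),
    "pos-svc": Account("pos-svc", "pos", external=False),
}


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(account: Account, dest_zone: str, mfa_presented: bool) -> Verdict:
    """Apply both rules: outside users need a second factor, and an account
    may only reach zones its home zone is permitted to talk to."""
    reasons: List[str] = []
    if account.external and not mfa_presented:
        reasons.append("external account authenticated without a second factor")
    if dest_zone not in ALLOWED_FLOWS.get(account.home_zone, set()):
        reasons.append(f"flow {account.home_zone}->{dest_zone} not permitted")
    return Verdict(allowed=not reasons, reasons=reasons)


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value' access-log line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def audit(lines: List[str]) -> List[str]:
    """Return one finding per denied access event; an empty list means clean."""
    findings: List[str] = []
    for line in lines:
        f = parse_line(line)
        ts = f.get("ts", "?")
        account = ACCOUNTS.get(f.get("user", ""))
        if account is None:
            findings.append(f"{ts} unknown account {f.get('user')!r}")
            continue
        verdict = evaluate(account, f.get("dest", ""), f.get("mfa") == "yes")
        if not verdict.allowed:
            findings.append(f"{ts} {account.name}: " + "; ".join(verdict.reasons))
    return findings


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "ts=2014-02-14T09:00:00 user=hvac-vendor dest=extranet mfa=yes",
    "ts=2014-02-14T09:05:00 user=hvac-vendor dest=extranet mfa=no",
    "ts=2014-02-14T09:10:00 user=hvac-vendor dest=pos mfa=no",
    "ts=2014-02-14T09:15:00 user=jdoe dest=extranet mfa=yes",
    "ts=2014-02-14T09:20:00 user=jdoe dest=pos mfa=yes",
    "ts=2014-02-14T09:25:00 user=pos-svc dest=pos mfa=no",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the sample log, the checker flags the vendor login without a second factor, the vendor's attempt to reach the POS segment (which fails both rules at once), and an employee account reaching into POS from the intranet; the vendor's own in-zone extranet access with a second factor passes.  The point of keeping the flow table separate from the per-account data is that the segmentation decision does not depend on who the user is, only on which zone their account belongs to, so a compromised partner credential gains nothing outside its zone.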