Brian Krebs, intrepid chronicler of the Target breach, has uncovered yet another cog in the criminal gearbox behind Target’s data disaster.
We already think we know how the cybercriminals moved data around once they were inside the network.
That part of the attack used a shabbily-coded service process with a hardwired password – as we discussed in the latest Chet Chat podcast. (If you listen below, the Target piece starts at 8’49”.)
But Krebs’s latest article provides a likely-sounding explanation of how the criminals breached the network in the first place.
Rather casually oversimplified, the crooks tailgated the cleaners.
Actually, that wasn’t what happened – neither literally, of course, because the crooks did their dirty work remotely; nor figuratively, because it was supposedly an HVAC company (heating, ventilation and air conditioning), not a cleaning company.
Nevertheless, it was tailgating of a sort, and it might well be a slip-up that could happen in your own organisation.
Having said that, my first thought, on reading Brian’s piece, was that his explanation sounded preposterous.
Why would someone who maintains your aircon need remote access to your network?
Emergency access to the server room, perhaps, to tweak the settings on the plant itself if there’s a snowstorm (or a heatwave) between Christmas and New Year.
But remote access to your whole corporate network?
It turns out, however, that heating and cooling in retail stores aren’t just important services: they’re as vital to opening for business, and taking money off customers, as your cash registers.
More vital, perhaps: if your cash registers are offline at 2am when no-one is shopping, you won’t lose any sales, but if your air conditioning gets out of whack overnight, you might not be able to admit customers to your store at all in the morning.
Apparently, therefore, many HVAC companies have remote access to retail company networks in order to keep their eye out for heating and cooling problems.
That needn’t be a recipe for disaster, but in Target’s case, it sounds as though:
- The third-party company wasn’t required to use any sort of two factor authentication.
- The network used by the third-party company and the network used for retail payments weren’t segregated.
→ Note. Brian Krebs has published an update from the third-party in which the company states that it did not provide HVAC services to Target. Rather, it enjoyed remote access “exclusively for electronic billing, contract submission and project management.” We’re not sure whether that makes lapses (1) and (2) easier or harder to forgive.
If you’re going to let outsiders onto your network, especially if you are admitting them for a specific purpose, rather than as part of a general network management project, you simply can’t afford not to apply the “divide and conquer” principle.
After all, just as you don’t want the aircon guy installing unknown software on your cash registers, you don’t want the payment card chaps messing with your heating and cooling systems, either.
One commonly-heard objection to “divide and conquer” is that it can be complicated and expensive, and makes rapid response harder in an IT emergency.
What you need to watch out for, though, is that by making emergency response easier, you don’t make things easier for intruders at the same time.
If you do, you make it paradoxically more likely that you’ll end up with an emergency to respond to…