Recent reports indicate that unauthorized persons gained access to Target’s network using credentials stolen from a contractor that serviced Target’s refrigeration, heating, ventilation and air conditioning systems. The ongoing investigation will have to determine whether this was the root cause of the Point-of-Sale (POS) malware, or was a parallel attack. Whichever it turns out to be, it is clear that you should take steps to ensure that any access you provide for vendors cannot be abused or misused.
Kroll has seen cases that are not dissimilar. In one example, we were engaged to conduct a vendor-neutral review of a company’s data security, and in the course of our penetration testing, we determined that there was an external Internet-based connection to a company that had been engaged to install and maintain a network of security sensors and cameras. This network of cameras, controllers and digital recorders, which ran over the company’s corporate IT network, primarily allowed on-site security personnel to observe the camera images, steer the cameras, respond to alarms, and to control the recording of camera images.
The vendor had the ability to log into the network to maintain the camera software and diagnose problems with the security systems. We determined that there were some significant issues.
- First, when the access account had been provisioned for the security vendor, it wasn’t assigned to an individual, but to the vendor so that anyone could use it.
- It was provisioned with an initial and trivial default password, and there was no requirement that the password be changed. In fact, we learned that it was known to a number of employees (and former employees) of the vendor.
- There was no test in place to see if the vendor’s log-in came from a known IP address associated with the vendor.
- There was no audit to see if the access using the vendor’s account was reasonable – something the company’s facilities manager could easily have done.
- The vendor was not required to maintain security controls equivalent to those of the company.
- Finally, once in the network, an intruder with those security company credentials could pivot and reach parts of the network unrelated to the security system.
Increasing Convergence, Increasing Risk?
Over the past few years, there has been recognition of the advantages of running multiple systems over a single IP network. As network speeds have increased, it has made sense not to run parallel networks for infrastructural elements like security, environmental management and similar support systems. But we have found that in many cases, the security issues relating to these systems are not well understood, since it seems like they just use the network for data transport. Of course, as real-world cases demonstrate, it isn’t that simple.
These infrastructure support systems must often be accessed by vendors as well as company personnel. Even for company personnel, there may be a need for remote access to respond to off-hour emergencies. As a result, many of these systems must be accessible online from outside the company. That leads to the issue of authentication. Who has the access? How is it authenticated? Are access credentials tied to an individual, or are they just supplied to a vendor for anyone to use? Are strong passwords required, and have they been changed recently? Is account usage subject to audits?
The other issue is connectivity. Are the users of these accounts (particularly vendor accounts where they don’t need access to other company online resources) limited to the specific level of access they require? Are they limited to accessing the specific devices and applications they need, or is it just assumed that’s what they will do?
Isolation between systems is sometimes more assumed than proved, and for systems involved in site security or environmental protection, which are sometimes considered peripheral to IT’s primary missions, security and identity management have not been top-of-mind.
This is nothing new. There are instances on record where government classified systems were found to have undocumented links to non-classified systems, and these allowed malware to spread from unclassified systems into a classified environment, and to send highly sensitive information to foreign cyber-spies.
Managing IP convergence risk
The clear message is that as an IT or compliance professional, you can’t ignore any systems that are using your network for data transmission and remote computing. Our experience is that you should consider the following steps:
- Identify all of the systems that are using your network for any purpose. This should include environmental, energy management, security and alarm devices, and anything else that connects to your network.
- For each, determine who uses it, and whether it is accessible remotely via the Internet.
- Identify each user account that accesses those systems. Each should be tied to a particular individual, and you should record how each account is authenticated and how often its password is changed. We strongly recommend 2-factor authentication to minimize the option for the vendor to circulate a simple password to multiple people.
- For non-employee users, determine which users can and can’t get into your network.
- Determine how the requirement to protect account credentials and to notify you of personnel changes is written into your contract with the vendor.
- Determine if any application run by a vendor has passwords, and whether those have been changed from default values.
- Determine if any application run by a vendor is updated, and how such updates are made.
- Working with your risk manager, determine if there are insurance issues with vendor access, or whether the vendor should provide proof of insurance to protect you if their failure results in a data breach situation.
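The audit that the camera-vendor findings and this checklist call for can be partly automated. The following is an added example, not Kroll’s code or any product’s: it reads constructed authentication log lines for a shared vendor account and flags logins that do not match the vendor’s declared source address ranges, fall outside the agreed maintenance window, or reach hosts unrelated to the system the vendor maintains. The log format, the `VendorPolicy` fields and all addresses and host names are assumptions for illustration.

```python
"""Added example (not Kroll's code): audit a vendor account's logins against
a declared policy. Assumes constructed log lines shaped like
"<ISO timestamp> src=<ip> user=<account> dst=<host> result=<ok|fail>"."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class VendorPolicy:
    account: str
    source_ranges: list                       # CIDRs the vendor says it connects from
    hours: tuple = (8, 18)                    # permitted local hours [start, end)
    hosts: set = field(default_factory=set)   # systems the vendor is contracted to maintain


def parse_line(line):
    """Split one log line into a timestamp and a dict of key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def audit(lines, policy):
    """Return (src, dst, [reasons]) for every successful login that is out of policy.
    Failed attempts are skipped here; they belong in a separate brute-force check."""
    findings = []
    nets = [ip_network(n) for n in policy.source_ranges]
    for line in lines:
        when, f = parse_line(line)
        if f["user"] != policy.account or f["result"] != "ok":
            continue
        reasons = []
        if not any(ip_address(f["src"]) in n for n in nets):
            reasons.append("unknown source address")
        if not policy.hours[0] <= when.hour < policy.hours[1]:
            reasons.append("outside maintenance window")
        if f["dst"] not in policy.hosts:
            reasons.append("host unrelated to vendor's system")
        if reasons:
            findings.append((f["src"], f["dst"], reasons))
    return findings


# Constructed sample log: one in-policy login and two that need review.
SAMPLE_LOG = [
    "2014-02-03T10:15:00 src=203.0.113.20 user=camvendor dst=cam-ctl-01 result=ok",
    "2014-02-03T23:40:00 src=198.51.100.7 user=camvendor dst=cam-ctl-01 result=ok",
    "2014-02-04T11:05:00 src=203.0.113.21 user=camvendor dst=finance-db-01 result=ok",
]
POLICY = VendorPolicy("camvendor", ["203.0.113.0/24"], hosts={"cam-ctl-01", "dvr-01"})
```

Running `audit(SAMPLE_LOG, POLICY)` reports the night-time login from an unknown address and the daytime login that reached a finance host, which is exactly the kind of review the facilities manager in the case above could have performed.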
Every system represents some risk, but systems you do not deal with on a regular basis, and which may be largely or entirely operated by outside vendors, deserve particular attention: every such system connected to your network, and above all those that can be reached from the global Internet, represents a potentially significant security issue. Given our experience and the evidence that the intrusion into Target’s network used misappropriated vendor remote-access credentials, this should be a high-priority issue for every company.