Q&A: HVAC firm’s logon used in Target breach

By Byron V. Acohido

SEATTLE – In his latest scoop, investigative blogger Brian Krebs makes the case that the Target vendor whose network credentials were used to tap into 110 million customer accounts may have been a heating, ventilation and air conditioning (HVAC) contractor.

Krebs reports that intruders accessed Target’s network on Nov. 15, 2013 using network credentials stolen from a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.


CyberTruth asked Boatner Blankenstein, senior director of solutions engineering at enterprise software vendor Bomgar; Jeff Swearingen, CEO of SecureLink; and Dr. Lance Larson, information systems professor at San Diego State University, to outline the implications.

CT: Is it surprising that an HVAC vendor had credentials that could get someone into Target’s point-of-sale systems?

Swearingen: It’s surprising but understandable. A large data center environment may have thousands of applications that work together, so enabling access to one application server may accidentally open a door to another.

Larson: Access control and environmental monitoring systems now routinely integrate air conditioning, door access control systems, and fire and police alarm systems into one so-called smart system.

CT: What are other examples of this sort of access routinely given to partners and contractors?

Blankenstein: Software manufacturers that support their applications need access. This could include vendors who sell time card systems, multi-function printers and copiers, or medical records software. A big retailer needs vendors to regularly monitor, patch and update their software.

Swearingen: Software vendors, contractors and other third parties are frequently given access to privileged, or administrative, accounts. This type of access is very different from the access you give to your employees, but it is all too frequently managed the same way. Your employee can view a sales report. Your vendor can copy a database.

CT: Will companies have to tighten down?

Blankenstein: There are things companies should do to prevent this type of event. Require vendors to use a remote access solution that limits access to individual applications or servers, rather than giving them open VPN access. Use two-factor authentication to access your network. And capture a secure audit trail of any activity that vendor conducts.

Larson: Network segmentation would only give network users access to the network areas they need to do their job. And least privileged access is the understanding that a network administrator only gives a user the permissions required to do their job.
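The controls Blankenstein and Larson describe above (per-server vendor access instead of open VPN access, a second factor, an audit trail, and segmentation with least privilege) can be expressed as a small policy check. The following is an added illustration written for this article; it is not code from CyberTruth, Bomgar, SecureLink or Target. The segments, addresses, vendor names and grants are constructed for the example and do not describe Target’s real network.

```python
"""Vendor remote-access policy check with a tamper-evident audit trail.

Added illustration (not code from CyberTruth, Bomgar, SecureLink or Target).
A vendor account may reach only the segment and port it was granted, every
attempt must carry a second factor, and every decision is appended to a
hash-chained audit log so later edits to the log are detectable.
All hosts, segments and vendor names below are constructed for the example.
"""
import hashlib
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed network segments (assumed addressing, not a real layout).
SEGMENTS = {
    "building-mgmt": ipaddress.ip_network("10.20.0.0/24"),  # HVAC / BMS
    "pos":           ipaddress.ip_network("10.30.0.0/24"),  # point of sale
    "corp":          ipaddress.ip_network("10.10.0.0/16"),  # office users
}

# Least-privilege grants: vendor -> {(segment, port), ...}.
# The HVAC vendor gets HTTPS to the building-management segment and nothing else.
GRANTS = {
    "hvac-vendor": {("building-mgmt", 443)},
    "pos-vendor":  {("pos", 22)},
}


def segment_of(ip: str):
    """Return the name of the segment containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    # Most specific prefix first so a /24 wins over an enclosing /16.
    for name, net in sorted(SEGMENTS.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return None


@dataclass
class AuditLog:
    """Append-only log; each record commits to the hash of the previous one."""
    records: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def append(self, event: dict) -> str:
        body = json.dumps({**event, "prev": self.last_hash}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.records.append((body, digest))
        self.last_hash = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any altered or reordered record breaks it."""
        prev = "0" * 64
        for body, digest in self.records:
            if hashlib.sha256(body.encode()).hexdigest() != digest:
                return False
            if json.loads(body)["prev"] != prev:
                return False
            prev = digest
        return True


def authorize(vendor: str, dst_ip: str, dst_port: int, mfa_ok: bool, log: AuditLog) -> bool:
    """Decide one vendor connection attempt and record the decision."""
    seg = segment_of(dst_ip)
    if not mfa_ok:
        decision, reason = "deny", "second factor not presented"
    elif seg is None:
        decision, reason = "deny", "destination outside any known segment"
    elif (seg, dst_port) in GRANTS.get(vendor, set()):
        decision, reason = "allow", f"granted {seg}:{dst_port}"
    else:
        decision, reason = "deny", f"no grant for {seg}:{dst_port}"
    log.append({"vendor": vendor, "dst": f"{dst_ip}:{dst_port}", "segment": seg,
                "mfa": mfa_ok, "decision": decision, "reason": reason})
    return decision == "allow"


def demo():
    """Three constructed attempts by the HVAC vendor account."""
    log = AuditLog()
    results = [
        authorize("hvac-vendor", "10.20.0.15", 443, True, log),   # in scope: allow
        authorize("hvac-vendor", "10.30.0.7", 443, True, log),    # POS segment: deny
        authorize("hvac-vendor", "10.20.0.15", 443, False, log),  # no second factor: deny
    ]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for body, digest in log.records:
        print(digest[:12], body)
    print("decisions:", results, "log intact:", log.verify())
```

The point of the hash chain is that the audit trail Blankenstein asks for is only useful if the vendor (or an intruder holding the vendor’s credentials) cannot quietly edit it afterwards; `verify()` fails on any altered record. The segment lookup is what turns Larson’s segmentation into an enforceable rule: a grant names a segment and port, so the same account that is allowed into building management is refused at the point-of-sale range.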
