Commentary
2/10/2014 10:00 AM
Lori MacVittie

Target Breach Takeaway: Secure Your Remote Access

Yes, attackers could use stolen credentials to get into your systems from a distance. But slamming the door is not the answer.

Fallout from the Target breach continues to rack up as more details are revealed. The latest revelations focus on how the attackers gained the access necessary to plant the malware responsible for capturing millions of consumers' sensitive financial information: remote access using stolen credentials.

The consensus on a local radio station show I recently heard was that Target -- and others -- should reconsider whether they should continue to allow remote access. After all, no remote access, no security breach, right?

Let’s not be too hasty. Certainly, it behooves us to review how we support remote access for employees, partners, and contractors alike, to figure out whether, as with the Target breach, miscreants who obtain the proper credentials would also be authorized to access internal systems and networks.

The real questions every organization that supports remote access should be asking are not around whether such technologies pose a significant security risk. They’re around whether the policies those technologies act on pose a significant security risk.

An audit of your remote access policies is certainly in order. Such audits should be performed at least annually, if not every six months -- and not on an ad hoc basis as a reaction to someone else’s bad luck.

The percentage of respondents to our 2013 Strategic Security Survey who say controlling remote access is a problem jumped 11 points year-over-year.

There are three key areas to consider when auditing remote access policies:

1. Set boundaries. Business stakeholders should document exactly which applications and systems are vital to each remote user. A person who needs access to only two or three applications should not be allowed to roam around the network. Limit access to only what is required -- no more, no less. This is one area where you can use the Target example to your advantage, to light a fire under stakeholders.

2. Trust but verify. Evaluate how users are authorized. While login credentials are common, the Target breach shows us they can be compromised. If a username and password are the only means used to verify authenticity of a remote user, disaster awaits. Consider additional means of verifying remote users -- two-factor authentication at minimum.

3. Detect anomalies. Fraud detection has long used device (platform) and location changes as possible indicators of attempted fraudulent access using valid credentials. Investigate the ability of your remote access system to support detection of such anomalies and incorporate that into your authentication and authorization processes. Emerging technologies, such as browser fingerprinting, which aims to uniquely identify a browser from among millions of other browsers, can help identify attempts to fraudulently use valid credentials.

As attackers become more sophisticated, so too must security technology. Incorporating heuristic analysis of user behavior and location is on the cusp of providing better security through more trustworthy means of verifying the authenticity of the user behind the credentials.  

Any service that's made available to the public Internet is going to pose a security risk. The key to avoiding a breach is to ensure that policies driving authorization to those services are able to make decisions in the context that requests are made.
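The three audit areas above, and the point that authorization decisions should be made in the context of the request, can be expressed as a small policy. The following is an added example, not code from the article or from any product; the account names, application names, fingerprints and baselines are constructed, and the rule that an unfamiliar device or location with otherwise valid credentials triggers a step-up check rather than an outright grant is an assumption of the example.

```python
"""Context-aware remote-access authorization (added example, constructed data).

Applies the three audit areas from the article: (1) per-account scope,
(2) a second factor in addition to the password, (3) device/location
anomaly detection folded into the access decision.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# (1) Set boundaries: each remote account gets exactly the applications its
# business owner documented. Constructed sample data.
ACCESS_SCOPE: Dict[str, Set[str]] = {
    "hvac-contractor": {"building-controls", "hvac-ticketing"},
    "finance-analyst": {"erp", "reporting"},
}

# (3) Detect anomalies: devices and countries previously seen per account
# (constructed; a real deployment would build this from prior sessions).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "hvac-contractor": {"devices": {"fp-a1b2"}, "countries": {"US"}},
    "finance-analyst": {"devices": {"fp-c3d4"}, "countries": {"US"}},
}


@dataclass
class AccessRequest:
    user: str
    application: str
    password_ok: bool          # result of the first-factor check
    second_factor_ok: bool     # result of the second-factor check
    device_fingerprint: str    # e.g. a browser/device fingerprint
    country: str               # e.g. from IP geolocation


@dataclass
class Decision:
    outcome: str                                   # "allow", "deny" or "step_up"
    reasons: List[str] = field(default_factory=list)
    anomalies: List[str] = field(default_factory=list)


def authorize(req: AccessRequest) -> Decision:
    """Evaluate one remote-access request in the context it was made."""
    reasons: List[str] = []
    anomalies: List[str] = []

    scope = ACCESS_SCOPE.get(req.user)
    if scope is None:
        return Decision("deny", ["unknown account"])

    # (1) Boundaries: a valid login still cannot reach an out-of-scope application.
    if req.application not in scope:
        reasons.append(f"{req.application} is outside the account's documented scope")

    # (2) Trust but verify: a password alone is never sufficient.
    if not req.password_ok:
        reasons.append("password check failed")
    if not req.second_factor_ok:
        reasons.append("second factor missing or failed")

    # (3) Anomalies: compare device and location with the account's baseline.
    base = BASELINE.get(req.user, {"devices": set(), "countries": set()})
    if req.device_fingerprint not in base["devices"]:
        anomalies.append("new device")
    if req.country not in base["countries"]:
        anomalies.append("new location")

    if reasons:
        return Decision("deny", reasons, anomalies)
    if anomalies:
        # Valid credentials from an unfamiliar device or place: require an
        # out-of-band confirmation before granting access (assumed policy).
        return Decision("step_up", ["anomaly detected"], anomalies)
    return Decision("allow", [], [])


def audit_log_line(req: AccessRequest, d: Decision) -> str:
    """One line per decision so the SOC can see denials and anomalies."""
    return (f"user={req.user} app={req.application} outcome={d.outcome} "
            f"reasons={'|'.join(d.reasons) or '-'} "
            f"anomalies={'|'.join(d.anomalies) or '-'}")


if __name__ == "__main__":
    samples = [  # constructed requests
        AccessRequest("hvac-contractor", "building-controls", True, True, "fp-a1b2", "US"),
        AccessRequest("hvac-contractor", "pos-checkout", True, True, "fp-a1b2", "US"),
        AccessRequest("finance-analyst", "erp", True, False, "fp-c3d4", "US"),
        AccessRequest("finance-analyst", "erp", True, True, "fp-zz99", "RO"),
    ]
    for r in samples:
        print(audit_log_line(r, authorize(r)))
```

The second sample is the case the article is about: stolen but valid credentials for a contractor account are denied at the authorization step because the requested application is outside that account's documented scope, independent of whether the login itself succeeded. The fourth shows valid credentials from a new device and country producing a step-up rather than a silent allow.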


Lori MacVittie is a subject matter expert on cloud computing, cloud and application security, and application delivery and is responsible for education and evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience ...

Comments
hho927
User Rank: Moderator
2/10/2014 | 12:08:22 PM
Lack of security at Target
You hit it on the head. Target can blame no one but itself. Why was an HVAC account allowed to install software? This account should have had only read access. Why could an HVAC account access POS? First, Target gave too much privilege to that account, and there was no security audit at Target. Target simply sux. They should fire their IT dept.
majenkins
User Rank: Ninja
2/10/2014 | 1:25:01 PM
Re: Lack of security at Target
Fire the IT department????????? The entire IT department did not make the decisions that allowed the access you describe. In fact, it may not have been anyone in IT that did. Often business users, managers, override the controls that IT wants to put in place.
hho927
User Rank: Moderator
2/10/2014 | 2:02:28 PM
Re: Lack of security at Target
I work in IT. I know some IT people lack security training or are simply lazy. They just want to make it work, always trying to take the easy route. The easy way is giving full access to accounts.

Why was an HVAC account allowed to access POS systems? Plus permission to install software? It has no role in that area.

If you work in IT, you have the right to say no. My managers often whine about access. I simply say no. If you have no role in that area, why would I give you access?
majenkins
User Rank: Ninja
2/10/2014 | 2:06:53 PM
Re: Lack of security at Target
I work in IT also, and if the executives in your company never override your decisions on things like this, then you work for an unusual company, in my experience and based on my discussions with other IT people at other companies.
rradina
User Rank: Ninja
2/11/2014 | 10:31:06 AM
Re: Lack of security at Target
I don't know the details. Did they use the HVAC account to do all that, or did the HVAC account enable them to penetrate the perimeter defenses? Once inside, did they then leverage privilege escalation vulnerabilities in unpatched systems?
Marilyn Cohodas
User Rank: Author
2/11/2014 | 1:48:50 PM
Re: Lack of security at Target --details!
Mat Schwartz, quoting unnamed sources cited by journalist Brian Krebs, reported in InformationWeek on 2/6:

"...investigators now believe that Target's attackers first accessed the retailer's network on November 15, 2013, using access credentials that they'd stolen from Fazio Mechanical Services. Theoretically, those access credentials allowed attackers to gain a beachhead inside Target's network, and from there access and infect other Target systems, such as payment processing and point-of-sale (POS) checkout systems."

It's a good read. You can check it out here: http://www.informationweek.com/security/attacks-and-breaches/target-breach-hvac-contractor-systems-investigated/d/d-id/1113728.

edyang73
User Rank: Strategist
2/10/2014 | 1:57:59 PM
Tokenizing individual data
While credit card numbers have been tokenized for encryption, there's now the ability to tokenize individual pieces of data far beyond just 16 digits, all the way to files MB and GB in size. This means even if a server is breached, it's mathematically impossible to break the individual MicroTokenized files.

http://multichannelmerchant.com/ecommerce/mass-retail-data-breaches-can-now-prevented-certainstores-microencryption-27012014/#_
Laurianne
User Rank: Author
2/10/2014 | 2:28:58 PM
Security Leverage
"This is one area where you can use the Target example to your advantage, to light a fire under stakeholders." This will be a time to pick your battles and use your leverage from this incident, certainly. In what other areas is the Target incident helping you make security arguments, readers?
David F. Carr
User Rank: Author
2/10/2014 | 3:46:10 PM
2-factor or more factor
Lori,

What approach do you recommend for 2-factor or multi-factor authentication? You said something about "at least" 2-factor should be required, but what do you really recommend?
Thomas Claburn
User Rank: Author
2/10/2014 | 4:44:58 PM
Re: 2-factor or more factor
When dealing with people's payment data, two-factor authentication and being onsite should be requirements.
norris1231
User Rank: Apprentice
2/10/2014 | 10:18:17 PM
Re: 2-factor or more factor
You nailed two of the most important factors. Authentication is a true security measure that should be identified, as well as being on site. However, the overall remote process is vulnerable. Therefore, tight, very tight security measures must be taken to protect the business from any forms of threats. There are many security procedures that must take place, not just two.
Drew Conry-Murray
User Rank: Ninja
2/11/2014 | 9:51:37 AM
Re: 2-factor or more factor
The problem is the HVAC systems weren't dealing with payment data. Stronger authentication might have helped, but so would network segmentation. The attackers shouldn't have been able to leap from HVAC controls all the way to POS systems.
prebil
User Rank: Apprentice
2/11/2014 | 2:59:41 PM
Re: 2-factor or more factor
I agree. Hackers should never have been able to gain access to Target's payment processors via the HVAC system. Clearly this was poor network planning. The company I work for has been providing secure remote access solutions - complete with granular access controls - to retailers for several decades. Most recently, though, we introduced a new security solution designed to completely mask access to devices - like HVAC systems - except for authorized individuals. I invite you to learn more at http://www.netop.com/securem2m
Roy Atkinson
User Rank: Apprentice
2/21/2014 | 1:17:41 PM
The HVAC Account, Target, and the Real World
It is true that the HVAC account used to infiltrate Target should never have had access to the POS systems. But it did, and that was an IT mistake. However, some of the comments about the HVAC account having "read-only" access and so on indicate a lack of awareness of what really goes on. Vendors that install and maintain building systems such as HVAC, card readers for entry and the like own those systems, and IT's access to them is either non-existent or minimal. The vendors' concerns about security are also usually nonexistent. I have seen building control systems that have "admin" as the user and the company name as the password for years, and through the careers of multiple technicians. The systems in many (if not all) of the other buildings maintained by these vendors had the same exact credentials. The passwords were never changed when technicians left, no matter what the circumstances of that separation. Of course, IT could not get enforcement power over the vendors because of the siloed nature of the organizations. There are thousands of breaches waiting to happen.