Over the course of this past year several large companies here in the U.S. have experienced a large data breach: Target, Neiman Marcus, Dairy Queen, and most recently Home Depot. The question is often asked: How is it that these large companies with large resources at their disposal can find themselves in a situation like this?
The Anatomy of a Breach
To frame this properly it must be understood that just because you are a big company with lots of resources, PCI can at times be more difficult than it would be for a smaller organization. When you are a large company with a several very large and complex nationwide networks, the likelihood of something been overlooked and therefore exploited is increased.
We’re going to take a look at the Target breach but before we get into the specifics as they have been reported, let’s look at the anatomy of a breach in three steps:
- Identify Vulnerabilities:
This is done a variety of ways. Here are just a few:
- Phishing emails sent to employees within the company hoping they might respond and inadvertently disclose personal information or login credentials.
- Scanning their website criminals will look for any vulnerability that could be exploited.
- Building webpages that have malicious code built into them which can be delivered through other familiar applications.
Once they have enough information to access the first level of the network their actual work begins.
Now with access to a network within the company the criminals begin to map out the network. Frequently they will poke around and try to find locations where this network may connect to another of their networks; especially one that is protected by only a username and password. Next they will attempt to access this network usually using one of the following ways:
- Attempt to guess the password by brute force and sheer number of attempts hoping to eventually determine the password
- Attempt to login using a list of basic passwords that are still commonly used despite their terrible security. For example passwords such as “Password1” which is still among the top 5 most used passwords in the world.
- They will try to identify the device/system they are trying to access and do a quick Google search for the default username and password. If the company has not changed the password from the default – the criminals are in. This is the reason that your IT department is probably always making sure you using complex passwords, that you change them every 90-days, and that you are NEVER using the default username or password. If your organization is not doing these things you should start immediately.
- Installation and Export:
Now that they are deeper into your network they will continue to gain access to other areas of the network as they begin to identify areas of interest. Remember the ultimate goal is to find a payment system such as an internet connected terminal that is used for customer checkout. Once the payment system is located they will try to upload malicious software to that payment system or device. This malicious software will memorize any data input into it which the cyber criminals can then siphon out over time, effectively making the data their own. Once they have access to the data the criminals will either use the stolen data themselves and/or sell it online to others who will make use of the information.
Bullseye: Target’s Breach
With the anatomy of a breach in your mind, let’s take a look at how this played out for Target:
It is reported that the criminals responsible for the breach initially stole network credentials from a third-party service provider who was working for Target – a HVAC/Refrigeration company. These credentials provided the criminals with external access to Target’s HVAC/Refrigeration network. Doesn’t sound very fruitful at first glance, but keep reading.
With access to this system they were able to look around and see if there were any other networks accessible from the HVAC/Refrigeration network. They discovered that Target’s networks were relatively open and they were also able to access their payment systems network from within this network. It is surprising that the payments network was not cordoned from any other network. With access to the payment network they were able to upload their malicious card-stealing code and push this code out to the majority of Target’s point-of-sale devices.
Passwords: It’s Simple, But Critical
A key take away from this is that no matter what, password security should always be taken seriously and payment systems or devices should always be segmented from any other systems. There is no reason for any other system to ever access your payment device or systems.
If you or any members of your organization have questions on how you can protect your systems better send us an email or post a comment below, security is a team effort and we are here to help!