octoberasian
From KrebsOnSecurity (via Gizmodo):
Rough sketch of how this happened, based on what I've read in the article and the news so far since this was reported:

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
...
It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”
Question for the security experts on [H]ardForum:
- For those that work for large companies like Target, is it typical for them to cut costs over improving security? Is it typically cheaper to remotely access a system to monitor and maintain it instead of hiring and sending a technician there to personally check on it?
- Is Target wholly at fault here for not securing their system or providing a separate network for third-party vendors and companies? At fault for consolidating all systems on one network?
- What are your thoughts on this data breach?
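The article's point that vendor access was not "cordoned off" from the payment network is really a question of transitive reachability between network zones, not just whether a direct vendor-to-payment rule exists. The following is an added example (not code from the post or from Target or the article) that models a zone-to-zone firewall policy with first-match, default-deny semantics and searches for a pivot path; the zone names and both rule sets are constructed for illustration.

```python
"""Segmentation check: can the vendor remote-access zone reach the payment
zone, either directly or by pivoting through intermediate zones?"""
from collections import deque

# Constructed rule sets: (src_zone, dst_zone, action). Zone names are
# hypothetical labels for the scenario the article describes.
WEAK_RULES = [
    ("vendor_remote", "hvac_mgmt", "allow"),  # contractor supports the BMS
    ("hvac_mgmt", "store_lan", "allow"),      # controllers sit on the store LAN
    ("store_lan", "payment", "allow"),        # POS traffic
    ("vendor_remote", "payment", "deny"),     # direct path blocked, pivot is not
]

HARDENED_RULES = [
    ("vendor_remote", "hvac_mgmt", "allow"),
    ("hvac_mgmt", "store_lan", "deny"),       # BMS segment isolated from store LAN
    ("store_lan", "payment", "allow"),
    ("vendor_remote", "payment", "deny"),
]


def allowed(rules, src, dst):
    """First matching rule decides; no matching rule means deny."""
    for s, d, action in rules:
        if s == src and d == dst:
            return action == "allow"
    return False


def zones(rules):
    return {z for s, d, _ in rules for z in (s, d)}


def reachable_path(rules, start, target):
    """Breadth-first search over zones; returns the pivot path or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parents[cur]
            return path[::-1]
        for nxt in zones(rules):
            if nxt not in parents and allowed(rules, cur, nxt):
                parents[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, reachable_path(rules, "vendor_remote", "payment"))
```

The weak policy reports the path vendor_remote -> hvac_mgmt -> store_lan -> payment even though the direct rule is a deny; the hardened policy reports None because the BMS segment cannot reach the store LAN.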