The Green Sheet Online Edition
December 08, 2014 • Issue 14:12:01
Home Depot breached via third-party vendor
In the wake of the Target Brands Inc. breach that occurred during the 2013 holiday season, it was disclosed that the massive intrusion originated from network credentials stolen by fraudsters from Target's heating, ventilation and air conditioning (HVAC) subcontractor. The Home Depot U.S.A. Inc. recently reported that the same attack vector was used in the breach of its systems in early 2014. That breach reportedly resulted in the theft of 53 million customer email addresses; apparently no payment card information.
On Nov. 6, 2014, Home Depot said an investigation into the breach, which began in April 2014 and was uncovered in September, discovered that fraudsters stole the user name and password of an unnamed third-party vendor that had access to Home Depot's electronic network. "These stolen credentials alone did not provide direct access to the company's point-of-sale devices," Home Depot said. Instead, the hackers employed the user credentials to access Home Depot's network and install malware that targeted the retailer's self-checkout systems in the United States and Canada.
At the time of the breach, Home Depot was in the middle of transitioning some 85,000 POS terminals to the Europay/MasterCard/Visa (EMV) chip card standard to boost security against fraudsters using counterfeit cards at the POS. Following its breach, Target instituted its own EMV transition. But, ironically, neither EMV implementation addresses the source of the breaches: back-door weaknesses in network security.
Ease of intrusion
Chicago-based data security and compliance firm Trustwave has been vocal in its criticism of businesses for having lax security practices when it comes to third-party vendors. Karl Sigler, Trustwave Threat Intelligence Manager, said retailers rely on third-party vendors for all kinds of services, including HVAC maintenance and after hours cleaning crews.
"For a lot of these third-party vendors, it's all about ease of access and [to] be able to get in and do their job as quickly and efficiently as possible," Sigler said, "That opens up vulnerabilities." The main point of vulnerability is via remote access, according to Sigler, where businesses supply vendors with user credentials to access their networks remotely. But, often, those credentials contain weak, easily hackable passwords and PINs, or businesses dole out the same credentials to multiple vendors.
Trustwave conducted research on password strength based on thousands of network penetration tests it performed on businesses in 2013. Out of a sample of over 625,000 passwords, Trustwave was able to crack over half within minutes, and almost 92 percent of them within a month's time. Additionally, Trustwave found that the most common password is Password1, followed by Hello123, and password. Trustwave said weak or default passwords contributed to one third of compromises it investigated in 2013 and 2014.
Sigler pointed out that physical network intrusions are also common. "A lot of the time the easiest method to get into a facility physically is by becoming part of the cleaning crew or the HVAC crew," he said. "And once they have physical access to a system, and you don't have strong protections on the systems inside, it's pretty easy to gain access and install whatever malware they want."
It is for these reasons that third-party vendors are popular targets for fraudsters. "The large organizations are hard to attack directly," Sigler said. "But a lot of these third-party vendors are themselves a smaller shop, and they don't often have proper security controls put in place, the manpower, or they don't have the skills in-house to do it. So it's an easier attack vector. [Fraudsters] are going to take the easiest path to get to the data they want to steal."
Awareness and control
Fortunately, awareness is growing of the security vulnerabilities inherent with third-party vendors and the network access given them by businesses. The PCI Security Standards Council has put a focus on security issues involving third-party vendors in the update to its global data security standard.
Version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS), which becomes the de facto standard for securing networks on Jan. 1, 2015, puts the onus on vendors to clarify for the benefit of merchants which PCI DSS controls they will address and which are the responsibility of merchants. The updated standard also mandates that vendors use unique passwords for each merchant they connect to remotely, and deploy two-factor authentication for those connections as well.
Sigler recommended practical steps businesses can take to make fraud attacks via third-party vendors less likely. First, lock down physical environments. "You should be very aware of the physical environment you're giving [vendors] access to," he said. "If you're giving them access to the entire facility, they should at least be monitored or escorted through rooms or through server situations that have very critical systems."
Second, given that businesses often employ multiple vendors, organizations should have awareness and control over how those vendors access networks. "Because of vendor preferences, [businesses] end up having too many remote access solutions," Sigler said. For example, one vendor might prefer a remote desktop interface; another vendor might use a virtual private network solution.
So businesses should regularly audit how vendors are accessing networks and limit access points to one or two that can be more easily monitored, Sigler noted.
Additionally, if a breach occurs, businesses should be able to recognize and respond to it quickly. "That's the last safety net," Sigler said. "And that involves monitoring your network, monitoring your systems for things that are abnormal – things that you wouldn't expect to see."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.