Don't Be A Target – Do The TightenUp™

They came in through the bathroom window… [YouTube]

Life lessons come in all flavors and it seems that today's is: Don't be a Target.

Everyone knows by now that Target's customer data was breached, but only today is it becoming clear how it happened…and how it relates to you. See: Target Hackers Broke in Via HVAC Company — Krebs on Security

It seems that a service company – in this case an HVAC contractor – had access to a sliver of the retail giant's elaborate back-end, probably for monitoring store temperatures. Many companies build this capability into their equipment: the fans and compressors, and what they deliver, are monitored remotely via SNMP messages.


Someone figured out how to get a Trojan into that system – so the conjecture goes. Working from the air-conditioning link through to the payment systems was then only a matter of the attackers' diligence and technique.

It isn't only Target. See a probably much more gruesome story that has yet to reach the public eye: Hotel Franchise Firm White Lodging Investigates Breach — Krebs on Security. White Lodging is the hotel franchise firm behind properties we all know under brands including Hilton, Marriott, Sheraton and Westin.

From Krebs's Target article: Avivah Litan, a fraud analyst with Gartner, said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).

The comments on that article list other PCI violations. How familiar are you with this standard…and how solid are your own internal walls, meaning the segmentation between the networks that handle payments and everything else?

Wearing my other hat, as an equipment manufacturer, I had exactly this conversation just a few days ago. It is typical for a company (you) to allow data into your systems, but not so typical to let it out. Every such link is a path into your network, so it is up to you to make certain that every connection to your equipment and data server is necessary, vetted, secure, and monitored. The best way seems to be "on request" services: for example, a RESTful service that answers a vendor's request only after authenticating it with a client certificate you issued, and hands back only the data that request needs, rather than giving the vendor a standing connection into your network.
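As an added example (not from this post, nor from the IBM or Oracle documentation linked below), here is what such an "on request" service looks like in Go using only the standard library. A private CA that the retailer controls issues one certificate to the HVAC vendor; the HTTPS endpoint requires a client certificate from that CA (mutual TLS) and returns exactly one temperature reading per request; an anonymous caller, and a caller whose certificate carries the same vendor name but comes from some other CA, are both refused during the TLS handshake before any handler code runs. The CA name, the vendor and store identifiers, the /readings path and the reading itself are made up for the demo, and the server is an in-process test server on loopback.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints an Ed25519 key and a certificate for cn: a self-signed CA if parent is nil, else a leaf signed by parent.
func issue(cn string, serial int64, parent *tls.Certificate) tls.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // demo serials; real CAs use large random ones
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, // SAN for the loopback test server
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	parentCert, signer := tmpl, interface{}(key)
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey
	} else { // self-signed root: mark it as a CA that may sign certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer exposes the "on request" endpoint; the handshake itself rejects callers without a cert from our CA.
func startServer(trusted *x509.CertPool, srv tls.Certificate) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "vendor=%s store=%s temp_c=21.5\n", r.TLS.PeerCertificates[0].Subject.CommonName, r.URL.Query().Get("store"))
	}))
	s.TLS = &tls.Config{
		ClientAuth:   tls.RequireAndVerifyClientCert, // no client certificate, no connection
		ClientCAs:    trusted,                        // and only certificates from our own CA count
		Certificates: []tls.Certificate{srv},
	}
	s.StartTLS()
	return s
}

// get makes one request as the given client; passing no certificate models an anonymous caller.
func get(url string, roots *x509.CertPool, id ...tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, Certificates: id}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo tries the contracted vendor, an anonymous caller, and a caller with the same name on a cert from a CA we never trusted.
func Demo() (body string, anonRefused, rogueRefused bool) {
	ca := issue("Retailer Vendor-Access CA", 1, nil)
	srv := issue("readings.example.test", 2, &ca)
	vendor := issue("hvac-vendor-01", 3, &ca)
	otherCA := issue("Some Other CA", 10, nil)
	rogue := issue("hvac-vendor-01", 11, &otherCA)
	trusted := x509.NewCertPool() // the single trust anchor, used by both sides
	trusted.AddCert(ca.Leaf)
	s := startServer(trusted, srv)
	defer s.Close()
	url := s.URL + "/readings?store=1234"
	body, err := get(url, trusted, vendor)
	must(err)
	_, anonErr := get(url, trusted)
	_, rogueErr := get(url, trusted, rogue)
	return body, anonErr != nil, rogueErr != nil
}

func main() {
	body, anon, rogue := Demo()
	fmt.Printf("%sanonymous caller refused: %v, foreign-CA caller refused: %v\n", body, anon, rogue)
}
```

Note what the handler never does: it opens nothing back toward the vendor, and it never sees a request that the TLS layer has not already tied to a certificate the retailer itself issued. Revoking or simply not renewing that one certificate ends the vendor's access without touching anything else in the network, which is the opposite of a shared login that reaches the back-end directly.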

But don't take our word for it; read up so that you can ask intelligent questions of your security personnel…and, ironically, of your service group.

Security setup for RESTful web services - IBM

Securing RESTful Web Services - 12c Release 1 (12.1.1) – Oracle

And, good luck to us all.