It has recently come to light that the Target data breach, in which some 40 million payment card numbers (along with encrypted PIN data) were compromised, was carried out using account credentials stolen from a third-party HVAC vendor. Aside from the obvious questions of why the HVAC vendor's access had any path to the network carrying payment data, and why either the vendor or the heating and air personnel would have any access to financial systems, it raises a host of other questions you should be asking about your own network. Hopefully Target has good answers to the questions above; perhaps the HVAC vendor's credentials were only the foothold, used to harvest other credentials that did have access to the financial network. Whatever their answers turn out to be, what questions should you ask about your network in light of their revelations?
With an ever-increasing level of connectivity between ancillary devices and our data networks, careful thought should be given to which devices have access to your data network. Which vendors have you handed critical passwords or account information to over the years, for equipment that may not be segmented from your network (phone systems, copiers, HVAC service personnel, postage machines, CCTV/DVR equipment, etc.)? Are those devices and accounts restricted to only the areas they actually need to reach? Do you keep track of those vendor accounts, and delete them or change the passwords when the vendor is replaced or when you start using a new vendor for a service? What is the vendor's own password policy? If they are going to need long-term access to devices on your network, wouldn't you like to know how many of their former employees still know passwords and access paths into your network? How do they store your passwords on their end?
What about your predecessors, or current and former coworkers? How many of them were given, or may have gleaned, a critical username or password? Did they hand out account information to vendors or third parties, with authority or not? When an employee or vendor leaves, do you change every password on every device and account they might have known?
Some obvious remedies for Target's issue would be to implement VLANs to segment non-critical devices from your data network, and to further segment departments where it makes sense. Use separate physical networks where that is warranted. Keep in mind that a VLAN by itself only separates broadcast domains; the segmentation is only as good as the firewall rules or ACLs that control traffic between VLANs, and a router that forwards freely between them provides no real isolation. Implement policies to mitigate these issues, and audit your systems so you have good documentation of who has access to what. Rotate those passwords periodically, and especially when vendors change.
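Here is what segmentation beyond the VLAN tag looks like on a Linux router running nftables. This is an added example written for this post, not configuration from Target or from the original article; the interface names, subnets, host addresses and per-vendor VPN addresses are assumptions chosen to match the HVAC/finance scenario above.

```nftables
#!/usr/sbin/nft -f
# Inter-VLAN filtering on a Linux router (added example, not from the post).
# Hypothetical layout; interface names and addresses are assumptions:
#   vlan10  10.0.10.0/24  staff workstations (internal DNS/NTP server at 10.0.10.2)
#   vlan20  10.0.20.0/24  finance and point-of-sale (file server at 10.0.20.15)
#   vlan30  10.0.30.0/24  vendor-managed gear: HVAC controller, CCTV/DVR, copiers
#   tun0    10.0.99.0/24  VPN pool handed to remote vendor technicians
#   wan0    internet uplink
# Without a forward policy like this one the router routes between the
# VLANs freely, so the tags alone would separate nothing.

flush ruleset

define HVAC_CTL = 10.0.30.10
define CCTV_DVR = 10.0.30.20
define FIN_FS   = 10.0.20.15
define INFRA    = 10.0.10.2

table inet segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Every segment may use the internal DNS/NTP server, nothing else on vlan10
        ip daddr $INFRA udp dport { 53, 123 } accept

        # Staff: internet, and the finance file server on SMB only
        iifname "vlan10" oifname "wan0" accept
        iifname "vlan10" ip daddr $FIN_FS tcp dport 445 accept

        # Finance/POS: outbound HTTPS only (payment processor), no lateral access
        iifname "vlan20" oifname "wan0" tcp dport 443 accept

        # Vendor-managed devices (vlan30) get nothing beyond the DNS/NTP rule
        # above: no path to finance, no path to staff, no outbound internet.

        # Remote vendor technicians: only the specific device they service, on
        # its management port. One rule per vendor, so access can be revoked
        # individually when a contract ends.
        iifname "tun0" ip saddr 10.0.99.10 ip daddr $HVAC_CTL tcp dport 443 accept
        iifname "tun0" ip saddr 10.0.99.20 ip daddr $CCTV_DVR tcp dport 8080 accept

        # Log what falls through so segmentation violations are visible
        log prefix "segment-drop: " counter drop
    }
}
```

Load it with `nft -f segment.nft` and watch for `segment-drop:` entries in the kernel log; an HVAC controller trying to reach the finance VLAN then shows up as a logged drop instead of succeeding silently. Revoking a vendor means deleting one rule and one VPN account rather than re-keying the whole network.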
As an MSP, we often hold passwords to everything on our clients' networks, from routers to QuickBooks, as do most internal IT departments (especially in the small to mid-sized business sector). It isn't always necessary, but it is extremely convenient when problems arise, and convenience is often in direct opposition to security. We have built trust relationships with our clients as professionals, and provide contracts stating how the issues above are mitigated by our policies and procedures. Do you use an MSP? What are their policies on stored passwords and critical network information?
If you don't know the answers to the questions above, it is time to audit the accounts and access levels on all of your infrastructure, your network topology, your vendors' policies, and possibly your own. Don't forget to thank Target for the lesson!
Next Step -> Encrypting sensitive data and securing communications