Experts question security used in Target breach

Security experts determining whether third-party vendor had too much access to Target's point of sale systems

The latest details from the Target breach investigation raises questions as to the security the retailer had in place for third-party vendors accessing its partner portal and billing system.

[Target credential theft highlights third party vendor risk]

In addition, the information uncovered by the blog KrebsOnSecurity revealed that the Target attack started with malware-carrying email used in a phishing attack against an outside vendor, which used a free version of anti-virus software for protection. More than 110 million consumers had credit card and personal data stolen in the breach of Target's electronic cash registers late last year.

Because the break-in started with an external vendor, security experts are asking whether the company had too much access to Target's systems and whether the retailer properly isolated the registers, called point of sale (POS) systems, from the rest of the network.

The hackers reportedly stole the login credentials of vendor Fazio Mechanical, a heating, air conditioning and refrigeration firm. Those credentials may have provided access to Target's external billing system, called Ariba, and its project management and contract submissions portal, called Partners Online, KrebsOnSecurity reported.

Such portals are usually separated from the rest of the corporate network to prevent malware from reaching sensitive information. Only highly skilled hackers could find a way around such network segmentation.

"Getting from a procurement portal to a cardholder data environment is a long road," Anton Chuvakin, analyst for Gartner, said.

KrebsonSecurity reported that the Target portal might have been integrated with Microsoft software called Active Directory, which authenticates all logins to a Windows network. If the hackers broke into the directory, then they may have been able to find a way into other parts of the network.

Another possibility is Target gave the vendor too much access to the network, which could have been exploited by the hackers. If that's the case, then "the blame lies firmly with Target," Chuvakin said.

The Payment Card Industry Security Standards Council (PCI SSC), which sets standards retailers must follow in order to accept debit and credit cards, requires companies to limit and monitor network access to outside vendors. If Target were found to be in violation of PCI SSC rules, then the retailer would be liable for losses from the breach, as well as substantial fines.

[Target-like attack unlikely against small retailers]

While Fazio said earlier that it used "industry practices" for security, KrebsonSecurity, quoting unnamed investigators in the Target breach, reported that the company's primary defense in stopping malicious software from entering its internal systems was the free version of Malwarebytes Anti-Malware.

This would cause two problems for Fazio. First, the free AV version is for consumer use only, which means it would be in violation of Marlwarebytes' license. Secondly, the software does not provide real-time scanning of files for malware.

"Free AV as sole corporate malware defense is not an industry best practice," Chuvakin said.

Nevertheless, it's not unusual to find Malwarebytes in corporate environments, Peter Firstbrook, an analyst for Gartner, said.

"Malwarebytes is often in use in our big enterprise customers, but mostly for malware removal rather than a first line of defense," he said. "More traditional AV players like Symantec, McAfee, Trend Micro, Kaspersky and Sophos are more common."

[Two coders closely tied to Target-related malware, security firm says]

In terms of being able to catch malware, free versions of AV software is often as effective as paid versions from the same vendor, because the signatures are the same.

"When it comes to free antivirus versus paid, it comes down to features the user wants, administration capabilities and frequency of updates," Candis Orr, senior security analyst for consulting firm Bishop Fox, said. "An enterprise level antivirus that one has to pay for will have all these features, while a free antivirus will be lacking in one or more areas."

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)