Retailer discloses that attackers stole credentials from vendor to break into its network Target’s disclosure that credentials stolen from a vendor were used to break into its network and steal 40 million credit- and debit-card numbers highlights the fact that a company’s security is only as strong as the weakest link in its supply chain.[Target-like attack unlikely against small retailers]No matter how strong Target’s internal security was, if the breach started with a third-party vendor, then the weakness was in how the retailer managed the security risk all large companies face when partners and suppliers interact with their networks, experts say.“Hackers have reached a new level of mastery and companies are really struggling,” Torsten George, vice president of marketing and products at risk management vendor Agiliance, said. “They’re putting a lot of effort in protecting their own networks, but how do you really go after your suppliers and vendors? How do you assess the risk in doing business with them?”Many companies will send out questionnaires to new suppliers to get a description of the security of the systems that will be used to conduct business. The questionnaires will also cover the suppliers’ security processes, including regular audits and penetration testing. In addition, some companies will require some type of certification that suppliers’ systems are secure and may even use a third-party for penetration testing. Unfortunately, the security check often happens only once. “A lot of times, for the most part, that’s where it ends. So, it’s kind of a one-point-in-time type of view and they never look at it again,” said Stephen Boyer, chief technology officer for BitSight Technologies, which measures companies’ security effectiveness.That kind of approach to supply chain security is changing, led by the financial services industry. Besides sending questionnaires out regularly, banks are hiring consultants to conduct security audits or hiring companies to monitor suppliers’ systems for unusual traffic, experts say.Outside of the banking industry, companies are becoming more aware of the importance of third-party risk management as they increasingly integrate their systems with cloud services, Renee Murphy, analyst for Forrester Research, said.“The cloud made everybody think a little differently about their third parties, because that integration to that particular third party is drastic,” Murphy said. “That made them rethink everything else that they were doing and now they’re taking the whole thing a lot more seriously.”[Two coders closely tied to Target-related malware, security firm says]Beyond confirming the credential theft, Target provided no other details on how the information was stolen or which portal the hackers used to enter the retailer’s network and eventually install malware in the company’s electronic cash registers, called point-of-sale systems.The blog KrebsonSecurity reported Tuesday that the hackers might have entered Target’s network by breaking into an IT management software suite made by BMC Software. From there, the hackers might have moved laterally through the corporate network, eventually finding their way to the POS systems. BMC has denied that its software was used in the break in.The hackers also managed to infect another system and steal personal data, such as email addresses and phone numbers, for 70 million people before Target shutdown the breach December 15, almost three weeks after the hackers planted malware in the POS systems.The integration of so much technology in a large corporation makes it nearly impossible to plug every hole, Murphy said. “The interconnectivity of this stuff makes it so supremely difficult to find (the vulnerability),” Murphy said. So, a good risk management strategy would identify the most valuable information in an organization and regularly check the security in every system that could be used to gain access to that data, she said. Related content news UK CSO 30 Awards 2023 winners announced By Romy Tuin Dec 05, 2023 4 mins CSO and CISO C-Suite Roles news analysis Deepfakes emerge as a top security threat ahead of the 2024 US election As the US enters a critical election year, AI-generated threats, particularly deepfakes, are emerging as a top security issue, with no reliable tools yet in place to combat them. By Cynthia Brumfield Dec 05, 2023 7 mins Election Hacking Government Security Practices feature How cybersecurity teams should prepare for geopolitical crisis spillover CISOs can anticipate and prepare for cyberattacks conducted by participants in geopolitical conflict such as the Israel/Hamas war by understanding the threat actors' motivations and goals. By Christopher Whyte Dec 05, 2023 12 mins Advanced Persistent Threats Threat and Vulnerability Management Risk Management news analysis P2Pinfect Redis worm targets IoT with version for MIPS devices New versions of the worm include some novel approaches to infecting routers and internet-of-things devices, according to a report by Cado Security. By Lucian Constantin Dec 04, 2023 5 mins Botnets Hacker Groups Security Practices Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe