Retailer discloses that attackers stole credentials from vendor to break into its network

Target's disclosure that credentials stolen from a vendor were used to break into its network and steal 40 million credit- and debit-card numbers highlights the fact that a company's security is only as strong as the weakest link in its supply chain.

No matter how strong Target's internal security was, if the breach started with a third-party vendor, then the weakness was in how the retailer managed the security risk all large companies face when partners and suppliers interact with their networks, experts say.

"Hackers have reached a new level of mastery and companies are really struggling," Torsten George, vice president of marketing and products at risk management vendor Agiliance, said. "They're putting a lot of effort in protecting their own networks, but how do you really go after your suppliers and vendors? How do you assess the risk in doing business with them?"

Many companies will send out questionnaires to new suppliers to get a description of the security of the systems that will be used to conduct business. The questionnaires will also cover the suppliers' security processes, including regular audits and penetration testing. In addition, some companies will require some type of certification that suppliers' systems are secure and may even use a third party for penetration testing.

Unfortunately, the security check often happens only once. "A lot of times, for the most part, that's where it ends. So, it's kind of a one-point-in-time type of view and they never look at it again," said Stephen Boyer, chief technology officer for BitSight Technologies, which measures companies' security effectiveness.

That kind of approach to supply chain security is changing, led by the financial services industry.
Besides sending questionnaires out regularly, banks are hiring consultants to conduct security audits or hiring companies to monitor suppliers' systems for unusual traffic, experts say.

Outside of the banking industry, companies are becoming more aware of the importance of third-party risk management as they increasingly integrate their systems with cloud services, Renee Murphy, analyst for Forrester Research, said.

"The cloud made everybody think a little differently about their third parties, because that integration to that particular third party is drastic," Murphy said. "That made them rethink everything else that they were doing and now they're taking the whole thing a lot more seriously."

Beyond confirming the credential theft, Target provided no other details on how the information was stolen or which portal the hackers used to enter the retailer's network and eventually install malware in the company's electronic cash registers, called point-of-sale (POS) systems.

The blog KrebsonSecurity reported Tuesday that the hackers might have entered Target's network by breaking into an IT management software suite made by BMC Software. From there, the hackers might have moved laterally through the corporate network, eventually finding their way to the POS systems. BMC has denied that its software was used in the break-in.

The hackers also managed to infect another system and steal personal data, such as email addresses and phone numbers, for 70 million people before Target shut down the breach on December 15, almost three weeks after the hackers planted malware in the POS systems.

The integration of so much technology in a large corporation makes it nearly impossible to plug every hole, Murphy said. "The interconnectivity of this stuff makes it so supremely difficult to find (the vulnerability)," Murphy said.
So, a good risk management strategy would identify the most valuable information in an organization and regularly check the security in every system that could be used to gain access to that data, she said.