Does IP convergence open you up to hackers?
by Alan Brill - Senior Managing Director, Kroll - Monday, 7 April 2014.
Recent reports indicate that unauthorized persons gained access to Target's network using credentials stolen from a company that worked on the retailer's refrigeration, heating, ventilation and air-conditioning systems. The ongoing investigation will have to determine whether this was the root cause of the Point-of-Sale (POS) malware or a parallel attack. Whichever it turns out to be, it is clear that you should take steps to ensure that any access you provide to vendors cannot be abused or misused.

Kroll has seen cases that are not dissimilar. In one example, we were engaged to conduct a vendor-neutral review of a company's data security, and in the course of our penetration testing, we determined that there was an external Internet-based connection to a company that had been engaged to install and maintain a network of security sensors and cameras. This network of cameras, controllers and digital recorders, which ran over the company's corporate IT network, primarily allowed on-site security personnel to observe the camera images, steer the cameras, respond to alarms, and to control the recording of camera images.

The vendor had the ability to log into the network to maintain the camera software and diagnose problems with the security systems. We determined that there were some significant issues.
  • First, when the access account was provisioned for the security vendor, it was assigned not to an individual but to the vendor as a whole, so that anyone could use it.
  • It was provisioned with a trivial initial default password, and there was no requirement that the password be changed. In fact, we learned that it was known to a number of employees (and former employees) of the vendor.
  • There was no test in place to see if the vendor's log-in came from a known IP address associated with the vendor.
  • There was no audit to see if the access using the vendor's account was reasonable – something the company's facilities manager could easily have done.
  • The vendor was not required to maintain security controls equivalent to those of the company.
  • Finally, once in the network, an intruder with those security company credentials could pivot and reach parts of the network unrelated to the security system.

Increasing Convergence, Increasing Risk?

Over the past few years, organizations have recognized the advantages of running multiple systems over a single IP network. As network speeds have increased, it has made sense not to run parallel networks for infrastructure elements such as security, environmental management and similar support systems. But we have found that in many cases the security issues relating to these systems are not well understood, since it seems as if they merely use the network for data transport. Of course, as real-world cases demonstrate, it isn't that simple.

These infrastructure support systems must often be accessed by vendors as well as company personnel. Even for company personnel, there may be a need for remote access to respond to off-hours emergencies. As a result, many of these systems must be accessible online from outside the company. That leads to the issue of authentication. Who has the access? How is it authenticated? Are access credentials tied to an individual, or are they just supplied to a vendor for anyone to use? Are strong passwords required, and have they been changed recently? Is account usage subject to audits?

The other issue is connectivity. Are the users of these accounts (particularly vendor accounts where they don't need access to other company online resources) limited to the specific level of access they require? Are they limited to accessing the specific devices and applications they need, or is it just assumed that's what they will do?
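The source-IP check and usage audit missing in the camera-vendor case above, and the authentication questions just raised, can be turned into a routine check over remote-access logs. The following is an added example, not code from Kroll or from the article; the log format, the vendor netblocks and the business-hours window are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample remote-access log (assumed format: timestamp, event,
# key=value fields). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2014-03-03T02:14:07Z login user=hvac-vendor src=203.0.113.10 result=ok
2014-03-03T10:22:41Z login user=hvac-vendor src=203.0.113.12 result=ok
2014-03-04T23:58:19Z login user=hvac-vendor src=198.51.100.77 result=ok
2014-03-05T09:05:00Z login user=camera-vendor src=192.0.2.8 result=ok
2014-03-05T09:07:13Z login user=camera-vendor src=192.0.2.9 result=fail
2014-03-06T03:41:55Z login user=camera-vendor src=198.51.100.23 result=ok
"""

# Assumed allowlist: the netblocks each vendor declared for maintenance access.
VENDOR_NETS = {
    "hvac-vendor": [ipaddress.ip_network("203.0.113.0/24")],
    "camera-vendor": [ipaddress.ip_network("192.0.2.0/24")],
}
BUSINESS_HOURS = range(8, 18)  # assumed window (UTC hours) for expected vendor work


def parse_line(line):
    """Split one log line into timestamp, account, source address and result."""
    ts, _event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "user": fields["user"],
            "src": ipaddress.ip_address(fields["src"]), "result": fields["result"]}


def audit_vendor_logins(log_text, vendor_nets=VENDOR_NETS):
    """Return (account, finding, source, timestamp) tuples for vendor accounts."""
    findings = []
    successful_sources = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["user"] not in vendor_nets:
            continue  # only vendor accounts are in scope for this audit
        if not any(e["src"] in net for net in vendor_nets[e["user"]]):
            findings.append((e["user"], "source outside vendor allowlist", str(e["src"]), e["ts"]))
        hour = int(e["ts"][11:13])
        if e["result"] == "ok":
            successful_sources[e["user"]].add(e["src"])
            if hour not in BUSINESS_HOURS:
                findings.append((e["user"], "off-hours login", str(e["src"]), e["ts"]))
    # One account logging in from several sources is a symptom of a shared credential.
    for user, srcs in successful_sources.items():
        if len(srcs) > 1:
            findings.append((user, "successful logins from %d distinct sources" % len(srcs), "", ""))
    return findings
```

Run against the sample, the audit flags two logins from outside the declared netblocks, three off-hours logins, and both accounts as used from more than one source, which is exactly the pattern a shared, never-rotated vendor password produces.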
