Retail Breaches: FBI Says Remote Management Software May Be The Culprit
The software used by service providers to remotely monitor and conduct maintenance on their clients' systems is consistently being targeted by attackers, according to a leaked FBI document warning about the threat.
Vulnerabilities in remote-access software used to monitor the networks at Target and Neiman Marcus may have been at the core of the two retailers' data security breaches, in which the personal data of millions of customers was stolen during the holiday shopping season. A two-page report, obtained by The Wall Street Journal, warns that the software was exploited during a recent string of payment card hacks.
Security experts told CRN that remote monitoring software is a common target of financially motivated cybercriminals. The software is often poorly maintained and frequently contains weak and default passwords and vulnerabilities that can be exploited by malware, they said.
Solution providers should be doing their due diligence -- strengthening passwords and ensuring that system patches are tested and up to date, said Ben Goodman, president of 4A Security, a managed security service and risk management consultancy based in New York. Goodman said his system engineers use McAfee software to monitor their customers' systems.
"This is a case where the cobbler's children have no shoes; the folks that are the most at risk are not necessarily doing the best they can," Goodman said. "How many administrators out there have passwords that are totally simple and easy to guess?"
Vulnerability scanning, which PCI DSS requires at least quarterly, is one of the practices most often found lacking at retail locations, said Aaron Reynolds, a managing principal within Verizon's PCI North America Practice. In an interview with CRN, Reynolds said retailers frequently cannot produce demonstrable evidence that the vulnerabilities their scans identified were ever remediated.
"Vulnerability scanning would probably be the most challenging area," Reynolds said. "It is a quarterly process and with the threat landscape, zero-day attacks, and constant patching or lack thereof, a dynamically challenging environment is a major challenge and difficult to stay on top of."
Providers of point-of-sale systems say they routinely connect to their clients' systems remotely to maintain and adjust them. Jacob Bilton, a sales manager at Value Systems, a Myrtle Beach, S.C., point-of-sale reseller, said the payment processor has security policies governing how staff correct transaction errors such as duplicate payments and other system glitches. The payment terminals and the point-of-sale software are validated by their manufacturer against the Payment Card Industry's requirements.
"The software is PCI-certified so it's as secure as it can possibly be," Bilton said. "We use industry standards and take steps to maintain security. That is what we tell the business owners."
New details in the Target breach point to remote management software as potentially one of the tools used by the cybercriminals. Attackers reportedly used stolen account credentials to reach the remote access Target provided for its HVAC systems and then moved from there through the company's network. In a statement, Ross E. Fazio, president and owner of HVAC contractor Fazio Mechanical Services, said the company was itself targeted by attackers and is "fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections, making them less vulnerable to future breaches."
A Verizon analysis of 4,000 assessments across more than 500 enterprises found that most payment card breaches are not a failure of the technology or PCI standards, but a failure to implement them. The firm's analysis, revealed in a report released Tuesday, found that only 11.1 percent of companies met all the demands of PCI DSS 2.0 in 2013, an increase of 3.6 percentage points since the 2012 review. Many times businesses that are required to have an on-site assessment are certified PCI-compliant but then fail to maintain compliance, said Verizon's Reynolds.
"There are areas within PCI-DSS that touch on intrusion detection and prevention as well as file integrity monitoring and other processes that have to be done throughout the year," Reynolds said. "It's not a one-time thing; you're not doing it for the compliance, you're doing it to maintain vigilance over your systems."
The Verizon study found that more than 82 percent of organizations were compliant with at least 80 percent of the PCI standards in 2013. The analysis found retailers poorly carrying out steps required for the protection of cardholder data, failing to track and monitor access to network resources and cardholder data, and not being thorough on penetration testing and vulnerability scanning.
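The two failures the article keeps returning to, a vendor's remote-access credentials reused by an intruder and the absence of tracking of who reaches which network resources, can be checked against authentication logs with a small audit. The script below is an added example and is not code from the article, from Verizon, or from any company it names; the log line format, the account names (svc_hvac_vendor, svc_pos_reseller), the source networks and the allowed-host lists are all constructed for illustration. It flags successful logins by a third-party account that come from outside the network that vendor is expected to use, and logins that land on a host outside that vendor's approved scope.

```python
"""Audit third-party remote-access logins against a per-vendor policy.

Added example, not code from the article or from any company it names.
The log format ("timestamp account src_ip dest_host result"), the
account names, networks and host lists are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed policy: where each vendor account is expected to connect
# from, and which internal hosts that account is allowed to reach.
VENDOR_POLICY = {
    "svc_hvac_vendor": {
        "source_nets": ["203.0.113.0/24"],       # assumed vendor office egress
        "allowed_hosts": {"bms-01", "bms-02"},   # assumed building-management servers
    },
    "svc_pos_reseller": {
        "source_nets": ["198.51.100.0/24"],
        "allowed_hosts": {"pos-mgmt-01"},
    },
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    account: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into its five fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return tuple(parts)  # (timestamp, account, src_ip, dest_host, result)


def audit_vendor_logins(lines, policy=VENDOR_POLICY) -> list[Finding]:
    """Return one Finding per policy violation by a vendor account.

    Only successful logins are judged: a failed attempt from the wrong
    place is noise for this check, a successful one is the breach path.
    """
    nets = {
        acct: [ipaddress.ip_network(n) for n in p["source_nets"]]
        for acct, p in policy.items()
    }
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, account, src_ip, dest_host, result = rec
        if account not in policy or result != "SUCCESS":
            continue
        try:
            ip = ipaddress.ip_address(src_ip)
        except ValueError:
            findings.append(Finding(line_no, account, f"unparseable source {src_ip}"))
            continue
        if not any(ip in net for net in nets[account]):
            findings.append(Finding(line_no, account, f"login from unexpected source {src_ip}"))
        if dest_host not in policy[account]["allowed_hosts"]:
            findings.append(Finding(line_no, account, f"reached out-of-scope host {dest_host}"))
    return findings


# Constructed sample log: lines 3 and 4 show a vendor account used from an
# address outside the vendor's network, and line 4 also reaches a POS
# management host that account should never touch.
SAMPLE_LOG = [
    "2014-02-10T08:02:11Z svc_hvac_vendor 203.0.113.17 bms-01 SUCCESS",
    "2014-02-10T08:05:43Z svc_hvac_vendor 203.0.113.17 bms-02 SUCCESS",
    "2014-02-10T23:41:09Z svc_hvac_vendor 192.0.2.99 bms-01 SUCCESS",
    "2014-02-10T23:44:30Z svc_hvac_vendor 192.0.2.99 pos-mgmt-01 SUCCESS",
    "2014-02-10T09:00:00Z svc_pos_reseller 198.51.100.5 pos-mgmt-01 SUCCESS",
    "2014-02-10T09:01:00Z svc_pos_reseller 198.51.100.5 pos-mgmt-01 FAILURE",
    "2014-02-10T10:00:00Z jdoe 10.1.1.5 fileserver SUCCESS",
]

if __name__ == "__main__":
    for f in audit_vendor_logins(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.account}: {f.reason}")
```

Run against the sample, the audit reports three findings, all on the HVAC vendor account: the two late-night logins from 192.0.2.99 and the hop to pos-mgmt-01. The same structure applies to real VPN, jump-host or vendor-portal logs once the parser is swapped for the real format; the point is that both checks need an explicit per-vendor policy to compare against, which is exactly the "track and monitor access to network resources" control the Verizon findings say retailers skip.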
The PCI Security Standards Council, which maintains both PCI DSS and the PA-DSS guidelines, said the Verizon report was encouraging. The council has long reiterated that a PCI assessment is a snapshot in time and consistently encourages merchants to maintain an ongoing security program throughout the year.
"Ongoing deployment and maintenance of PCI standards as business-as-usual is the best way to protect payment card data," said Bob Russo, general manager, PCI Security Standards Council. "PCI security is a strong combination of people, process and technology. The latest Verizon PCI report reinforces that businesses must not neglect one of these pillars in favor of another."
The Verizon study urges merchants to think beyond technology and consider processes and policies when establishing a more secure environment. Compliance should not be treated as an annual fire drill, Reynolds said. A sustainable compliance program requires leadership that can establish a business culture to support risk management, he said.
PUBLISHED FEB. 11, 2014