A wake-up call for retailers
Boatner Blankenstein, senior director of solutions engineering, Bomgar Corporation
Earlier this month, it was reported that Information Systems & Supplies Inc. (IS&S), a food service point-of-sale (POS) and security systems provider, notified customers of a remote access breach that may have exposed card data from POS transactions.
In a letter to customers, IS&S said a LogMeIn account used by the company to remotely support customers was breached, and they have reason to believe that the data accessed could include credit card information.
The article notes, “IS&S is an independent reseller of POS products sold by software vendor Future POS Inc. Future POS customers named on IS&S's site include restaurant chains such as Dairy Queen and TacoTime.”
The POS vendor's president went on to confirm that his company's remote access credentials were compromised, possibly through a phishing attack.
While IS&S should be commended for immediately notifying customers about the potential breach and also taking steps to improve remote access security, this breach is yet another wake-up call for retail and hospitality chains to evaluate their third-party vendors.
The circumstances of this event are similar to the massive Target data breach that occurred late last year, in which hackers compromised an HVAC vendor's credentials to initially infiltrate the big box retailer's network.
Both underscore the security risks associated with allowing third-party vendors to access your network.
This revelation isn't all that surprising given the numerous studies that have called out how often security gaps are introduced by third-party vendors. For example, 63 percent of the 450 data breaches studied in the “2013 Trustwave Global Security Report” were “linked to a third-party component of IT system administrators,” meaning a third party introduced security deficiencies easily exploited by hackers.
These third-party groups — including service providers, contractors and vendors — need access to corporate networks to conduct essential business and IT operations. However, this access should not be as simple as “on” or “off.” To protect against security threats, organizations must be in control of centralized vendor access pathways, allowing them to enforce access control policies and to monitor and record all third-party activity.
Even when an organization's vendors are utilizing modern remote access tools, central control over access remains essential.
Vendors will often use simple or shared login credentials with no multi-factor requirement, making them an easy target for hackers with keystroke loggers. Once hackers have valid credentials for the remote access system, they can pose as a legitimate support technician and potentially gain direct access to the remote system available to that account. From there, experienced cyber criminals often know how to use malware and other tactics to navigate from that individual system to the rest of the corporate network. This puts the entire company at risk of a major data breach, which can be catastrophic for a brand.
Consolidating and centralizing remote access pathways means blocking access from any unapproved tools once a company-owned solution has been chosen. This includes web-based remote access tools, which are commonly used by vendors looking for an inexpensive — but often unsecured — way to access corporate systems.
Companies should also require that every individual who accesses the network use unique credentials and two-factor authentication. This will not only make it difficult for a hacker to use stolen vendor credentials, but also improve compliance with government regulations concerning payment information and personal data.
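An added example, not part of the original article: one way to check recorded remote-access sessions against the three controls above (approved tool only, multi-factor on every session, no shared logins). The record fields, tool names, account names and sample sessions are constructed assumptions, not the format of any particular product.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Assumption: the single company-owned remote access solution.
APPROVED_TOOLS = {"corp-gateway"}

def _rec(account, tool, mfa, src, start, end):
    """Build one session record (hypothetical schema)."""
    return {"account": account, "tool": tool, "mfa": mfa, "src": src,
            "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end)}

# Constructed sample sessions; addresses are from documentation ranges.
SESSIONS = [
    _rec("vendor-a.jsmith", "corp-gateway", True, "198.51.100.10",
         "2014-06-02T09:00", "2014-06-02T09:40"),
    _rec("pos-support", "corp-gateway", False, "198.51.100.20",
         "2014-06-02T10:00", "2014-06-02T11:00"),
    _rec("pos-support", "corp-gateway", False, "203.0.113.7",
         "2014-06-02T10:30", "2014-06-02T10:45"),
    _rec("vendor-b.mlee", "web-remote-tool", True, "203.0.113.9",
         "2014-06-02T12:00", "2014-06-02T12:20"),
]

def audit(sessions, approved=APPROVED_TOOLS):
    """Return (finding, account, detail) tuples for policy violations."""
    findings = []
    by_account = defaultdict(list)
    for s in sessions:
        if s["tool"] not in approved:
            findings.append(("unapproved_tool", s["account"], s["tool"]))
        if not s["mfa"]:
            findings.append(("no_mfa", s["account"], s["src"]))
        by_account[s["account"]].append(s)
    # Shared-login heuristic: one account active from two different
    # source addresses during overlapping time windows.
    for account, group in by_account.items():
        for a, b in combinations(group, 2):
            overlap = a["start"] < b["end"] and b["start"] < a["end"]
            if overlap and a["src"] != b["src"]:
                detail = f'{a["src"]} / {b["src"]}'
                findings.append(("shared_credential", account, detail))
    return findings

if __name__ == "__main__":
    for finding in audit(SESSIONS):
        print(*finding, sep="\t")
```

The overlap check is a heuristic: concurrent use from two addresses indicates either a shared login or a stolen one, and both warrant follow-up.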
Of course, it's impossible to make any system entirely protected from a data breach, but companies must stop relying on vendors to protect their networks for them. By following the steps outlined above, organizations can take back control of their own security and reduce their risk of a data breach.