CyberTruth asked Boatner Blankenstein, Sr., director of solutions engineering at enterprise software vendor Bomgar; Jeff Swearingen, CEO of SecureLink; and Dr. Lance Larson, information systems professor at San Diego State University, to outline the implications.
CT: Is it surprising that an HVAC vendor had credentials that could get someone into Target's point-of-sale systems?
Swearingen: It's surprising but understandable. A large data center environment may have thousands of applications that work together, so enabling access to one application server may accidentally open a door to another.
Larson: Access control and environmental monitoring systems now routinely integrate air conditioning, door access control systems, and fire and police alarm systems into one so-called smart system.
CT: What are other examples of this sort of access routinely given to partners and contractors?
Blankenstein: Software manufacturers that support their applications need access. This could include vendors who sell time card systems, multi-function printers and copiers, or medical records software. A big retailer needs vendors to regularly monitor, patch and update their software.
Swearingen: Software vendors, contractors and other third parties are frequently given access to privileged, or administrative, accounts. This type of access is very different from the access you give to your employees, but all too frequently it is managed the same way. Your employee can view a sales report. Your vendor can copy a database.
CT: Will companies have to tighten down?
Blankenstein: There are things companies should do to prevent this type of event. Require vendors to use a remote access solution that limits access to individual applications or servers, rather than giving them open VPN access. Use two-factor authentication to access your network. And capture a secure audit trail of any activity that vendor conducts.
Larson: Network segmentation would only give network users access to the network areas they need to do their job. And least-privileged access is the understanding that a network administrator only gives a user the permissions required to do their job.
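The controls the three experts describe in the last two answers (confining a vendor to specific servers and services, requiring two-factor authentication, and keeping an audit trail of everything the vendor does) can be expressed as a small policy check run over remote-access log records. The code below is an added illustration and is not from the article, from Bomgar, SecureLink or the interviewees; the vendor names, network segments, ports and log format are constructed for the example.

```python
"""Hypothetical least-privilege check for third-party remote access.

Each vendor gets a scope: the network segments it may reach (segmentation),
the services it may use on them (least privilege) and whether multi-factor
authentication is mandatory. Every access decision is written to an audit
trail so a reviewer can see what the vendor actually did.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class VendorScope:
    """Per-vendor access policy (names and values are constructed)."""
    allowed_segments: tuple     # CIDR strings the vendor may reach
    allowed_ports: frozenset    # TCP ports permitted inside those segments
    require_mfa: bool = True    # two-factor authentication mandatory


# Constructed policy table: the HVAC vendor is confined to the building-control
# segment, and only a separate support vendor may reach the POS segment.
POLICY = {
    "hvac-vendor": VendorScope(("10.20.0.0/24",), frozenset({443, 502})),
    "pos-support": VendorScope(("10.50.0.0/24",), frozenset({22, 8443})),
}

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-01-15T02:10:05Z vendor=hvac-vendor mfa=yes dst=10.20.0.15:443
2024-01-15T02:11:40Z vendor=hvac-vendor mfa=yes dst=10.50.0.8:8443
2024-01-15T02:12:02Z vendor=hvac-vendor mfa=no dst=10.20.0.15:443
2024-01-15T02:13:19Z vendor=pos-support mfa=yes dst=10.50.0.8:22
2024-01-15T02:14:00Z vendor=unknown-co mfa=yes dst=10.50.0.8:22
"""


def parse_line(line):
    """Split one log line into (timestamp, vendor, mfa_used, dst_ip, dst_port)."""
    ts, *kvs = line.split()
    kv = dict(item.split("=", 1) for item in kvs)
    host, port = kv["dst"].rsplit(":", 1)
    return ts, kv["vendor"], kv["mfa"] == "yes", ipaddress.ip_address(host), int(port)


def evaluate(line, policy=POLICY):
    """Return 'allow' or a denial reason for one access attempt."""
    _, vendor, mfa_used, ip, port = parse_line(line)
    scope = policy.get(vendor)
    if scope is None:
        return "deny: unknown vendor"          # no scope means no access at all
    if scope.require_mfa and not mfa_used:
        return "deny: mfa required"            # password alone is not enough
    if not any(ip in ipaddress.ip_network(seg) for seg in scope.allowed_segments):
        return "deny: outside permitted segment"   # segmentation boundary
    if port not in scope.allowed_ports:
        return "deny: service not permitted"   # least privilege within the segment
    return "allow"


def audit(log_text, policy=POLICY):
    """Evaluate every log line and return the audit trail, one record per access."""
    trail = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, vendor, mfa_used, ip, port = parse_line(line)
        trail.append({
            "ts": ts,
            "vendor": vendor,
            "mfa": mfa_used,
            "dst": f"{ip}:{port}",
            "verdict": evaluate(line, policy),
        })
    return trail


if __name__ == "__main__":
    for record in audit(SAMPLE_LOG):
        print(record)
```

Run against the constructed log, the HVAC vendor's reach into the POS segment is denied at the segmentation boundary, its session without a second factor is refused before any network check is made, and a vendor with no defined scope gets nothing. The point of the trail is that the denied attempts are recorded alongside the allowed ones, which is what makes a later review of a contractor's activity possible.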