More information has been trickling out regarding the massive Target PCI breach that took place during the 2013 Christmas shopping season. Forensic researchers first learned that hackers penetrated Target’s network by means of a business transaction portal. It appears that Fazio Mechanical Services was the source. Fazio is a Pittsburgh-area nationwide mechanical contractor that services many large retailers. Now more details are emerging about the mechanism hackers used to infect the HVAC contractor. There are serious lessons here that businesses of all sizes need to learn. It’s safe to say the face of PCI compliance will forever be changed as a result of the findings.
According to security blogger Brian Krebs, a computer at the offices of Fazio Mechanical may have been infected by a simple ZeuS password-stealing trojan. Krebs writes:
Sources said the malware in question was Citadel – a password-stealing bot program that is a derivative of the ZeuS banking trojan — but that information could not be confirmed. Through a PR firm, Fazio declined to answer direct questions for this story, and Target has declined to comment, citing an active investigation.
For education purposes, a “trojan” is a bit of malicious software (a.k.a. “malware”) unintentionally installed on a user’s PC. This is usually accomplished by opening a maliciously-crafted email or by visiting an infected website. The malware installation is often helped along by the exploitation of unpatched (poorly maintained) software programs on the targeted PC. The term “trojan” harkens back to the tale of the subterfuge used by Greeks to enter the city of Troy and win their conflict. After a fruitless 10 year siege, the Greeks constructed a large wooden horse and hid select soldiers inside. It was delivered as a gift to the Trojans while the Greeks appeared to leave the conflict. The apparent victory trophy was pulled into the city gates and, after dark, the soldiers spilled out to take the city from inside the gates. The term “Trojan Horse” thus refers to a trick used to inject malicious software into an environment via a seemingly innocent email message or software installation.
As Krebs notes, the firm issued a statement saying they were themselves victims of a “sophisticated cyber attack operation”, and further that “our IT system and security measures are in full compliance with industry practices.” Yeah… I don’t think so. Krebs notes that the contractor was relying on commonly available free software to scan for the malicious software. The tool in question is admittedly an excellent tool in the war against malware, though it is normally used as a response to malware, not a defense against it.
Krebs further details the attack, saying the infection likely occurred two months prior to the beginning of the breach. It would be safe to assume the hackers were busy combing through massive amounts of data from their infected victims, at some point realizing they had hit the jackpot. Unnamed sources say the hackers likely captured the logon to the Ariba invoicing portal at Target’s corporate office and began burrowing for additional vulnerabilities to exploit. One thing led to another and behold, they were intercepting the card swipes of every Target customer in the busiest shopping season of the year. It was an epic hack.
So what are the lessons to be learned? First of all, Fazio would no doubt be considered an “SMB” (or small to medium business) company. Many of our clients fit this bill. Fazio clearly didn’t have a sufficient matrix of countermeasures to prevent the original malware infection from occurring, let alone detect its presence after the fact. Relying on free software is bad for business. Target erred by failing to adequately segment their interaction with outside vendors from their cardholder data environment. It’s also likely they failed to patch all of their systems. Time will tell if this contributed to the hack.
The take-home message for every SMB is this: Always deploy a multi-pronged approach to cyber security. Our standard countermeasures include (but are not limited to) the following:
- Managed (i.e. monitored) antivirus software from a trusted vendor
- Managed hosted email security to prevent malicious messages from appearing in the mailbox to begin with
- Managed unified threat management (UTM) firewalls to scan incoming and outgoing traffic for anomalies
- Managed DNS-level filtering to buttress the efforts of the UTM firewall
- Managed automated software patches
- Managed content filtering to block access to personal email accounts (SMB’s should provide a guest wireless network so visitors and employees can check their personal email on an isolated network segment)
You’ll notice a common thread… we believe the breach was a failure of management. Decisions were made, funds were not spent, vendors were not vetted. The bottom line is that multitudes of people were inconvenienced and billions of dollars will be spent cleaning up a mess that started with a single infected email message. Better decisions and a more thorough managed IT services vendor could have prevented the whole mess from occurring. We do it every day for our TotalCare clients.