Target's disclosure that credentials stolen from a vendor were used to break into its network and steal 40 million credit- and debit-card numbers highlights the fact that a company's security is only as strong as the weakest link in its supply chain.
No matter how strong Target's internal security was, if the breach started with a third-party vendor, then the weakness was in how the retailer managed the security risk all large companies face when partners and suppliers interact with their networks, experts say.
[ InfoWorld's Paul Venezia demands big fines for big breaches -- it's the only way to stop shoddy security. | Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
"Hackers have reached a new level of mastery and companies are really struggling," Torsten George, vice president of marketing and products at risk management vendor Agiliance, said. "They're putting a lot of effort in protecting their own networks, but how do you really go after your suppliers and vendors? How do you assess the risk in doing business with them?"
Many companies will send out questionnaires to new suppliers to get a description of the security of the systems that will be used to conduct business. The questionnaires will also cover the suppliers' security processes, including regular audits and penetration testing.
In addition, some companies will require some type of certification that suppliers' systems are secure and may even use a third-party for penetration testing.
Unfortunately, the security check often happens only once.
"A lot of times, for the most part, that's where it ends. So, it's kind of a one-point-in-time type of view and they never look at it again," said Stephen Boyer, chief technology officer for BitSight Technologies, which measures companies' security effectiveness.
That kind of approach to supply chain security is changing, led by the financial services industry. Besides sending questionnaires out regularly, banks are hiring consultants to conduct security audits or hiring companies to monitor suppliers' systems for unusual traffic, experts say.
Outside of the banking industry, companies are becoming more aware of the importance of third-party risk management as they increasingly integrate their systems with cloud services, Renee Murphy, analyst for Forrester Research, said.
"The cloud made everybody think a little differently about their third parties, because that integration to that particular third party is drastic," Murphy said. "That made them rethink everything else that they were doing and now they're taking the whole thing a lot more seriously."
Beyond confirming the credential theft, Target provided no other details on how the information was stolen or which portal the hackers used to enter the retailer's network and eventually install malware in the company's electronic cash registers, called point-of-sale systems.
The blog KrebsonSecurity reported Tuesday that the hackers might have entered Target's network by breaking into an IT management software suite made by BMC Software. From there, the hackers might have moved laterally through the corporate network, eventually finding their way to the POS systems.
BMC has denied that its software was used in the break-in.
The hackers also managed to infect another system and steal personal data, such as email addresses and phone numbers, for 70 million people before Target shut down the breach Dec. 15, almost three weeks after the hackers planted malware in the POS systems.
The integration of so much technology in a large corporation makes it nearly impossible to plug every hole, Murphy said.
"The interconnectivity of this stuff makes it so supremely difficult to find (the vulnerability)," Murphy said.
So, a good risk management strategy would identify the most valuable information in an organization and regularly check the security in every system that could be used to gain access to that data, she said.