Three months after the massive Target attack, in which 110 million consumers’ credit card and personal data were stolen, we are finding out that company size is irrelevant in the data breach conversation. Consumer confidence, market presence, and brand recognition are absolutely critical to an organization’s bottom line: profitability. Since all three are critical elements of profitability, we must ask ourselves: what protections did Target have in place to safeguard “privileged” credentials? Privileged credentials are typically defined as Administrator, Root, DBAdmin, and the like. However, any user authenticated to Active Directory, directly or indirectly via an integrated application, should be considered a privileged user: privileged to authenticate to your network.
In this Krebs on Security article, a former member of Target’s security team, considered an expert on Target’s network, theorized the following:
“I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, and I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application”. Furthermore, the source states, “Most, if not almost all, internal applications at Target used Active Directory (AD) credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another.”
The simple answer is yes. Target absolutely had all of these “perimeter” type solutions in place within its enterprise. However, such perimeter solutions have a very difficult time addressing any weakness a trusted third-party organization may have within its own environment.
In the case of Target, Fazio Mechanical, based in Sharpsburg, PA, a provider of heating, air conditioning and refrigeration services to Target, should have been classified by Target as a privileged user of Target’s network. That classification should have resulted in Fazio’s Active Directory access to Target applications and data being analyzed for appropriate access and permissions within Active Directory and for what unstructured data on Target’s internal systems it should be able to reach, and in Fazio’s AD accounts being monitored to determine what horizontal movement, if any, they were performing and whether that movement fit an abnormal or a normal pattern.
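As an added example (not from the original article, and not STEALTHbits product code), the baseline-versus-current check described above, run over constructed logon records for a hypothetical vendor account: a learning period establishes which hosts and logon types the account normally uses, and later successful logons outside that profile are flagged as candidate horizontal movement. The account name, host names, addresses and the key=value event summaries are all assumptions.

```python
from collections import defaultdict

# Constructed sample log lines (not real Target data): key=value summaries of
# Windows Security event 4624 (successful logon) and 4625 (failed logon).
# Account and host names are assumptions for illustration.
BASELINE_LOG = """
EventID=4624 Account=vendor-hvac Source=10.9.1.20 Target=VENDOR-PORTAL LogonType=3
EventID=4624 Account=vendor-hvac Source=10.9.1.20 Target=VENDOR-PORTAL LogonType=3
EventID=4624 Account=vendor-hvac Source=10.9.1.21 Target=VENDOR-PORTAL LogonType=3
EventID=4624 Account=jdoe Source=10.1.2.3 Target=WS-0042 LogonType=2
""".strip().splitlines()

CURRENT_LOG = """
EventID=4624 Account=vendor-hvac Source=10.9.1.20 Target=VENDOR-PORTAL LogonType=3
EventID=4624 Account=vendor-hvac Source=10.9.1.20 Target=FILESRV-01 LogonType=3
EventID=4624 Account=vendor-hvac Source=10.9.1.20 Target=DC-01 LogonType=10
EventID=4625 Account=vendor-hvac Source=10.9.1.20 Target=DC-02 LogonType=3
EventID=4624 Account=jdoe Source=10.1.2.3 Target=WS-0042 LogonType=2
""".strip().splitlines()

def parse_event(line):
    """Turn one key=value line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def build_baseline(lines):
    """Per account, the set of (target host, logon type) pairs seen during the
    learning period. Only successful logons (4624) shape the normal pattern."""
    profile = defaultdict(set)
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "4624":
            profile[ev["Account"]].add((ev["Target"], ev["LogonType"]))
    return profile

def find_deviations(baseline, lines, watched_accounts):
    """Return successful logons by watched (third-party) accounts that reach a
    host or use a logon type absent from that account's baseline."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4624" or ev.get("Account") not in watched_accounts:
            continue
        pair = (ev["Target"], ev["LogonType"])
        if pair not in baseline.get(ev["Account"], set()):
            hits.append((ev["Account"], ev["Source"], ev["Target"], ev["LogonType"]))
    return hits
```

Against the constructed data the vendor account's usual portal logon passes, while the new file server target and the RemoteInteractive (type 10) logon to a domain controller are both reported.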
Learn About STEALTHbits’ Solutions
StealthAUDIT – Data Collection, Analysis, Remediation, and Reporting for Microsoft Infrastructure, Applications, and Beyond
StealthINTERCEPT – Real-time Monitoring and Control over Change and Access for Active Directory, Exchange, and File Systems