November 07, 2014 // Ellen Neveux | Last Updated: November 17, 2020
By Jeff Swearingen, Co-founder and CEO of SecureLink
It’s 10 a.m. Do you know where your logins are?
In a not-surprising announcement yesterday, Home Depot reported: “Criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network.”
In addition to the previously published loss of 56 million credit cards, the thieves also helped themselves to 53 million email addresses. Phishing season opened early this year.
The same attack vector was used in the Target data breach, where credentials granted to an HVAC company were compromised, resulting in the loss of 40 million credit cards.
Why does this keep happening? Because of technical support’s dirty little secret. Read this article I published 11 years ago on how vendors connect to your network to deliver remote support.
In both the Home Depot and Target data breaches, the bad guys apparently stole VPN credentials, paired with an administrative credential on the server running the vendor’s software. With network access and an elevated credential, it was only a matter of time before the thieves moved laterally through the network to get to the payload.
Over the last 11+ years, I’ve been in hundreds of software support centers. It was an accident, but I saw your logins. They’re written on sticky notes stuck to the side of monitors. They’re stored in clear text in Word documents circulated around the support center. They’re clearly visible in the vendor’s CRM system. Vendors aren’t bad people, they just play fast and loose with your credentials in order to meet the service level agreement (SLA) you asked them for.
Earlier this year, I published five golden rules for managing third-party remote vendor access.
Successful exploits attract more thieves probing for soft spots in your network. Exploiting third-party remote access has been successful at Jimmy John’s, Dairy Queen, Goodwill, Target, Home Depot and likely others.
If you’ve got third-party vendors supporting your software environment, I would strongly urge you to ask the question: “where are my logins?”