It’s impossible for any organization to work alone. No enterprise controls every aspect of its operations, so partners and suppliers are needed to survive.
But a security blogger says a heating, ventilation and air conditioning (HVAC) company is partly the reason why hackers were able to break into retailer Target Brands Inc.’s point of sales system.
How? The HVAC maintenance company had access to Target’s network to do remote monitoring of energy consumption and temperatures. The hackers reportedly stole a username and password from the maintenance firm.
The report was first carried by the Web site Krebs on Security by author Brian Krebs and expanded on by Computerworld U.S.
As Krebs points out, it’s not clear why the environmental system could link to Target’s payment system. But if the report is true it’s a prime warning to IT managers that certain parts of any network – and it won’t take much imagination to figure out which ones: Those dealing with personal information and finance — have to be segregated from the rest.
Outside suppliers and partners will for valid reasons want to have access to certain network elements from time to time. That can’t be stopped. But best practices in almost any industry should mandate network segregation.
Meanwhile the Washington Post reported that on Wednesday officials from Target and Neimen Marcus, which was also hit by hackers, told a U.S. congressional hearing they didn’t know exactly how their companies were victimized. Both companies insisted the attacks were very sophisticated.