Today we learned that the Target data breach may have started when hackers used stolen vendor credentials to access a Target web site or application. The application and vendor are not known at this point, but there are some lessons we can learn from this breach:
- Be sure that your vendor applications do not have fixed administrative passwords or backdoor passwords. Talk to your vendors and get their responses in writing. Don’t deploy any vendor solution that has fixed passwords that can’t be changed.
- Change any default passwords on installation of vendor solutions.
- Use strong passwords and regularly change them.
- Use Dual Control and Separation of Duties for any highly privileged users such as system and security administrators.
- Add additional security methods to protect against this type of attack (read on).
Is there anything we can do to mitigate this type of attack?
Yes, the use of Two Factor Authentication (sometimes called Multi Factor Authentication) can go a long way towards preventing this type of attack. We know that passwords alone are a poor means of authenticating a user and providing protected access to applications. Passwords are easily guessed, are often very weak, and can be stolen from our systems or from a third-party system. Two Factor Authentication (2FA) makes it difficult to use a stolen password to access a sensitive system.
How does Two Factor Authentication work?
Two Factor Authentication adds something new to your authentication process. In addition to providing a password (something you know) to access a system, you must also authenticate with something you have (such as a mobile phone or hardware token) or something you are (fingerprint or iris scan). By adding an additional authentication method that is not readily accessible to a hacker, you get much more security.
Mobile phones are ubiquitous and have become a common way to implement 2FA. After providing a password to a web site or application, a PIN code is sent to your phone via an SMS text message or voice phone call. You have to provide the correct PIN code in order to continue. This is the method that Google and Yahoo offer, and is a common feature in on-line banking web sites. A hacker may steal password credentials, but it is much harder to take control of your phone.
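To make the mechanism concrete, here is an added example (not code from the original post, and not part of Townsend's Alliance product) of the server side of the SMS/voice PIN flow described above: the password is checked as the first factor, a random PIN is generated and handed to an assumed delivery hook, only a salted hash of the PIN is stored, and the PIN is accepted once, within a short validity window, with a cap on wrong guesses. The user store, salt and `send` callback are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

PIN_LENGTH = 6
PIN_TTL_SECONDS = 300   # a delivered PIN is only valid for five minutes
MAX_ATTEMPTS = 3        # lock the challenge after three wrong guesses


# --- First factor: something you know ---------------------------------------
def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo user store: username -> (salt, PBKDF2 hash). A fixed salt is
# used only so the demo is reproducible; real systems use a random per-user salt.
_DEMO_SALT = b"demo-salt-not-for-production"
USERS = {"vendor_svc": (_DEMO_SALT, _pw_hash("correct horse", _DEMO_SALT))}

def first_factor(username, password):
    """True only if the password matches; comparison is constant-time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_pw_hash(password, salt), stored)


# --- Second factor: something you have (the phone the PIN is sent to) -------
def _hash_pin(pin, salt):
    return hashlib.sha256(salt + pin.encode()).digest()

class SecondFactorChallenge:
    """Server-side state for one PIN challenge. Only a salted hash of the PIN is
    kept, so a copy of this record does not reveal the PIN that is in flight."""
    def __init__(self, user, pin, now):
        self.user = user
        self.salt = secrets.token_bytes(16)
        self.pin_hash = _hash_pin(pin, self.salt)
        self.expires_at = now + PIN_TTL_SECONDS
        self.attempts = 0
        self.used = False

def issue_challenge(user, send, now=None):
    """Called after the first factor succeeds. `send(user, pin)` is an assumed
    hook for the SMS/voice gateway; the PIN itself is never returned."""
    now = time.time() if now is None else now
    pin = "".join(str(secrets.randbelow(10)) for _ in range(PIN_LENGTH))  # CSPRNG digits
    challenge = SecondFactorChallenge(user, pin, now)
    send(user, pin)
    return challenge

def verify_challenge(challenge, submitted, now=None):
    """True once, for the right PIN, before expiry and before the attempt cap."""
    now = time.time() if now is None else now
    if challenge.used or challenge.attempts >= MAX_ATTEMPTS:
        return False          # replayed, or already locked out
    if now > challenge.expires_at:
        return False          # stale PIN
    challenge.attempts += 1   # count every guess, right or wrong
    if not hmac.compare_digest(_hash_pin(submitted, challenge.salt), challenge.pin_hash):
        return False
    challenge.used = True     # single use: the same PIN cannot log in twice
    return True


if __name__ == "__main__":
    outbox = {}
    if first_factor("vendor_svc", "correct horse"):
        ch = issue_challenge("vendor_svc", lambda u, p: outbox.__setitem__(u, p))
        # In real life only the phone sees outbox[...]; here we read it back.
        print("second factor accepted:", verify_challenge(ch, outbox["vendor_svc"]))
        print("replay accepted:", verify_challenge(ch, outbox["vendor_svc"]))
```

The point of the design is in `verify_challenge`: a stolen password gets an attacker to `issue_challenge`, but the PIN goes only to the registered phone, expires quickly, counts every guess, and works once.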
Recognizing the need for better access security, we recently released our new Alliance Two Factor Authentication solution for the IBM i platform. It is intended to mitigate exactly this type of attack using mobile-based 2FA.