Exploiters Target Third Parties to Gain Access to Big Company Data

The risks associated with security breaches are an issue all organizations have to take seriously these days. As data processing and storage are steadily converted to electronic systems, the risks related to accidental data exposure or digital theft increase. As with any other type of crime, hackers are going to go where the lucrative payouts will be.

These days cybercriminals are getting savvier in their schemes to steal data, and businesses increasingly have to try to stay ahead of them. The problem is, what happens when the bad guys come up with unique ways to infiltrate and exploit the businesses' systems? Cybercriminals aren't necessarily going in for the direct exploit. One technique they are using is targeting third parties to gain access to a company's primary system. And they do this in a variety of ways, making it harder for businesses to keep ahead.

Target Data Breach

Perhaps one of the most well-known and recent examples of this trend is the massive Target breach that occurred towards the end of 2013 during the busiest shopping time of the year. More than 110 million consumers were affected. In March 2014, the U.S. Senate determined there were a number of issues that led to the huge breach of data security that occurred for several weeks, according to CBS News. However, one of the causes was a vulnerability in the system of one of Target's partnering vendors.

Target store
Credit: Leigh Goessl

Krebs On Security reported in Feb. 2014 that the hackers were able to infiltrate Target's system by sending a "malware-laced email phishing attack" to employees at Fazio Mechanical, the HVAC company that worked with the retail giant. The hackers allegedly began victimizing Fazio Mechanical months before they turned their attention to Target. It seems Target's vendors were not completely isolated from the retailer's other systems, nor did they have two-factor authentication set up. As a result, hackers were able to successfully exploit the company's POS system. Additionally, Fazio Mechanical reportedly did not have real-time software protection, instead relying on a free version designed for individual consumers.

All of these issues, along with other events, seem to be contributors to what is now one of the biggest data breaches in history.

Sneaking in Through a Takeout Menu

In April 2014, the New York Times published a report about another sneaky method hackers employed to gain access to sensitive data. Reportedly, the hackers were not able to successfully break into the computer systems of a large oil company in California, so instead they used a different method to gain access. What the cybercriminals did was infect the menu of a local Chinese restaurant that many of the company's employees frequented. Any time an employee opened the menu online, they unknowingly downloaded malicious code. Once this code was on company machines, the hackers had the access they sought. Not exactly the most common way to exploit.

Credit Card Theft
Credit: Don Hankins/Creative Commons-Attribution http://commons.wikimedia.org/wiki/File:Credit_card_theft.jpg

Other 'Back Door' Methods

These days businesses have to be far more vigilant as hackers up the ante and find other unusual methods to swipe valuable data. According to the New York Times' report, information security experts are having to look "in the unlikeliest of places" to find vulnerabilities.

"We constantly run into situations where outside service providers connected remotely have the keys to the castle," said Vincent Berk, chief executive of FlowTraq, a network security firm, according to the New York Times report.

Other less conventional methods include hacking printers, vending machines, videoconferencing equipment and thermostats. Third-party vendors running these systems have access so they can update or, in the case of vending machines, restock as necessary. This leaves businesses vulnerable if they aren't thinking outside the proverbial box and looking at other potential security holes.

In 2013, 450 data breaches were analyzed by Trustwave, a security firm, and it was found that about two-thirds were related to third-party IT providers, according to Dark Reading.

As Microsoft cut off support for its popular Windows XP operating system in April 2014, many feared vendors would be at even further risk, since many organizations still run on, and/or are dependent upon, the 13-year-old operating system for a number of reasons.

An Ongoing Issue

This trend continues. In October 2014, online services Dropbox and Snapchat also were exploited due to third-party access. Dropbox says it was not hacked.

"These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts," according to Business Insider.

In all, about 7 million passwords were stolen from the service. In the Snapchat incident, the company itself was not hacked, but the servers of a third-party app were. This app was designed to save photos uploaded by users.

In all, dozens of major compromises took place in 2014. A number of them did not involve third-party compromises but were direct attacks, indicating a much greater need for attention to information security.

No Room for Complacency

Today's businesses cannot simply rely on basic security approaches. To keep data safe, a number of mechanisms are likely needed. Unfortunately, many managerial decision-makers still hold an "it can't happen to us" mentality, believe they aren't vulnerable, and do not allocate enough money towards heightened security. Information security doesn't drive revenue, unlike marketing and sales, but these days it is just as important an investment.

As evidenced by the evolving trend of hacking, combined with an increased level of corporate partnerships and dependencies, no company, large or small, is immune to a data breach. These days businesses need to include information security as a major part of their budgets. No longer can this process be viewed with a complacent attitude.