Both of those issues need to be addressed, but what really concerns me is that vendors have been allowed to download the VPN client and use it to connect to our network. Vendors are supposed to be restricted to a clientless VPN portal with links to needed applications. That keeps vendors' PCs off our network — PCs whose integrity we can't vouch for. But any PC using the VPN client is configured as a node on our network, just as if it were plugged into an Ethernet port in our office. That, of course, ups the chances that hackers can propagate malware or take advantage of an exploit and gain unauthorized access to our network.
To mitigate this issue, I've been pushing for the deployment of machine certificates to all company-owned PCs. No certificate, no remote access to our network.
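As an added illustration (not from the original column), here is the "no certificate, no remote access" gate modelled with openssl: a throwaway internal CA and one machine certificate are constructed inline, a self-signed certificate stands in for a vendor PC, and the admit function accepts only a certificate that chains to the corporate CA with the client-authentication purpose. The CA name, hostnames and file paths are assumptions.

```shell
#!/bin/sh
# Added example: model the "no certificate, no remote access" check with openssl.
# All names below are constructed for the demo; the gateway logic is vpn_admit().
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed internal CA (hypothetical name "Example Corp Device CA").
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 \
  -subj "/CN=Example Corp Device CA" 2>/dev/null

# 2. Machine certificate for a company-owned laptop, issued by that CA with
#    the clientAuth extended key usage a VPN gateway expects.
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/laptop.key" -out "$WORK/laptop.csr" \
  -subj "/CN=LAPTOP-0042" 2>/dev/null
printf 'extendedKeyUsage=clientAuth\n' > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/laptop.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" \
  -out "$WORK/laptop.crt" 2>/dev/null

# 3. A self-signed certificate such as an unmanaged vendor PC might present:
#    syntactically valid, but not issued by the corporate CA.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/vendor.key" -out "$WORK/vendor.crt" -days 365 \
  -subj "/CN=VENDOR-PC" 2>/dev/null

# vpn_admit CERTFILE: return 0 (allow) only when a certificate is present,
# chains to the corporate CA, is within its validity period, and is usable
# for client authentication. Everything else is denied.
vpn_admit() {
  [ -s "$1" ] || { echo "deny: no machine certificate presented"; return 1; }
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1 \
    || { echo "deny: $1 does not chain to the corporate CA"; return 1; }
  echo "allow: $(openssl x509 -noout -subject -in "$1")"
}

vpn_admit "$WORK/laptop.crt"        # allow: company-owned, CA-issued
vpn_admit "$WORK/vendor.crt" || true  # deny: not issued by our CA
vpn_admit "$WORK/missing.crt" || true # deny: no certificate at all
```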
There is some work to be done to tighten this process, but now, thanks to Target's pain, I have the perfect war story to gain traction for my plans.