Insecure Connections: Enterprises hacked after neglecting third-party risks
By George V. Hulme, CSO | July 28th, 2014
It is said that an enterprise is only as secure as its weakest link. Today, that weak link often turns out to be partners, suppliers, and others with persistent network and application access.
These weak links have certainly placed third-party security into the spotlight. As we’ve seen this year, multiple breaches have been the direct result of security lapses at partners and third-party suppliers or vendors. Most notably, the Target breach was reportedly the result of a compromised contractor. While Target Corp. was the most visible, it certainly wasn’t the only breach this year involving the IT supply chain.
This spring, business research firm Deltek warned customers that it had faced a breach where the attacker gained access login credentials including, perhaps, the credit card information of 25,000 users. Also this spring, Houston-based offshore contract driller Rowan Companies reported that they detected that their systems were breached and that that breach affected information not only about its employees, but also vendors and contractors.
And so it goes, over and over — enterprise data is placed at significant risk through the security slips of trusted partners.
Yet, concern for third-party security dips
You wouldn’t think there was much to these third-party security risks when looking at the data within our 2014 U.S. State of Cybercrime Survey, which found third-party security slipping. The U.S. State of Cybercrime Survey is an annual survey by CSO Magazine with help from the U.S. Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PwC. This survey is based on 500 US executives, security experts, and others from the private and public sectors.
The survey found fewer organizations — 44 percent this year compared to 54 percent last year — are bothering to put in the effort to vet the security of third party providers and others in their IT supply chain.
Interestingly, despite the steady news of third-party security breaches, roughly 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks. Even supply-chain partners are not secured. A startling 92 percent of enterprises don’t have any supply chain risk management abilities in place. “Indeed, criminals have found that third-party partners may provide relatively easy access to confidential data. It’s an indirect path to criminal profit that is increasingly successful because most organizations make no effort to assess the cybersecurity practices of their partners and supply chains,” the report concluded.
That will only grow increasingly true as more data and more systems are connected. Jay Jacobs, vice president at the Society of Information Risk Analysts would agree. “What we are seeing speaks to the weakest link in the security chain,” says Jacobs. “The attackers don’t have to attack anyone directly. Many times they really aren’t even targeting any specific victim, they’re targeting any organization with anything of value. And when they find a weakness they will exploit it in an opportunistic way, and that can easily include attacking partners.”
An ounce of due-diligence goes far
Not all enterprises can afford to be so nonchalant when it comes to third-party risks, especially those that work in heavily regulated industries such as healthcare, payment processing, financial services, and others.
“You absolutely have to look at the security of your third party partners,” says Eric Cowperthwaite, former system director, enterprise security risk management and CISO at Providence Health and Services. “You don’t have to look at everyone at first, but you have to at least start with looking at those partners who could create the most risk for your organization.
“When trying to determine whether they were a high or a low risk, one of the primary tools we used was a really simple questionnaire that asked a set of questions that we thought were important things that would indicate a mature program was in place, such as having a designated security officer, a corporate security policy. Did they install antivirus on their computers?” says Cowperthwaite. Should the vendor fail any of those questions, then they’d earn themselves a much more thorough vetting, he explains.
Beyond questionnaires, the next step CISOs can take is to implement security controls to ensure more secure access to protected systems: does the vendor employ strong, two-factor authentication, do they monitor and log user activity, and encrypt their network traffic.
PCI DSS sets sights on third-party risks
The Payment Card Industry Data Security Council is taking steps to bolster third-party security. In the most recent version of the PCI Data Security Standard (PCI DSS), new requirements were added that aim to reduce third-party payment card risks from outsourced providers, including having security requirements detailed in contractual agreements between businesses that accept credit card payments that rely on outsourced payment processing.
Additionally, the PCI council’s Third Party Security Assurance SIG is currently finalizing an information supplement, Third Party Security Assurance. However, the supplement, already past due for release, is now scheduled to be released sometime this quarter.