In every arena, smart adversaries choose the path of least resistance. In data security, that path increasingly runs through third-party vendors and subcontractors. Sophisticated, determined attackers have done their homework on the easiest ways to get into organizations and exfiltrate data, cause business disruption or, in the case of attacks on SCADA and other industrial control systems, trigger physical incidents such as supply failures.
For Target, that meant that malware-laced emails opened by employees of Fazio Mechanical, a refrigeration and HVAC contractor with network access to Target, also opened the door to the retailer's corporate network. Once inside Target's systems, the attackers staged the operation by uploading malware that harvested payment card data from a handful of registers. After confirming that it worked, they pushed the malware to hundreds of point-of-sale devices.
The attack exposed the records of nearly 110 million customers, including names, mailing addresses, phone numbers and payment card details. While the investigation continues, the breach is estimated to cost Target up to $420 million.
Security questions to ask every third-party vendor
These kinds of third-party threats, while on the rise, have been widely overlooked. At first, that was due to lack of awareness. The Fazio effect should have solved that issue by now. The next step is to adopt greater vigilance about the security practices of third-party partners.
For example, a company shopping for a cloud service provider (CSP) should, given modern security concerns, ask several critical questions before signing a service level agreement (SLA). In particular, it should question the CSP about its technical controls on three levels:
1. Application-layer controls, which address whether the provider's applications are securely developed and tested;
2. Data-layer controls, where encryption is often the last line of defense; and
3. Access controls for both the CSP's own staff and the client user base, which address privileged use and the strength and consistency of access control.
Some of the questions that may fall under these technical controls include:
1. Is multi-factor authentication used?
2. What kinds of firewalls and anti-virus solutions are in place?
3. What are the encryption standards used for both data in transit and data at rest?
4. Has there ever been a significant cyber breach in the past?
5. If so, what was the cause?
6. What has been done to prevent similar events from happening again?
7. What type of vetting is done on new hires? When somebody is fired, what is done to ensure access paths and/or credentials are revoked?
8. Who and how many employees will have access to my data?
9. What types of physical security policies are in place at this location, in addition to the various sensors and controls such as fences, alarms, intrusion detection systems, and cameras?
10. To what extent are changes made to my account logged and audited?
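Question 7 can be verified rather than merely asked: reconcile the vendor's HR roster against the accounts that are still active on each of its systems, and flag anything that has outlived its owner. The script below is an added example, not code from the article or from any vendor it discusses; the roster, the account list, the system names and the one-day revocation grace period are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): a vendor's HR roster and the
# accounts still active on three of its systems, as exported for a review.
HR_ROSTER = [
    {"employee_id": "E100", "name": "A. Rivera", "status": "active", "terminated": None},
    {"employee_id": "E101", "name": "B. Chen", "status": "terminated", "terminated": date(2024, 3, 1)},
    {"employee_id": "E102", "name": "C. Okafor", "status": "terminated", "terminated": date(2024, 5, 20)},
]

ACTIVE_ACCOUNTS = [
    {"system": "vpn", "username": "arivera", "employee_id": "E100"},
    {"system": "vpn", "username": "bchen", "employee_id": "E101"},            # owner left in March
    {"system": "ssh-bastion", "username": "cokafor", "employee_id": "E102"},  # owner left in May
    {"system": "admin-portal", "username": "svc-backup", "employee_id": None},  # no owner recorded
    {"system": "admin-portal", "username": "jdoe", "employee_id": "E999"},      # id unknown to HR
]

# Date the review is run against (assumed).
AS_OF = date(2024, 6, 1)


def find_stale_access(roster, accounts, as_of, grace_days=1):
    """Return one finding per active account that should no longer be active.

    Three cases are flagged:
      - the owner is marked terminated in HR and the account has outlived the
        revocation grace period (days_overdue says by how much);
      - the account has no recorded owner (an orphaned shared or service account);
      - the account references an employee_id that HR has no record of.
    """
    by_id = {e["employee_id"]: e for e in roster}
    findings = []
    for acct in accounts:
        owner_id = acct.get("employee_id")
        if owner_id is None:
            findings.append({**acct, "reason": "no owner on record", "days_overdue": None})
            continue
        owner = by_id.get(owner_id)
        if owner is None:
            findings.append({**acct, "reason": "owner unknown to HR", "days_overdue": None})
            continue
        if owner["status"] == "terminated":
            days_since = (as_of - owner["terminated"]).days
            if days_since > grace_days:
                findings.append({
                    **acct,
                    "reason": f"owner terminated on {owner['terminated']}",
                    "days_overdue": days_since - grace_days,
                })
    return findings


def summarize(findings):
    """Count findings per system so the worst-offending system stands out."""
    counts = {}
    for f in findings:
        counts[f["system"]] = counts.get(f["system"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_stale_access(HR_ROSTER, ACTIVE_ACCOUNTS, AS_OF)
    for f in results:
        overdue = "" if f["days_overdue"] is None else f" ({f['days_overdue']} days overdue)"
        print(f"{f['system']:<13} {f['username']:<12} {f['reason']}{overdue}")
    print("findings per system:", summarize(results))
```

The same reconciliation works against real exports (an HR feed, a directory dump, an `authorized_keys` inventory); the point is that terminated owners, ownerless accounts and unknown owner IDs are three distinct failure modes, and a vendor that cannot produce the two inputs cannot credibly answer the question.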
When subcontractors send malicious messages
The questions above should help companies guard against breaches that occur through a partner's negligence. But what about subcontractors and other third parties that attack deliberately? That was the case with Khosrow Zarefarid, a subcontractor working for three major banks in the Middle East.