Are your third-party vendors leaving the door open to hackers?
by Armond Caglar - Senior Threat Specialist, TSC Advantage - Friday, 20 June 2014.
By now, every security professional in the world should know the story about Fazio Mechanical Services. The Pennsylvania-based company specializes in heating, air conditioning and refrigeration services, and numerous large companies, including Target, trusted Fazio for its HVAC expertise. Fazioís level of security expertise, however, was another matter. Its reliance on a free version of a malware detection tool, plus its access to Targetís external billing system and online project management portals, plus a savvy attacker added up in 2013 to the fourth largest data breach of all time.

In every arena, smart enemies choose the path of least resistance. In the data security realm, that path increasingly goes through third-party vendors and subcontractors. Sophisticated, determined hackers have done their homework on the best and easiest ways to attack organizations and exfiltrate data, cause business disruption, or in the case of SCADA attacks, spark catastrophic incidents, such as failure of supply events.

For Target, that meant that malware-laced emails opened by Fazio employees also opened the door to the corporate giantís network. Once hackers were into Targetís system, they prepared for attack by uploading malicious software to collect payment card information within a few registers. Once they confirmed that the malware performed properly, they infected hundreds of point-of-sale devices with malware.

The attack resulted in the exposure of nearly 110 million customers and their names, mailing addresses, phone numbers and credit card information. While the investigation continues, it is estimated that the damage of this data breach could cost Target up to $420 million.

Security questions to ask every third-party vendor

These kinds of third-party threats, while on the rise, have been widely overlooked. At first, that was due to lack of awareness. The Fazio effect should have solved that issue by now. The next step is to adopt greater vigilance about the security practices of third-party partners.

For example, if companies are shopping for a cloud service provider (CSP), modern security concerns should compel them to ask several critical questions before signing a service level agreement (SLA). In particular, they should question the CSP about their technical controls on three levels:

1. Application layer controls, which address whether apps are well written;

2. Data layer controls, where the last line of defense is often encryption; and

3. Access controls for the CSP and the client user-base, which addresses concerns regarding privileged use and access control strength/consistency.

Some of the questions that may fall under these technical controls include:

1. Is multi-factor authentication used?

2. What kinds of firewalls and anti-virus solutions are in place?

3. What are the encryption standards used for both data in transit and data at rest?

4. Has there ever been a significant cyber breach in the past?

5. If so, what was the cause?

6. What has been done to prevent similar events from happening again?

7. What type of vetting is done on new hires? When somebody is fired, what is done to ensure access paths and/or credentials are revoked?

8. Who and how many employees will have access to my data?

9. What types of physical security policies are in place at this location, in addition to the various sensors and controls such as fences, alarms, intrusion detection systems, and cameras?

10. To what extent is auditing performed on my account if changes are made?

When subcontractors send malicious messages

The above questions should help companies stay vigilant against accidental breaches via partners. But what about subcontractors and other third parties that purposefully attack? That was the case with Khosrow Zarefarid, a subcontractor working for three major banks in the Middle East.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th