03-10-2014 12:28 PM
The security of third party vendor relationships is coming under increased scrutiny as the source of the Target breach has been identified as an HVAC service provider who had remote access into the Target network. While details are still scarce, it's clear that a connection used to allow access for billing can be all that's needed for an attacker to turn that innocuous entry into a data breach that is costing Target untold millions.
As businesses grow, they are forced to rely on third parties to provide services, which requires trust that the provider will protect their networks and data at the same or a greater level. Unfortunately, this is rarely the case. Security firm Trustwave analyzed 450 data breaches in 2013 and found that nearly two-thirds were related to third party IT providers.
With the increasing reliance on business-to-business connections, companies must protect themselves from the threats posed by allowing "trusted" third parties access to areas of their network. While a vendor can be trusted to provide the services they're committing to, it's a blind leap of faith to assume they will take the same precautions in protecting the information and the network access they're trusted with.
Businesses need to treat the vendors accessing their network as untrusted entities, put in the controls to protect themselves, and monitor all activity sourced from the vendors.
The following are tips that have come from my experience as a security consultant and countless conversations with companies who must allow access to third party vendors and the vendors themselves.
03-10-2014 06:14 PM
That Target scare made my dad change his credit card!
03-10-2014 06:37 PM
03-10-2014 10:08 PM
I was surprised when I called my credit card company the day after the Target attack hit the news, they already had identified and closed accounts that had been exposed - thought this was a very proactive stance.
06-24-2014 09:51 AM
The following is an update on how to protect against attacks via third party vendors.
Quote: Despite Target, Retailers Still Weak On Third-Party Security
By Sara Peters, posted 6/24/2014
A new survey from TripWire shows mixed results about retailers' security practices.
The big Target breach last year was actually the second stage of an attack that began by breaching the retail giant's third-party HVAC subcontractor (although the general public seems to forget that fact). This should have taught companies a lesson about the risks of letting business partners run pell-mell around one's network without paying any mind to their own security posture. However, according to new research from TripWire, at least one-quarter of retailers have not yet learned that lesson.
On one end of the spectrum, 12% of retailers who responded say they require third-party partners to pony up regular reports on vulnerability scans on their network and Web applications. On the other end of the spectrum, 26% said, "We don't evaluate the security of our business partners."
DarkReading, full article here: http://www.darkreading.com/despite-target-retailer
01-29-2016 03:23 PM - edited 01-29-2016 03:24 PM
The following article is an update on how to protect against attacks via 3rd party vendors.
By Darryl K. Taft | Posted 2016-01-29
What do many recent mega-breaches have in common? In most, hackers gained access to IT systems through a trusted third-party account, such as that of a vendor. A new Gartner report on remote privileged access for third parties finds that nearly 75 percent of enterprises are significantly exposed to a cyber-attack due to unsafe privileged access processes. Two of 2015's mega-breaches—of health insurer BCBS Excellus and the U.S. Office of Personnel Management—show that the damage from these events can be long-lasting. But what can be done? Creating a virtual fortress around IT systems and networks won't likely offer an organization greater protection. In fact, such a response could cause further harm by preventing data, systems and people from functioning productively. Implementing granular access controls that can be tailored for each privileged user, rather than giving everyone all-or-nothing VPN access, allows users to continue to be productive while reducing the potential impact of compromised credentials. Here are several common third-party access mistakes that organizations should avoid and alternative practices organizations should implement to shore up IT security.
What do many recent mega-breaches have in common? In most, hackers gained access to IT systems through a trusted third-party account, such as that of a vendor. A new Gartner report on remote privileged access for third-parties finds that nearly 75 percent of enterprises are significantly exposed to a cyber-attack due to unsafe privileged access processes. Two of 2015's mega-breaches—of health insurer BCBS Excellus and the U.S. Office of Personnel Management—show that the damage from these events can be long-lasting. But what can be done? Creating a virtual fortress around IT systems and networks won't likely offer an organization greater protection. In fact, such a response could cause further harm by preventing data, systems and people from functioning productively. Implementing granular access controls that can be tailored for each privileged user, rather than giving everyone all-or-nothing VPN access; this allows users to continue to be productive while reducing the potential impact of compromised credentials. Here are several common third-party access mistakes that organizations should avoid and alternative practices organizations should implement to shore up IT security.