03-10-2014 12:28 PM
The security of third party vendor relationships is coming under increased scrutiny as the source of the Target breach has been identified as an HVAC service provider who had remote access into the Target network. While details are still scarce, it's clear that a connection used to allow access for billing can be all that's needed for an attacker to turn that innocuous entry into a data breach that is costing Target untold millions.
As businesses grow, they are forced to rely on third parties to provide services that require a trust in the provider to protect their networks and data at the same or greater level. Unfortunately, this is rarely the case. Security firm Trustwave analyzed 450 data breaches in 2013 that showed nearly two-thirds were related to third party IT providers.
With the increasing reliance on business-to-business connections, companies must protect themselves from the threats posed by allowing "trusted" third parties access to areas of their network. While trust can be made in a vendor to provide the services they're committing to, it's a blind leap of faith to assume they will take the same precautions in protecting the information and the access to your network they're trusted with.
Businesses need to protect themselves and treat the vendors accessing their network as untrusted entities and put in the controls to protect themselves and monitor all activity sourced from the vendors.
The following are tips that have come from my experience as a security consultant and countless conversations with companies who must allow access to third party vendors and the vendors themselves.
03-10-2014 06:14 PM
That Target scare made my dad change his credit card!
03-10-2014 10:08 PM
I was surprised when I called my credit card company the day after the Target attack hit the news; they already had identified and closed accounts that had been exposed - I thought this was a very proactive stance.
06-24-2014 09:51 AM
The following is an update on how to protect against attacks via third party vendors
Quote/Despite Target, Retailers Still Weak On Third-Party Security
By/ Sara Peters posted on 6/24/2014
A new survey from TripWire shows mixed results about retailers' security practices.
The big Target breach last year was actually the second stage of an attack that began by breaching the retail giant's third-party HVAC subcontractor (although the general public seems to forget that fact). This should have taught companies a lesson about the risks of letting business partners run pell-mell around one's network without paying any mind to their own security posture. However, according to new research from TripWire, at least one-quarter of retailers have not yet learned that lesson.
On one end of the spectrum, 12% of retailers who responded say they require third-party partners to pony up regular reports on vulnerability scans on their network and Web applications. On the other end of the spectrum, 26% said, "We don't evaluate the security of our business partners."
DarkReading/ full read here/ http://www.darkreading.com/despite-target-retailer