Credit card data of 40 million Target customers, 15,000 Boston Medical Center patients’ personal information, and payment card information of 868,000 Goodwill customers – all of this information was exposed as a result of data breaches not at the companies themselves, but at vendors with access to the companies’ systems.
A recent BitSight Technologies study found that one third of U.S. retailers that experienced a data breach within the past year were compromised via third-party vendors.
And it’s not a new problem.
Newfound Awareness of Vendor Risk
Michela Menting, practice director at ABI Research, said third-party vendors have always presented a security risk, but the massive publicity around high-profile events like the Target breach has greatly increased awareness of the issue.
"In fact, it has traditionally been much easier to go through third-party vendors, especially where there are smaller firms and contractors, than trying to attack a behemoth itself," Menting said. "If you consider the services industry – insurers, law firms, consultancies – these have been vectors for infiltration into much larger client companies."
No company is immune, Menting said. "Whereas a smaller company, perhaps one that offers janitorial, concierge, gardening, provisioning or other maintenance services, might not have been considered good vectors five or six years ago, today any will do," she said. "This is because increasingly even these small companies will make use of connected mobile devices, a small IT system, a Web presence."
In many cases, that’s all a hacker needs to get into your systems. "There’s no point in building a great perimeter defense and robust internal procedures if you’re going to let the front door wide open to a company that has neither," Menting said.
Tim Erlin, director of IT security and risk strategy at Tripwire, said it’s crucial to consider which data and business systems your vendors can access.
"In some cases these are explicitly shared, such as a marketing relationship that involves shared customer data," he said. "In other cases, they’re implicit, such as an IT admin who performs database maintenance on a server storing sensitive data. The implicit access can be much harder to understand, and therefore harder to manage."
Regardless of their area of expertise, Erlin said, any vendor inevitably brings a huge set of unknowns into a relationship.
"While a vendor may do a great job providing a specific service, they may unnecessarily expose themselves to risk in other ways, and that risk may transfer to you as a customer," he said. "For example, a point-of-sale vendor may do a great job managing those systems, but run a vulnerable Web application for their own corporate website."
Access Control, Authentication and Monitoring
Gartner research director Lawrence Pingree said remote access is one of the most critical aspects to consider in any third-party relationship. "This is common among third parties that perform infrastructure management, and because these third parties often have privileged access, this can represent a significant vulnerability to an enterprise environment if not properly protected," he said.
Pingree said the best methods of protection lie in well-defined access control, strong authentication and monitoring.
"In the authentication space, we are seeing security technologies evolve to increase their adaptive capabilities through contextual awareness such as an understanding of where, what, who and why aspects of the users," he said. "For example, geolocation can trigger additional vetting of the user, such as asking for details about the user."
Rapid7 chief research officer HD Moore said it’s also advisable to require that any vendor with access to your environment use two-factor authentication, and to ensure that vendors only have access to the resources they need to do their jobs.
"Many vendors are small businesses that are typically ill-equipped to respond to threats and may be lacking in common security precautions like the use of two-factor authentication and full-disk encryption," he said.
Network segmentation and event monitoring can help reduce the risk of a breach caused by third-party access, , Moore said. If possible, it’s also advisable to provide dedicated systems for the vendor to work from, and to prevent vendors from connecting their systems directly to your network, he added.
While service providers rarely offer much visibility into what’s happening within their environments, Moore recommends requesting that your data be hosted on a dedicated group of systems, that only senior staff be allowed to manage those systems, and that an activity log be provided for any access to the environment.
"The best time to add these requirements is during the initial sales process or a subsequent renewal," he said.
Yes to Testing, No to Trust
Moore said service providers should also be able to demonstrate that they’ve had regular penetration tests performed by qualified security firms, and they should be able to show you the executive summary from their most recent penetration test. From your end, he said, consider conducting your own regular security assessment of their service, or include them in the scope of your next security assessment or penetration test.
Ultimately, said HyTrust Vice President Michele Borovac, trust no one.
"The phrase 'I trust my team' doesn’t cut it with distributed computing, cloud providers, and third party partners that introduce greater points of access into your cloud environment," Borovac said. "If you are running sensitive applications or data in the cloud, encrypt them. If you have vendors accessing your data center for any reason, make sure you can control, monitor and audit what they are doing."
When evaluating any new vendor, Borovac said, make a basic security survey a key part of that process. "Ask some honest questions about the organization’s access control policies, physical security measures and password procedures," she said. "Is their software up to date and patched? Ask if they have ever been involved in a security breach. Having some documentation will at least give you some legal standing in the event that you are breached."
Carefully auditing a vendor’s security before hiring them, Rapid7’s Moore said, is the best way to reduce your risk of a third-party breach. "Red flags such as lack of security awareness or poor software development practices can often be inferred through a brief questionnaire during the sales process," he said.
And make your expectations regarding security as clear as possible to any new vendor before you start working together. "Consider the same policies you apply to your own organization around data classification and protection, identity and authentication, and best practice security processes," said Tripwire’s Erlin. "Why wouldn’t these same requirements apply to your third party vendors?"
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.