Third-party security weaknesses are affecting major retailers and hospitals, and the number of organizations affected continues to grow. Third party, vendor and supplier security risk governance is therefore very important. Larger organizations use third parties and suppliers to provide goods and services, and these third parties get connectivity to the organization's IT systems through partner networks or through other connection types (FTP, VPN, e-mail and so on). Every third-party IT system connected to the organization's IT systems creates one more entry point for attackers. Third-party IT security may not have the same level of rigor as the larger organization's, so attackers now treat third parties as soft targets from which to launch attacks on the bigger organization, and third-party security loopholes are used to steal the larger organization's data. The focus on stealing personally identifiable information via third-party systems continues to plague companies, and continues to receive media attention.
Data Breach Examples
Security breaches have happened in retail, in hotels, in healthcare, and in many other verticals that have many suppliers or partners. The pattern repeats: a large company's network is gravely breached and, after weeks of investigation, a finger is pointed at a minor vendor whose own system was breached.
Target data breach, attributed to a breach of one of the retailer's HVAC contractors
In the Target data breach, the intrusion happened through stolen account credentials for the HVAC vendor's IT system, which was interfaced with Target's IT system. Home Depot, Lowe's and other retailers have observed breaches that were carried out via third-party vendors. This form of attack is only expected to increase. One of the reasons for the increase in vendor-based attacks (soft targets) is the increased security at the sourcing organizations themselves.
Target was attacked through computers at Fazio Mechanical, a company that maintains the refrigerators for the giant retailer. The two companies' networks are connected, since Fazio Mechanical needs to maintain those refrigerators. In the case of the Target hack, the service provider was using free home-grade antivirus software. Target gave many of its suppliers access credentials that may have enabled direct access to Target's payment-processing system. This system was not sufficiently partitioned from the rest of Target's systems: once the intruder had access to one part of Target's network, they had access to the other systems as well.
Walmart's photo center website is operated by a third-party service provider. The business use case of the Walmart Photocentre website is to give customers the ability to upload digital photographs through the web interface. Image gallery upload misuse is one of the more common forms of web application attack, in which the attacker takes advantage of a misconfigured upload form: the intruder tries to upload malicious code instead of an image and then attempts to get that code to execute.
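The server-side checks that close the upload misuse described above, as an added example that is not code from Walmart or its photo provider: the extension whitelist, magic-byte table, size limit and script markers are constructed for this illustration, and the storage name is chosen by the server rather than the client.

```python
import re
import secrets

# Magic-byte prefixes for the image types an upload form should accept.
# Constructed table for this example, not taken from any real photo service.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Long markers that do not occur in genuine image data but do occur in
# server-side script files renamed to look like images.
SCRIPT_MARKERS = (b"<?php", b"<script")
MAX_BYTES = 10 * 1024 * 1024  # assumed limit for a single photo


def validate_image_upload(filename: str, data: bytes):
    """Return (accepted, reason) for one uploaded file."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size out of range"
    # Exactly one extension, plain characters only: "x.php.jpg" is rejected.
    parts = filename.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "bad filename"
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    # Trust the bytes, not the extension or the client's Content-Type header.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Random server-chosen name, so the client never controls the path."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename: str, data: bytes):
    """Validate and return the name to store under (None if rejected)."""
    ok, reason = validate_image_upload(filename, data)
    if not ok:
        return None, reason
    return storage_name(filename.lower().split(".")[1]), reason
```

In production the accepted file should additionally be re-encoded with an image library and written outside the web root, so that nothing the client supplied is ever served or executed as-is.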
The Army National Guard
The Army National Guard reports that the data of 850,000 current members has been exposed due to an improper data transfer to a third-party, non-DoD-accredited data center for data analysis. The servicemen and women may have had their names, home addresses, Social Security numbers, and dates of birth exposed when that data was transferred to a non-Department of Defense-accredited data center by a contract employee as part of a budget analysis.
Service Systems Associates (SSA)
Service Systems Associates (SSA), a company that serves gift shops and eateries at zoos and cultural centers across the United States, has acknowledged a breach of its credit and debit card processing systems. SSA investigated a breach involving point-of-sale malware; the compromise occurred in the PoS systems located in the gift shops.
Data breach alert: the rising threat of contractors
With the increasing number of contractors being employed by organisations, it's vital that their access rights are regularly reviewed. Research from PwC has revealed that contractors account for 18 percent of the most serious breaches in UK firms of varying sizes. Businesses must be smart about protecting against the potential risks that contractors bring into the virtual workplace.
- Business speed: some organizations feel that screening a vendor will slow them down
- Most companies do not have a process for assessing a third-party partner's security capabilities before they do business with them.
- Security processes are standard on paper, but they tend to fail in practice
- Weak vendor security posture
- Misalignment of vendor security plans
- Inability of the vendor organization to address security concerns
- Vendor's unwillingness to modify security measures to meet the sourcing organization's specific requirements
- Lack of sub-vendor due diligence
- Data privacy ownership
- Vendor staff security awareness
- Vendor security due diligence before taking on their services
- Validate vendor risk management with a security checklist (for example, the SIG framework)
- A vendor's systems can be a threat to you whenever both parties' systems are connected. This can be via an application interface, a remote connection, or the vendor's employees connecting to the customer's network when they walk in the door.
- Self-protective security posture
- Timely fixing of security holes in the vendor's IT systems
Check the following vendor security aspects:
- Access, password and log governance process
- Risk based strong authentication
- System hardening
- Security Awareness
- Mobile computing management
- Secure interfacing with the vendor's IT system
- Data center security
- Email Spam detection
- Antivirus / Malware monitoring
- IT system decommissioning process
- Patch management
It is very important to have security due diligence done on a third party's IT security before giving it connectivity to the organization's network. The due diligence should be in line with the type of service provided and the type of data access the third party has.
Authored by Satish Kulkarni