By now, every security professional in the world should know the story about Fazio Mechanical Services. The Pennsylvania-based company specializes in heating, air conditioning and refrigeration services, and numerous large companies, including Target, trusted Fazio for its HVAC expertise. Fazio’s level of security expertise, however, was another matter. Its reliance on a free version of a malware detection tool, plus its access to Target’s external billing system and online project management portals, plus a savvy attacker added up in 2013 to the fourth largest data breach of all time.
In every arena, smart enemies choose the path of least resistance. In the data security realm, that path increasingly goes through third-party vendors and subcontractors. Sophisticated, determined hackers have done their homework on the best and easiest ways to attack organizations and exfiltrate data, cause business disruption, or in the case of SCADA attacks, spark catastrophic incidents, such as failure of supply events.
For Target, that meant that malware-laced emails opened by Fazio employees also opened the door to the corporate giant’s network. Once hackers were into Target’s system, they prepared for attack by uploading malicious software to collect payment card information within a few registers. Once they confirmed that the malware performed properly, they infected hundreds of point-of-sale devices with malware.
The attack resulted in the exposure of nearly 110 million customers’ names, mailing addresses, phone numbers and credit card information. While the investigation continues, it is estimated that the damage of this data breach could cost Target up to $420 million.
Security questions to ask every third-party vendor
These kinds of third-party threats, while on the rise, have been widely overlooked. At first, that was due to lack of awareness. The Fazio effect should have solved that issue by now. The next step is to adopt greater vigilance about the security practices of third-party partners.
For example, if companies are shopping for a cloud service provider (CSP), modern security concerns should compel them to ask several critical questions before signing a service level agreement (SLA). In particular, they should question the CSP about their technical controls on three levels:
1. Application layer controls, which address whether apps are well written;
2. Data layer controls, where the last line of defense is often encryption; and
3. Access controls for the CSP and the client user-base, which addresses concerns regarding privileged use and access control strength/consistency.
Some of the questions that may fall under these technical controls include:
1. Is multi-factor authentication used?
2. What kinds of firewalls and anti-virus solutions are in place?
3. What are the encryption standards used for both data in transit and data at rest?
4. Has there ever been a significant cyber breach in the past?
5. If so, what was the cause?
6. What has been done to prevent similar events from happening again?
7. What type of vetting is done on new hires? When somebody is fired, what is done to ensure access paths and/or credentials are revoked?
8. Which employees, and how many, will have access to my data?
9. What types of physical security policies are in place at this location, in addition to the various sensors and controls such as fences, alarms, intrusion detection systems, and cameras?
10. To what extent is auditing performed on my account if changes are made?
When subcontractors send malicious messages
The above questions should help companies stay vigilant against accidental breaches via partners. But what about subcontractors and other third parties that purposefully attack? That was the case with Khosrow Zarefarid, a subcontractor working for three major banks in the Middle East.
Zarefarid, a software manager at the company operating the banks’ networks, was good at his job. He discovered a potentially serious security flaw, and he wrote a formal report to notify the CEOs of each of the three banks that they were at risk of cyberattack. A year passed. The banks took no action, and Zarefarid saw that his work had been ignored. The frustrated subcontractor decided to make a point.
The result was the compromise of 3 million bank accounts and thousands of card numbers and PINs, which Zarefarid exported and posted on his personal blog. Consequently, the CEOs and the banks they represent are being ridiculed for their disregard of information security practices, causing their customers to question their reliability.
This banking breach is a different security issue than the one that affected Target, but the commonality of a third-party player is important and not limited to U.S. corporations only. As this and other incidents have demonstrated, it is hard enough to protect against an infraction and breach from one’s own company; protecting against a partner’s security flaws and malice is even more difficult.
Companies must protect themselves against the third-party threat
Whether they’re unsuspecting portals for cyberattackers or the originators of such assaults, vendors and subcontractors now represent a growing, frequent and serious risk to organizations. Security professionals continue to overlook that risk, however, even as high-profile cases crop up in the U.S., the Middle East, Europe and the Asia Pacific region.
As the customer, a company has the ability to choose which vendors it wants to hire. A significant part of that decision should hinge on the vendor’s answers to questions about security policies, as outlined above. Further, if a vendor will need access to the company network, it is hugely important that security leaders articulate the importance of and verify basic data security measures such as network segmentation of sensitive information. Fazio, for example, had access to Target’s payment cardholder data when, in reality, it should not have. Additionally, SLAs or any other agreement with a vendor can specifically include a clause in the contract that allows companies the right to terminate the relationship if a breach occurs.
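As an added illustration of that verification step (example code, not from the article), the script below checks whether a vendor’s network segment can reach a sensitive zone under a constructed set of firewall rules. The zone names, address ranges, ports and rule format are all assumptions for the example.

```python
"""Check that a third-party vendor segment is walled off from sensitive zones.

Added illustration; zones, CIDRs and rule format are constructed, not taken
from any real environment."""
from ipaddress import ip_network

# Constructed zone map: address ranges that hold sensitive data.
SENSITIVE_ZONES = {
    "cardholder-data": ip_network("10.20.0.0/16"),
    "hr-records": ip_network("10.30.0.0/24"),
}

# Constructed firewall rules in evaluation order: (action, src, dst, port).
# A port of None means "any port". The second rule is the over-broad grant
# this check is meant to catch.
FIREWALL_RULES = [
    ("allow", "192.0.2.0/24", "10.10.5.0/24", 443),   # vendor -> billing portal
    ("allow", "192.0.2.0/24", "10.20.0.0/16", None),  # vendor -> cardholder zone
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",    None),  # default deny
]


def first_match(rules, src, dst, port):
    """Action of the first rule whose src/dst ranges overlap the query.

    Overlap (rather than containment) is used deliberately so that a rule
    reaching any part of the zone counts; this errs on the side of flagging."""
    for action, rule_src, rule_dst, rule_port in rules:
        if (src.overlaps(ip_network(rule_src))
                and dst.overlaps(ip_network(rule_dst))
                and (rule_port is None or rule_port == port)):
            return action
    return "deny"  # no explicit match: treat as denied


def vendor_reach_violations(rules, vendor_cidr, zones=SENSITIVE_ZONES,
                            ports=(22, 443, 1433, 3389)):
    """Return (zone, port) pairs the vendor segment can reach but should not."""
    src = ip_network(vendor_cidr)
    violations = []
    for name, zone in zones.items():
        for port in ports:
            if first_match(rules, src, zone, port) == "allow":
                violations.append((name, port))
    return violations


if __name__ == "__main__":
    for zone, port in vendor_reach_violations(FIREWALL_RULES, "192.0.2.0/24"):
        print(f"VIOLATION: vendor segment can reach {zone} on port {port}")
```

Removing or narrowing the over-broad allow rule and re-running the check is the segmentation verification the paragraph above asks security leaders to perform.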
Despite the frequency of news regarding cyberattacks, security professionals continue to overlook the fact that more than 75 percent of data theft inside organizations occurs as a result of the actions of a human being with access and privileges to systems, networks and other sensitive data. The insider threat can be a bit of a misnomer in these instances, since suppliers, sub-suppliers, vendors and even satellite offices – essentially any entity outside of the main HQ location – can introduce these vulnerabilities.
In this environment, companies need to ensure they have a holistic approach to enterprise security in place to cover their entire corporate ecosystems. Such an approach should assess points of vulnerability with special emphasis on the role of external dependencies: suppliers, sub-suppliers, joint ventures, vendors. By identifying trends, patterns and areas of elevated risk, companies can find, fix, and protect their most critical problem areas and shut the door on cyberattacks coming in from third-party partners.