What is the risk exposure when an organization suffers a data breach and is not…
Third-party vendors and others who are not employed by your company can pose significant security risks to your network and data, even if you have the most robust, up-to-date security infrastructure. In fact, you are only as secure as your least secure contractor.
Back in 2013, a massive data breach at Target resulted in the exposure of 40 million Target credit and debit card numbers and another 60 million customer personal information records. As a result, the CEO and CIO resigned, and it cost the company millions of dollars in remediation, lawsuits, and lost business.
Security researchers discovered that the hackers had gained access to the Target network through a compromised user account at a third-party HVAC vendor.
Ensuring that your third-party vendors are using security best practices is not just a nice-to-have but an essential ingredient in a comprehensive security program. Your job could be on the line.
A more recent data breach involving a third-party vendor was the theft and early release of the Netflix series “Orange is the New Black.” A hacker group known as the Dark Overlord exploited a vulnerable computer running Windows 7 at Larson Studios, a small audio production company used by Netflix and other TV and film studios, and stole season five of the popular Netflix series and other shows.
After being informed of the hack by Dark Overlord in a Christmas Day email, David Dondorf, chief engineer at Larson Studios, and Chris Unthank, director of digital systems, rushed to the studio to examine the hackers’ claims.
“Once I was able to look at our server, my hands started shaking, and I almost threw up,” Unthank recalled in an interview with Variety. The company contacted the FBI, which proved to be of little help initially.
Larson decided to pay the ransom of 50 bitcoins, hoping to keep the news of the breach private. But Dark Overlord contacted Netflix and other studios about the breach because Dondorf and Unthank had notified the FBI, which apparently violated the “agreement” the company had with the cybercriminal group.
Dark Overlord then released the first episode of “Orange is the New Black” and threatened to release the entire season unless Netflix paid a similar ransom.
Netflix refused to pay the ransom and issued the following statement: “We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.” Following Netflix’s refusal, Dark Overlord released the remaining episodes.
After the breach, Larson invested heavily in new security measures, some of which were recommended by their studio customers. These measures included encrypting any data leaving the company, segmenting networks, separating audio and video files, and locking down computers.
But the damage was done. The studios could have saved themselves time, money, and embarrassment if they had looked after the security of Larson Studios before the breach occurred.
In another data breach caused by a third-party vendor, Dutch technology multinational Philips discovered that confidential payroll data on 4,000 Philips employees had been published on the text storage site Pastebin.
The breached data included payroll and bank IDs, Dutch national identification numbers (driver’s licenses and passport numbers), home addresses, and other information that could be used to steal employees’ identities.
After informing the Dutch Data Protection Authority, Philips set up a crisis response team, which filed takedown notices with Pastebin and a number of search engines.
Security operations center analysts scanned Philips’ networks to find out whether the data had leaked from inside the company and whether additional breaches of the payroll system could occur. Overall, the process took a month.
Eventually, Philips was able to determine that the breach occurred at a downstream payroll processor and informed the processor about the breach. But again the damage was done.
Another area of concern, particularly for retailers and restaurants, is data breaches caused by point-of-sale (POS) systems supplied by third-party vendors. In 2014, fast-food chains Chick-fil-A, Dairy Queen, and Jimmy John’s all admitted to breaches that exposed credit and debit card information of customers.
These breaches resulted from card skimmer malware that had compromised the third-party POS systems the restaurants used, explained security blogger Brian Krebs.
“The stores impacted were franchises that outsourced the management of their point-of-sale systems to specific third-party companies,” wrote Krebs.
More recently, fast-food restaurant Sonic Drive-In and grocery store chain Whole Foods reported breaches of their POS systems and the theft of customer credit and debit card information. Sonic Drive-In said in a statement that its credit card processing vendor had been compromised. Although the company did not disclose the number of customers affected, Krebs was able to identify around 5 million card numbers up for sale on the cyber black market that appeared to be from the Sonic breach.
Whole Foods became aware of a breach of credit and payment card information used at taprooms and restaurants in more than 100 of its stores. The company stressed that these venues used a different POS system than the grocery store checkout systems, which were not compromised.
The problem with many POS systems is that they often have minimal security controls in place and often run older operating systems like Windows Embedded, Windows XP, or even DOS, which are extremely vulnerable to hacking.
In addition, the companies using these systems often employ poor security practices. “We hear of breaches where all the POS terminals were on the company’s one-size-fits-all network, making it easier for crooks to find weak spots and traverse all the POS systems. We hear of breaches where one remote access password served hundreds of separate branches, even separate customers, and where no two-factor authentication was used,” Paul Ducklin, senior security advisor at Sophos, told SecurityWeek.
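The weak practices described in the two paragraphs above (unsupported POS operating systems, one remote-access password shared across branches, no two-factor authentication, and POS terminals on a flat corporate network) can be checked mechanically against an asset inventory. The following audit is an added illustration, not code from the article or any vendor; the inventory records, the `cred_fingerprint` field (a hash of the remote-access credential, so no password appears), and the corporate subnet are all constructed for the example.

```python
"""Audit a POS/vendor asset inventory for the weak practices the article names.

Added example (not from the article). INVENTORY and CORPORATE_NET are constructed
sample data; 'cred_fingerprint' is a hypothetical field holding a hash of the
remote-access credential, so plaintext passwords never enter the audit.
"""
from collections import defaultdict
import ipaddress

# Operating systems the article names as still common on POS terminals.
UNSUPPORTED_OS = {"windows xp", "windows embedded", "dos"}

# Constructed sample inventory (not real hosts or credentials).
INVENTORY = [
    {"host": "pos-01", "role": "pos", "branch": "Store 101", "os": "Windows XP",
     "ip": "10.0.0.11", "cred_fingerprint": "a1b2", "mfa": False},
    {"host": "pos-02", "role": "pos", "branch": "Store 102", "os": "Windows Embedded",
     "ip": "10.0.0.12", "cred_fingerprint": "a1b2", "mfa": False},
    {"host": "pos-03", "role": "pos", "branch": "Store 103", "os": "Windows 10 IoT",
     "ip": "10.20.0.5", "cred_fingerprint": "c3d4", "mfa": True},
    {"host": "hr-fileserver", "role": "server", "branch": "HQ", "os": "Windows Server 2016",
     "ip": "10.0.0.50", "cred_fingerprint": "e5f6", "mfa": True},
]
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/24")  # constructed HQ subnet


def audit(inventory, corporate_net=CORPORATE_NET):
    """Return (host, finding) tuples, one per weak practice found."""
    findings = []
    # Which branches use each remote-access credential: >1 means it is shared.
    branches_by_cred = defaultdict(set)
    for t in inventory:
        branches_by_cred[t["cred_fingerprint"]].add(t["branch"])
    for t in inventory:
        host = t["host"]
        if t["os"].lower() in UNSUPPORTED_OS:
            findings.append((host, f"unsupported OS: {t['os']}"))
        if not t["mfa"]:
            findings.append((host, "remote access without two-factor authentication"))
        shared_with = branches_by_cred[t["cred_fingerprint"]]
        if len(shared_with) > 1:
            findings.append((host, f"remote-access credential shared by {len(shared_with)} branches"))
        # A POS terminal addressed inside the corporate subnet is not segmented.
        if t["role"] == "pos" and ipaddress.ip_address(t["ip"]) in corporate_net:
            findings.append((host, "POS terminal on the corporate network (no segmentation)"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host}: {finding}")
```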
These breaches highlight the risks posed to companies by third-party vendors, and the need for you to use security best practices and to work with your vendors to improve their security as part of your overall IT security program.
Security best practices include keeping current on software updates and patches, maintaining adequate perimeter defenses, using strong authentication, educating employees, regularly backing up data, and monitoring user behavior both of employees and third-party vendors.
A comprehensive discussion of security best practices can be found in the National Institute of Standards and Technology’s Cybersecurity Framework, which organizes best practices into five functions: Identify, Protect, Detect, Respond, and Recover.
In addition, managed security solutions providers (MSSP) can help take the burden off of your IT security team in securing your systems.
An MSSP uses high-availability security operations centers to provide 24/7 services designed to reduce the number of operational security personnel you need to hire, train, and retain to maintain a robust security posture, freeing your existing staff for other tasks, such as implementing and monitoring security arrangements with vendors.
A combination of implementing security best practices and seeking help from an MSSP is the best way to keep your organization safe from data breaches caused by third-party vendor negligence.
Ultimately, executives who have turned their focus back to their business, customers, and employees and pushed many of the complex parts of their security function to specialists have found that the overall risk of the business was reduced and the competitive advantages increased.