Home page logo

dataloss logo Data Loss mailing list archives

Tech Toolkit: How to prevent a subcontractor security breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 5 Mar 2014 20:07:48 -0700


Investigations into Minneapolis-based Target Corp.'s massive data breach
are ongoing, but a recent report by security reporter Brian Krebs
highlights the potential role of one of the retailer's subcontractors,
Fazio Mechanical Services, an HVAC company that provides heating and
ventilation services.

Krebs reports that the breach "appears to have begun with a malware-laced
email phishing attack sent to employees" at Fazio, which then used
credentials that Target gave to the HVAC purveyor for network access.

This is a wake-up call that companies can't ignore. In other words, if you
employ any type of subcontractor or allow client access to your system, and
the two paragraphs above didn't just make your stomach lurch, then you're
not paying attention.

Subcontractor and client access is extremely common, and the Fazio story
illustrates the way that attackers can find their way into major companies
by using smaller ones as pathways. Are you at risk? Definitely. But can you
mitigate that risk? Fortunately, that answer is also yes. Here are some
tactics for strengthening your security, to block those malware paths into
your system.

Recognize the issue

Enterprises tend to shore up their defenses against outside threats, but
many fail to recognize threats arising from employee, client and
subcontractor access, according to David Poarch, vice president of Security
Solutions at Illinois-based technology consulting firm Forsythe, which has
a local office in Bloomington.

"Many organizations fall down with the people they trust," Poarch says.
"They don't have much of a plan for how to treat these third-party business
relationships because they're so focused on keeping 'the bad guys' out."

So, the first step in implementing better security is to recognize the risk
levels that each type of user presents, whether that's an HVAC supplier or
your best client.

Start with due diligence

Before granting access and exchanging data, the third party's information
security practices should be evaluated to find security gaps that could
affect data confidentiality, according to Jeremiah Talamantes, founder and
managing partner of Minneapolis-based consultancy RedTeam Security.

"The task itself is certainly not a glamorous one, but it goes a long way
in the evaluation of the third party's overall security posture and
practices," he says. This type of assessment typically consists of a visit
to the subcontractor's facility, and an evaluation of their information
security program, including security policies and guidelines.

Use the principle of 'least privilege'

A subcontractor shouldn't have the same level of access into an enterprise
network as the company CEO, yet some businesses adopt practices that grant
exactly that. Talamantes advises companies to employ the principle of
"least privilege," which mandates that people, processes, and devices
should be assigned the fewest access privileges consistent with their
assigned duties and functions.

"For example, an HVAC subcontractor who requires remote network access to
monitor the organization's cooling system should be provided access to the
system, but only to a [specific part] of the system, and only from the
subcontractor's network," says Talamantes. "Additional access constraints
should be implemented as well, such as time of day, number of simultaneous
connections and connection protocols."

Invest in monitoring systems

When it comes to better security, some cost will be involved and companies
need to recognize that. Jeremy Wunsch, CEO at Minneapolis-based computer
forensics company LuciData, thinks that frugality sometimes plays a role in
access issues. It can be expensive to bring in a third party for a complete
audit, he says, and there's little incentive to discover new security holes
in one's own company. It can also be costly to fix those gaps because it
might require an alteration of existing practices to implement some

But developing a monitoring system is worth expanding the IT budget. Proper
monitoring solutions and regular audits are critical, Wunsch says. These
can establish a baseline for user access and discover anomalous behavior
that can signal the start of a problem.

Audits also help to find potential issues throughout a security system.

"Grant IT security professionals enough autonomy to do their jobs, but also
bring in an outside group to audit their work," Wunsch states. "As good as
you think your team is, there are flaws in every system."
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 


Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!

  By Date           By Thread  

Current thread:
  • Tech Toolkit: How to prevent a subcontractor security breach Audrey McNeil (Mar 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]