Strengthening Third-Party Contracts To Lower Breach Risks

[security curmudgeon <jericho () attrition org>]

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.darkreading.com/database-security/167901020/security/news/232601293/strengthening-third-party-contracts-to-lower-breach-risks.html

By Ericka Chickowski
Contributing Writer
Dark Reading
Feb 22, 2012

Details emerged this week that showed that recent Anonymous hacks of 
Federal Trade Commission (FTC) websites could potentially have been 
prevented had the FTC not dispensed with security provisions in a contract 
with the third-party vendors who hosted the sites. As organizations 
continue to divide labor in IT?particularly in development of 
public-facing websites?the incident could prove a good lesson in the 
importance of shoring up contract language and SLAs to ensure third 
parties are not adding undue risks of data breaches in the future.

In the case of the FTC, the federal agency suffered two embarrassing 
breaches within the last two months. In January, Anonymous attacked the 
FTC?s OnGuardOnline.gov site and this month it again hacked the FTC?s 
Bureau of Consumer Protection site. The websites in question were open to 
attack due to a failure to patch the server operating systems and 
applications associated with the site, a weakness that Anonymous took 
advantage of to publicize its distaste for the Anti-Counterfeiting Trade 
Agreement (ACTA) backed by the federal government.

?Even more bothersome than your complete lack of competence in maintaining 
your own f***ing websites and serving the citizens you are supposed to be 
protecting, is the US federal government?s support of ACTA,? Anonymous 
wrote about its most recent attack.

The sites in question were developed by public relations firm 
Fleishman-Hilliard, which hosted the sites on resources provided by 
hosting and cloud services provider Media Temple. The two firms are 
currently duking it out in a very public finger-pointing spat reported by 
Ars Technica, which also brought to light the fact that the $1.5 million 
contract to develop the sites initially included security provisions 
during the acquisition process but then dropped those requirements.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Small, inexpensive USB drives pose huge threats to organizations left unprotected. 
Download Chapter 1 of CREDANT Technologies eBook
Data Protection to the Rescue
http://www.credant.com/campaigns/external_media_ebook/chapter1/lp/