By: Tara Condon & Henry Gold
Last fall, John Gainor, President and Chief Executive Officer of DQ, posted a memo for Dairy Queen and Orange Julius customers regarding a recent data hack. At its center was the revelation that a third-party vendor's account credentials had been compromised and used to gain access to customer data. DQ should be applauded for its thorough investigation following the attack and its forthright communication to customers about it. However, the question remains for CISOs everywhere: Can this type of hack be prevented?
Third parties regularly access networks for legitimate reasons.
Companies regularly allow third parties access to internal systems. Common reasons for enabling this access include systems administration and programming. Increasingly common is granting access to information technology and communication service providers who troubleshoot, fix, and maintain computers, web sites, networking resources, and voice systems. Often, these third parties require administrator-level access to complete their work. Many times, access to these systems is poorly secured, relying on simple password authentication that is easily breached.
But, companies often have little control over third party activity on the network.
Companies typically control the front end of vendor access with passwords or more robust security measures, such as software tokens or PKI-based (two-factor) authentication. However, once the third party is on the network, they typically have unmonitored, and often unfettered, access to a variety of systems. This is where the risk of data theft or system breach increases significantly. Even if the company ends its relationship with a third party, the risk often persists, because backdoors may have been opened to a variety of network resources.
Companies spend a good deal of time and money to vet and hire employees. One hopes their third party vendors do the same, but that is not always the case. Companies may never meet or even see the wide network of third party employees who regularly work on their system. As such, gauging risk becomes nearly impossible.
A system that offers control and visibility is good for companies and third parties.
The ideal system provides controlled third party access along with visibility and monitoring. The good news is that these systems are available today. A company should be able to define and control who is on the network, what they may access, and what they are permitted to do. The system would then provide visibility into activities on the network and alert company representatives in the case of suspicious activity.
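The model described above (define who may connect, which systems they may reach and which actions they may perform; authenticate at the front door; log every action; alert on anything outside the grant, including use of accounts whose vendor relationship has ended) can be made concrete in a small access broker. The following Python module is an added illustration written for this article; it is not API Technologies' product or code, and every name in it (the vendor "acme-telecom", its user "jdoe", the systems "pbx-01", "billing-db" and "file-01", the probing threshold) is a constructed sample value.

```python
"""Illustrative third-party access broker: grant definition, front-door
authentication, per-action authorization, audit trail and alerting.
All vendor, user and system names below are constructed for the demo."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class VendorGrant:
    """Who may connect, to which systems, to do which actions, until when."""
    vendor: str
    user: str
    systems: frozenset
    actions: frozenset
    expires: datetime


@dataclass
class AuditEvent:
    when: datetime
    vendor: str
    user: str
    system: str
    action: str
    decision: str  # "allow" or "deny:<reason>"


class VendorAccessBroker:
    PROBE_THRESHOLD = 3  # denials for one account before a 'probing' alert

    def __init__(self, grants):
        self._grants = {(g.vendor, g.user): g for g in grants}
        self._revoked_vendors = set()
        self.audit_log = []   # every authorization decision, allowed or not
        self.alerts = []      # what a company representative would be paged with

    def revoke_vendor(self, vendor):
        """Relationship ended: all of the vendor's grants die at once, so a
        leftover account cannot serve as a backdoor."""
        self._revoked_vendors.add(vendor)

    def authenticate(self, vendor, user, second_factor_ok, now):
        """Front-end control: a current grant plus a second factor."""
        grant = self._grants.get((vendor, user))
        if grant is None or vendor in self._revoked_vendors:
            self._alert(now, vendor, user, "login by unknown or revoked vendor account")
            return False
        if now >= grant.expires:
            self._alert(now, vendor, user, "login with expired grant")
            return False
        return bool(second_factor_ok)

    def request(self, vendor, user, system, action, now):
        """Per-action authorization after login: deny by default, log everything."""
        grant = self._grants.get((vendor, user))
        if grant is None or vendor in self._revoked_vendors:
            decision = "deny:revoked"
        elif now >= grant.expires:
            decision = "deny:expired"
        elif system not in grant.systems:
            decision = "deny:system-not-in-grant"
        elif action not in grant.actions:
            decision = "deny:action-not-in-grant"
        else:
            decision = "allow"
        self.audit_log.append(AuditEvent(now, vendor, user, system, action, decision))
        if decision != "allow":
            self._alert(now, vendor, user, f"{decision} on {system}/{action}")
            denials = sum(1 for e in self.audit_log
                          if (e.vendor, e.user) == (vendor, user) and e.decision != "allow")
            if denials == self.PROBE_THRESHOLD:
                self._alert(now, vendor, user, f"{denials} denied actions: possible probing")
        return decision == "allow"

    def _alert(self, now, vendor, user, message):
        self.alerts.append(f"{now.isoformat()} {vendor}/{user}: {message}")


def run_demo():
    """Walk one vendor account through in-scope, out-of-scope and post-revocation use."""
    now = datetime(2015, 3, 1, 10, 0, tzinfo=timezone.utc)
    grant = VendorGrant("acme-telecom", "jdoe", frozenset({"pbx-01"}),
                        frozenset({"read-config", "restart-service"}),
                        now + timedelta(days=30))
    broker = VendorAccessBroker([grant])
    r = {}
    r["login"] = broker.authenticate("acme-telecom", "jdoe", True, now)
    r["in_scope"] = broker.request("acme-telecom", "jdoe", "pbx-01", "restart-service", now)
    r["wrong_system"] = broker.request("acme-telecom", "jdoe", "billing-db", "read-config", now)
    r["wrong_action"] = broker.request("acme-telecom", "jdoe", "pbx-01", "dump-users", now)
    r["wrong_system_2"] = broker.request("acme-telecom", "jdoe", "file-01", "read-config", now)
    broker.revoke_vendor("acme-telecom")  # contract ends
    later = now + timedelta(days=1)
    r["after_revoke"] = broker.request("acme-telecom", "jdoe", "pbx-01", "read-config", later)
    r["login_after_revoke"] = broker.authenticate("acme-telecom", "jdoe", True, later)
    r["audit_entries"] = len(broker.audit_log)
    r["alerts"] = list(broker.alerts)
    return r


if __name__ == "__main__":
    for line in run_demo()["alerts"]:
        print(line)
```

The point of the design is that the login check and the per-action check are separate: passing two-factor authentication at the front door buys the vendor nothing beyond the systems and actions in its grant, every decision lands in the audit trail, and revoking the vendor closes all of its accounts in one step rather than relying on someone remembering each one.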
One would think that third parties bristle at added controls. However, many third parties have wholeheartedly embraced the concept. Having a third-party access system in place makes their jobs easier: these third parties can focus on service delivery instead of concerning themselves with network access. Furthermore, the added visibility lets third parties demonstrate – in real time – the value they provide.
For more information on this and other security-related topics, follow our Secure Systems & Information Assurance (SSIA) team on LinkedIn.
About the Authors:
Tara Flynn Condon (@api_taracondon) is a published writer and Vice President of API Technologies Corp.
Henry Gold is an expert and frequent speaker on security topics and General Manager of SSIA North America for API Technologies Corp.