Can Certain Third Party Data Hacks be Prevented?

by Tara Condon 14. October 2014 13:03

By: Tara Condon & Henry Gold

 

Last fall, John Gainor, President and Chief Executive Officer of DQ, posted a memo for Dairy Queen and Orange Julius customers regarding a recent data hack. Its centerpiece was the revelation that a third party vendor compromised account credentials and gained access to customer data. DQ should be applauded for its thorough investigation following the attack and its forthright communication to customers regarding the same. However, the question remains for CISOs everywhere: Can this type of hack be prevented?

Third parties regularly access networks for legitimate reasons.

Companies regularly allow third party access to internal systems. Common reasons for enabling this access include systems administration and programming. Increasingly common is the granting of access to information technology and communication service providers who troubleshoot, fix, and maintain computers, web sites, networking resources, and voice systems. Often, these third parties require administrator-level access to complete their work. Many times, access to these systems is not well secured or well implemented, relying on simple password authentication, which is easily breached.


But, companies often have little control over third party activity on the network.

Companies typically control the front-end of vendor access with passwords or more robust security measures, such as software tokens or PKI-based authentication (two-factor). However, once the third party is on the network, they typically have unmonitored, and often unfettered, access to a variety of systems. Here is where the risk of data theft or system breach is significantly increased. Even if the company ends its relationship with a third party, this risk is often undiminished, as backdoors can be opened to a variety of network resources.

Companies spend a good deal of time and money to vet and hire employees. One hopes their third party vendors do the same, but that is not always the case. Companies may never meet or even see the wide network of third party employees who regularly work on their system. As such, gauging risk becomes nearly impossible.

 

A system that offers control and visibility is good for companies and third parties.

The ideal system provides controlled third party access along with visibility and monitoring. The good news is that these systems are available today. A company should be able to define and control who is on the network, what they may access, and what they are permitted to do. The system would then provide visibility into activities on the network and alert company representatives in the case of suspicious activity.

 

One would think that third parties bristle about added controls. However, many third parties have wholeheartedly embraced the concept. Having a third party access system in place makes their jobs easier: These third parties can focus on service delivery instead of concerning themselves with network access. Furthermore, the added visibility lets third parties demonstrate – in real time – the value they provide.

 

For more information on this and other security-related topics, follow our Secure Systems & Information Assurance (SSIA) team on LinkedIn.

 

About the Authors:

Tara Flynn Condon (@api_taracondon) is a published writer and Vice President of API Technologies Corp.

Henry Gold is an expert and frequent speaker on security topics and General Manager of SSIA North America for API Technologies Corp. 


Secure Systems & Information Assurance

INFOGRAPHIC: The Evolution of Secure Mobile Computing

by Karen Gait 16. September 2014 11:30

Secure mobile computing has changed dramatically over the last two decades. Technology has rapidly advanced from the slow, cumbersome, and unwieldy devices of the 1990s to the powerful, ultra-secure, and highly portable laptops available today. The new SST Secured Venue Tablet is at the forefront of this advanced technology, combining the portability of a tablet with the ability to manage data to IL5/IL6 within the high-performing Dell Venue 11 Pro Tablet.

Learn more about the Secured Venue Tablet and SST's other TEMPEST, rugged, and bespoke products at www.sst.ws


Infographics | Secure Systems & Information Assurance

Meet the Team: James Cook, Senior Design Engineer

by Karen Gait 17. February 2014 11:27

About Me
My name is James Cook, I’m 31 and I’ve been working as a Senior Design Engineer in API’s SSIA-UK (Secure Systems & Information Assurance) group, which makes the SST product line, for just over seven years.

Likes:

  • Nights out with friends
  • WW2 vintage aircraft
  • James Bond movies
  • Indie/pop music
  • Squash (I'll be turning semi-pro next year)
  • Skiing/snowboarding
  • Scuba diving, trekking & hiking

Dislikes:

  • Chinese food
  • Daytime TV
  • Cricket


Having been inspired in my childhood by my grandfather who flew with the RAF for 27 years, I grew up fascinated by aircraft, especially the design and operation of them. I took a degree in Aerospace Engineering but realised that although my interest in aircraft was unchanged, a design role within an aerospace company would not necessarily lend itself to the design creativity that I enjoyed.  I found that creative outlet seven years ago when I joined SST, and since then I've been lead in a number of design projects.

One of the advantages SST has is the confidence that our key customers have in our design abilities. I have been able to get involved from the start of a project, working with the customer to identify and prioritise their requirements, and then interpreting these into a robust, attractive, and commercially viable design.

I am always mindful of cost to the customer but also cost to SST!  For one of my projects, I took a commercially available rugged laptop and modified it to accommodate specific connectors and interfaces. Knowing that I have designed equipment that helps to protect data and aid communication, sometimes in difficult environments, is very rewarding.

Contact us to learn more about API's SST line of products.


Meet the Team | Secure Systems & Information Assurance

API's Most Exciting New Products of 2013: SST's TEMPEST Level A Laptop

by Karen Gait 20. December 2013 10:41

2013 was an exciting year at API.  Across divisions and across the world, the API team has introduced diverse new products ranging from tactical power supplies and microwave amplifiers to TEMPEST laptops and circular connectors.

This post is the first in a series looking back at some of the new and innovative products that API has launched over the past year.

..................................................

In order to be eligible to enter the competitive tendering process for a European MOD organisation, API's SST division needed to offer a TEMPEST level A laptop. During the tender process it was discovered that our current OEM was End of Life and, should we win, would not be available for this tender.

The tender criteria meant that cost was equally as important as technical compliance, and whilst the SST ethos is to produce the most aesthetically pleasing unit which exceeds the customer’s expectations with regards to functionality as well as appearance, this had to be tempered with a real focus on the unit cost of the laptop as European tenders are highly competitive.

 

Our design department was tasked with providing an attractive solution that met the target price identified by our sales team. I am proud that Sales and Engineering worked well together and compromised and cooperated to formulate a solution, ultimately resulting in the creation of the SN6570TF TEMPEST SDIP-27 Level A Laptop.

SST won the tender, and because of all the good work done when we produced the laptop, we came in under budget on material costs, the production team was able to meet the original anticipated build time, and we were able to send the customer an attractive, technically-compliant solution on time!

To me, this laptop highlights the benefits of a company like SST within an organisation like API.  We are small enough to be able to form close teams that work well and recognise each other’s skills and strengths, yet we have the backing of such a strong brand name as API which provides additional confidence to our customers during the tendering process.


Secure Systems & Information Assurance

Meet the Team: Greg Dussek, SST Design Engineer

by Karen Gait 14. November 2013 10:14

About Me
My name is Greg Dussek and I’ve been working as a Design Engineer at SST for just over 2 years since graduating from Bournemouth University with a first class degree in Product Design.   

Likes:

  • Motorbikes
  • Formula 1
  • MotoGP
  • Nights out with friends
  • Drum and Bass music
  • Cinema
  • Italian food

Dislikes:

  • Miranda Hart
  • Dumplings
  • Rainy days (can’t go fast on the bike!)

Thin Client SV510TF Design
Detailed below is an overview of my latest project and how I managed to fulfil the design brief and meet the cost expectations of the Sales Department.

The project brief was to design a TEMPEST Level A Thin Client using the HP510 OEM, with the main objective being to keep the unit as small and good looking as possible. My utilisation of right-angled connectors and small back shells meant that I was able to keep the final size not much bigger than the OEM donor unit. A risk when striving to minimise the product size is that assembly may prove impossible. I found that the best way to ascertain if production grade assembly would be possible was by using the triad point on parts in SolidWorks and manoeuvring them into position as they would be done on the shop floor. Once all components are mated in position, the Interference Validation test is a useful tool which highlights any parts which are touching or overlapping.

We are always trying to produce the most attractive products possible but I was also mindful of the cost associated with doing so. Often in our line of work aesthetics very much come second to function but on this occasion the SV510TF Thin Client was a great opportunity to design a stylish yet cost effective product. By adding an oversize radius on the top front of the box I was able to give it a more interesting form – but still maintaining a simple stylish look.

Adding this feature did increase the manufacturing cost, however by working with our supplier I was able to reduce costs in other areas to compensate. The welds were moved inboard to make it easier and quicker to manufacture and the silk screen was merged onto one screen to halve the cost.

In the design of TEMPEST products cooling is paramount. A waveguide-beyond-cutoff strategy is adopted with our hole sizes/position relative to each other to allow for cooling. I then shaped these holes on the top and front faces to arrow-like shapes pointing centrally down the unit, giving a symmetric effect. These “arrow” shapes also point towards the user interaction with the product, mainly the power button and USB ports.

The entire unit is made from 3 sheet metal parts and one simple machining. Reducing component quantities is a great way to reduce build time and save money. Wherever possible, larger, heavier items were kept at the bottom of the unit (PSU, fibre optic transceiver, IEC) to try and make the unit more stable. As a further option I designed a simple stand; this is unobtrusive to the design but provides even better stability.

All in all it’s a nice clean simple product. It looks brilliant and does the job required of it. The SV510TF is now CFTCS certified to TEMPEST level A and available through www.sst.ws with a variety of options.


Meet the Team | Secure Systems & Information Assurance

New SST™ Capabilities Overview

by Jaymie Murray 12. September 2013 15:43

Learn about all of API's SST™ division's capabilities in this brand new brochure! It includes updated info on our newest products, services, and other secure communications offerings.

Click the image to download the pdf version of the SST Capabilities Overview.


Secure Systems & Information Assurance

Fall Trade Show Preview: DSEI

by Jaymie Murray 8. August 2013 11:48

DSEI: September 10-13 at the ExCel London, Stand No S8-100
DSEI is the largest fully integrated defence and security show in the world, featuring Air, Naval, Land and Security show content.  Every two years, nearly 30,000 visitors flock to the ExCel in London to see the latest and greatest advances in defence and security technology.  API will once again be showcasing our newest and most exciting products at this year’s event.  Products to be featured include the AESA Scalable AAAU and a variety of TEMPEST, rugged, and secure communications solutions from our expanded line of SST / EMCON laptops, tablets, printers, thin clients, and enclosures.

API’s team loves to talk about our products and what they can do for our clients.  They will be available throughout the event and we invite you to schedule a one-on-one meeting with them.  Just complete this form and we will contact you to confirm a meeting time.  We'll see you in London!

[INFOGRAPHIC]: Meet the ION™ SA5600-SAL: Avaya® SAL Edition

by Andrew DiCecco 27. June 2013 10:24


Infographics | Secure Systems & Information Assurance
