Threats From Third Party Vendors Demand Vigilance

by B.K. DeLong

Wikileaks’ decision this week to post the first of five million emails from Texas-based strategic intelligence firm Stratfor shone a spotlight on what experts say is a serious and growing problem: lax data, network and physical security at third party vendors and service providers. But organizations that think they can wash their hands of the security mess caused by business partners and contractors may be in for a rude awakening.

On Monday, the whistle blower and information leak Web site posted the first of what it claims are 5 million pilfered emails from Texas-based strategic intelligence firm Stratfor. The data, allegedly taken in a hack by the hacking group Anonymous, includes client details from such companies as Dow Chemical, Coca-Cola, Lockheed Martin, Northrop Grumman, Raytheon, government agencies and the military. We don’t know yet what the consequences of the breach will be for Stratfor, but in a public statement, the company’s CEO has apologized for the incident and for the damage caused to its customers. There’s every reason to believe that he’ll need to do more than offer apologies.

More than ever, private and public sector organizations rely on complex webs of third party vendors to operate. Those include IT-based services, such as providing support and managing data backup and storage activities. But they also extend to critical functions such as payroll services, human resources, health insurance, bill collection, relocation services and more. The advent of cloud-based computing has added legions of cloud computing vendors to the list with Infrastructure as a Service (IaaS) or Software as a Service (SaaS) offerings. The risks posed by third parties are a hot topic of conversation at the RSA Security Conference in San Francisco this week, where sessions have addressed everything from the security of outsourcing firms to supply chain partners to consumer-focused application markets like Apple’s App Store.

Today, third party suppliers and business partners may have a direct connection or feed between them and their customer’s network and often play a critical role in the success of that client’s business operations. Even where logical access is absent, the failure of third party providers can have a big impact on an organization’s risk posture.

In just one example, in January, contractor SAIC was hit with its second $4.9B class-action lawsuit (the first was in October of last year, also seeking $4.9B) for the theft from an employee’s car of backup tapes containing 4.9 million medical records of customers of TRICARE, the health insurer for the Department of Defense.

The 2011 Verizon Data Breach Investigations Report (DBIR) found that “most assets encountered during their investigations were hosted internally, but half were fully or partly managed by a third party” and “overall, both hosting and management were a little more likely to be handled by external parties in 2010 compared to prior years”. Trustwave’s 2012 Global Security Report found that in 76% of data breach investigations, the third party responsible for system support, development or maintenance had introduced the security deficiencies exploited by attackers.

How critical the assets a third party vendor can access are, the value of those assets, and their relative security in the third party’s hands are what truly determine the risk ranking for each vendor. Sadly, many firms rely on questionnaires for third party assessments due to time limitations. This lets their vendors merely say they perform security best practices and have controls for VPN access, access, encryption, intrusion detection / prevention, termination of access & privilege review, and web application security. The question is whether the answers given on the questionnaire are, in truth, fact. Many times the only way to find out is when a breach occurs.

Our nation’s financial regulators have put in place controls that require organizations to do due diligence for third party vendor risk. These regulations include the Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley. Similarly, the Department of Health and Human Services uses HIPAA to regulate protection of an individual’s health data. Add to those federal regulations the many state “data breach” laws, such as the Commonwealth of Massachusetts 201 CMR 17.

As of March 1, 2012, any business in the U.S. with customers in the Commonwealth will be required to have their own third party suppliers or service providers sign contracts stating they will “maintain appropriate security measures to protect such personal information consistent” with 201 CMR 17, as well as “any applicable federal regulations” according to section 17.03(2)(f)(2).

In the financial services sector, the Office of the Comptroller of the Currency (or “OCC” – regulator of all U.S. banks) issued “Cease & Desist” orders against eight of the nation’s largest mortgage bankers. These included Bank of America, PNC, Wells Fargo and Goldman Sachs. The orders cited “unsafe and unsound” practices and required those institutions to show policies in place within 60 days and implemented within 120 days that ensure due diligence on potential and current Third-Party Provider qualifications. Those include the provider’s expertise, capacity, reputation, complaints, information security, document custody practices, business continuity, and financial viability. The policies must also ensure adequacy of Third-Party Provider staffing levels, training, work quality, and workload balance.

Despite this evidence of a tougher stance by state and federal regulators, the unfortunate truth is that many third party providers are able to achieve compliance with little more than a pen and paper: submitting copies of SAS 70/SSAE 16 self-attestations of their regulatory compliance. These are often good enough to meet what the regulations require, even when the risk warrants an on-site visit.

The companies they serve often choose not to press their vendors for more information because of a lack of time and money.

An example: one security executive from a Fortune 500 firm who was attending The RSA Conference talked to me about a managed services provider that had contracted with his company. The MSP was compliant with account management system policies on paper. But the MSP apparently became so concerned with high turnover among its support team that it gamed the password reset setup to keep accounts of former employees active, choosing the same challenge questions and answers. The vendor continued to use the accounts to access their customer’s network, making the size of the managed support staff seem larger than it was, and creating an incredible threat to their client’s risk posture.

What’s missing? Too few industries have mechanisms to determine whether a service provider’s “vendor risk” program is up to standards. This is why an extra degree of vigilance and diligence is needed when calculating each third party’s true risk score, and why following through with on-site visits when needed is key to a more successful program. Don’t let a vendor leave your business exposed. It’s time to take control.

 

–B.K. DeLong is a Risk Engagement Specialist with KLC Consulting, Inc. working in the Boston, MA area.

 

 

Discussion

  • Anonymous on

    I have some third parties that will not listen to my concerns no matter how valid they are. They refuse to deal with and admit the problem is there because they do not want to spend the money. 

  • B.K. DeLong on

    Without more information it's hard to give further insight but if they are refusing to deal with the problem and admit there is one but are still vendors, then it appears you need their services or are tied into some sort of challenging contractual relationship. Do you have the backing of company management with regards to your concerns?

    Either way, you may be able to make use of the provision in MA 201 CMR 17 that states they have to sign a contract that they will "maintain appropriate security measures to protect such personal information consistent" with 201 CMR 17 (meaning be in compliance with the regulation), as well as "any applicable federal regulations" that may apply to your company or theirs.

    If your company or they have customers in the Commonwealth of MA and any of your concerns fall under "appropriate security measures" in the state data privacy law then perhaps this may be a way to bring some attention to the matter.

     

  • lrlucas on

    Just goes to show that OUTSOURCING is, in most cases, a bad decision! I've seen many companies start down this road only to disappear or be sold off in pieces to ever consider outsourcing ANYTHING! They usually fall into this trap because a paid consultant sells them on the idea of "core competencies" and the corollary of outsourcing anything that is not a "core competency". The truth is that anything critical to the running of a company is a core competency with the exceptions of janitorial service or food service.

  • Anonymous on

    You hit it on the head B.K. good old contract. I received an email today from a case I have had open since August that they are working on securing the product. I have my doubts that it will be band-aids and workarounds so I asked for the details of what they are changing because I do not trust them. Have to see what happens from this point only took me seven months to prove something needs to be changed.

  • B.K. DeLong on

    Let me know how use of the new contract-enforcement effort goes. Many don't know/realize that the regulation just had that rule go into effect yesterday so I suspect we'll be hearing more about it.

  • Poornima M on

    Let me know if any conferences or trainings available on cyber security

  • Jack Anderson on

    Your article is very timely. We work in the healthcare industry supplying HIPAA HITECH compliance services with a SaaS model. HHS estimates that there are 1.5 million business associates and another 1.5 million sub-contractors of these business associates that handle PHI from the covered entities. These BAs and Subs have been responsible for 62% of the patient records breached including the 4.9 million breached by SAIC. The covered entities have been relying on business associate agreements which have turned out to be useless since the BAs will sign anything, file it, and forget it.

    The subject of BA monitoring is becoming a hot issue and we are developing services to address the concerns.

  • Anonymous on

    Well done on your blog.  I always find it informative and useful. It really keeps me up to date.

    A really  BIG THANK YOU :)
