by B.K. DeLong
Wikileaks’ decision this week to post the first of five million emails from Texas-based strategic intelligence firm Stratfor shone a spotlight on what experts say is a serious and growing problem: lax data, network and physical security at third party vendors and service providers. But organizations that think they can wash their hands of the security mess caused by business partners and contractors may be in for a rude awakening.
On Monday, the whistle blower and information leak Web site posted the first of what it claims are 5 million pilfered emails from Texas-based strategic intelligence firm Stratfor. The data, allegedly taken in a hack by the hacking group Anonymous, includes client details from such companies as Dow Chemical, Coca-Cola, Lockheed Martin, Northrop Grumman, Raytheon, government agencies and the military. We don’t know yet what the consequences of the breach will be for Stratfor, but in a public statement, the company’s CEO has apologized for the incident and for the damage caused to its customers. There’s every reason to believe that he’ll need to do more than offer apologies.
More than ever, private and public sector organizations rely on complex webs of third party vendors to operate. Those include IT based services, such as providing support and managing data backup and storage activities. But they also extend to critical functions such as payroll services, human resources, health insurance, bill collection, relocation services and more. The advent of cloud based computing has added legions of cloud computing vendors to the list with Infrastructure as a Service (IaaS) or Software as a Service (SaaS) offerings. The risks posed by third parties is a hot topic of conversation at the RSA Security Conference in San Francisco this week, where sessions have addressed everything from the security of outsourcing firms to supply chain partners to consumer-focused application markets like Apple’s App Store.
Today, third party suppliers and business partners may have a direct connection or feed between them and their customer’s network and often play a critical role in the success of that client’s business operations. Even where logical access is absent, the failure of third party providers can have a big impact on an organizations’ risk posture.
In just one example, in January, contractor SAIC was hit with its second $4.9B class-action lawsuit (the first was in October of last year, also seeking $4.9B) for the theft of backup tapes from an employee’s car containing 4.9 million TRICARE customer medical records – the organization is the health insurer for the Department of Defense.
The 2011 Verizon Data Breach Investigations Report (DBIR) found that “most assets encountered during their investigations were hosted internally, but half were fully or partly managed by a third party” and “overall, both hosting and management were a little more likely to be handled by external parties in 2010 compared to prior years”. Trustwave’s 2012 Global Security Report found that 76% of data breach investigations found that the third-party responsible for system support, development or maintenance introduced the security deficiencies exploited by attackers.
The more critical the assets third party vendors have access to, the value of those assets and their relative security in the third party’s hands is what truly helps determine the risk ranking for each vendor. Sadly, many firms rely on questionnaires for 3rd party assessments due to time limitations. This lets their vendors merely say they perform security best practices and have controls for VPN access, access, encryption, intrusion detection / prevention, termination of access & privilege review, and web application security. The question arises as to whether what is on the questionnaire as response is, in truth, fact. Many times the only way to find out is when a breach occurs.
Our nation’s financial regulators have put in place controls that require organizations to do due diligence for third party vendor risk. These regulations include the Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley. Similarly, The Department of Health and Human Services uses HIPAA to regulate protection of an individual’s health data. Add to those federal regulations the many state “data breach” laws, such as the Commonwealth of Massachusetts 201 CMR 17.
As of March 1, 2012, any business in the U.S. with customers in the Commonwealth will be required to have their own third party suppliers or service providers sign contracts stating they will “maintain appropriate security measures to protect such personal information consistent” with 201 CMR 17, as well as “any applicable federal regulations” according to section 17.03(2)(f)(2).
In the financial services sector, The Office of the Comptroller of the Currency (or “OCC” – regulator of all U.S .banks) issued “Cease & Desist” orders against eight of the nation’s largest mortgage bankers. These included Bank of America, PNC, Wells Fargo and Goldman Sachs, citing “unsafe and unsound” practices and requiring those institutions to show policies in place within 60 days and implemented within 120 days that ensure due diligence on potential and current Third-Party Provider qualifications. Those include the provider’s expertise, capacity, reputation, complaints, information security, document custody practices, business continuity, and financial viability, and to ensure adequacy of Third-Party Provider staffing levels, training, work quality, and workload balance.
Despite this evidence of a tougher stance by state and federal regulators, the unfortunate truth is that many third party providers are able to achieve compliance with little more than a pen and paper: submitting copies of SAS 70/SSAE 16 self-attestations of their regulatory compliance. These are often good enough to meet what the regulations require, even when the risk warrants an on-site visit.
The companies they serve often choose not to press their vendors for more information because of a lack of time and money.
An example: one security executive from a Fortune 500 firm who was attending The RSA Conference talked to me about a managed services provider that had contracted with his company. The MSP was compliant with account management system policies on paper. But they apparently became so concerned with high turnover among its support team that the MSP had gamed the password reset setup to keep accounts of former employees active and by choosing the same challenge questions and answers. The vendor continued to use the accounts to access their customer’s network, making the size of the managed support staff seem larger than it was, and creating an incredible threat to their client’s risk posture.
What’s missing? Too few industries have mechanisms to determine whether a service provider’s “vendor risk” program is up to standards. This is why an extra degree of vigilance and diligence are needed when calculating each third party’s true risk score and following through with on-site visits when needed is key to a more successful program. Don’t let a vendor leave your business exposed. Its time to take control.
–B.K. DeLong is an Risk Engagement Specialist with KLC Consulting, Inc. working in the Boston, MA.-area.
