I was performing a risk assessment for a small company several months before the Target breach went public.
While scanning the external perimeter of the company's network, I discovered a Web server that was controlling its heating, ventilation and air conditioning systems. The Web server was rife with vulnerabilities and allowed easy access into the company's internal systems. I contacted the company and disclosed what I had found and recommended that the system be taken off the Internet immediately. My contact at the company didn't understand the risk at first, but eventually took the system off the Internet. We talked again after the Target incident went public about the role the HVAC contractor played in the breach. The company finally realized how close it had come to being a data breach statistic.
This HVAC issue is just one small example of a problem that has quickly grown to epic proportions in information security. All too often vendors that need remote access for maintaining and supporting customers' internal systems do not consider the security implications. Time and again, we've seen vendors build their systems with only their convenience and ease of maintenance in mind. Their systems are sometimes even built with software that is no longer supported and therefore is full of vulnerabilities and impossible to patch.
Perhaps even worse is that third-party vendors use poorly conceived, insecure business processes to manage these systems. It is common to find vendors using the same administrative passwords on systems installed at all of their customers' sites. They will put Post-it notes up around their cubicles with passwords to a company's systems.
These situations sound bleak, but fortunately this is one area where information security professionals can utilize existing technologies and tactics to make dramatic improvements to third-party vendor management without additional expenses. That's what we'll discuss in this tip.
There are four key steps to improving the security of third-party vendor management:
Standardize remote access methodologies
Every vendor uses a different method to access its devices on a network. Some use Cisco WebEx or a similar Web conferencing tool, while others prefer a site-to-site VPN connection. It can become difficult to manage all of these remote access technologies securely, so the organization needs to define a few remote access methodologies that it will allow. This simplifies the environment and makes it easier to inventory the connections made to the organization's network.
Detect and block unauthorized remote access technologies
New Web-based remote access tools appear every day, and vendors take advantage of them. Don't assume that a vendor will always use the same port or protocol -- it's necessary to actively monitor how vendors and partners access the network. Information security teams can monitor and block unauthorized connections using existing tools like Web filters or next-generation firewalls (NGFWs). These systems usually have regularly updated application categories, including remote access tools, that can be blacklisted. Intrusion detection systems (IDSes) can also be tuned to look for these types of connections, alerting on those initiated from inside the network perimeter. Workstation management tools can search for remote access software installed on the organization's computers and then uninstall it.
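As an added illustration of the monitoring described above (example code, not from the original tip), the script below runs a small allowlist check over constructed connection-log lines: any remote-access destination that is not the organization's standardized method is flagged for blocking, and the approved method is flagged when it is used from a host outside the vendor-access zone. The category table, the 10.50.0.0/16 vendor zone, the log format and every hostname and address are assumptions made for the example.

```python
"""Flag remote-access sessions that fall outside the approved methods.
Log format and every value below are constructed for this example."""
import ipaddress

# Illustrative category table. A real deployment would use the Web filter's
# or NGFW's maintained application categories instead of a hand-kept dict.
REMOTE_ACCESS_HOSTS = {
    "webex.com": "web-conferencing",
    "teamviewer.com": "remote-control",
    "logmein.com": "remote-control",
}
# The only remote-access method this organization has standardized on.
APPROVED_HOSTS = {"webex.com"}
# Assumed: vendor sessions may originate only from the vendor-access zone.
VENDOR_ZONE = ipaddress.ip_network("10.50.0.0/16")

def parent_domain(host):
    """Reduce a hostname to its last two labels (enough for this table)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def inspect_line(line):
    """Return a finding for one 'ts src dst_host dst_port' line, or None."""
    ts, src, host, port = line.split()
    domain = parent_domain(host)
    category = REMOTE_ACCESS_HOSTS.get(domain)
    if category is None:
        return None  # not a remote-access destination at all
    if domain not in APPROVED_HOSTS:
        return f"{ts} BLOCK {src} -> {host}:{port} unapproved {category} tool"
    if ipaddress.ip_address(src) not in VENDOR_ZONE:
        return f"{ts} ALERT {src} -> {host}:{port} approved tool used outside vendor zone"
    return None

def scan(lines):
    """Run every line through inspect_line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log: approved session, unapproved tool, approved tool
# from the wrong zone, and an unrelated connection that should stay quiet.
SAMPLE_LOG = """\
2014-01-15T10:22:01Z 10.50.7.21 meetings.webex.com 443
2014-01-15T10:23:40Z 10.50.7.21 router1.teamviewer.com 5938
2014-01-15T10:25:02Z 10.20.3.9 meetings.webex.com 443
2014-01-15T10:26:11Z 10.20.3.9 intranet.example.com 443
""".splitlines()
```

Running `scan(SAMPLE_LOG)` yields one BLOCK finding for the unapproved tool and one ALERT for the approved tool used from the corporate LAN; the other two lines produce nothing.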
Segregate remote access into firewalled zones
Building a secure network is similar to building a submarine. Submarines are compartmentalized so that flooding can be contained and not allowed to spread to all areas of the ship. A secure network can be built with the same type of design mentality. A vendor should get remote access to only a specific segment of the network that is kept firewalled from other network assets. This limits the damage that can be done if the vendor is compromised. Target must not have followed this access method, since its point-of-sale systems were accessible via its HVAC systems. Compartmentalized remote access could have limited the Target attack to only its HVAC systems, and that would likely have been much less serious.
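The compartment check below is an added example (not from the original tip) of how to verify the "submarine" design before a vendor is connected: it walks a simplified zone-to-zone firewall allow list transitively and reports every zone the vendor zone can reach beyond the one it is permitted to. The zone names and both policies are constructed; the flat policy models the HVAC-to-POS path the text describes, the segmented one keeps HVAC as an island.

```python
"""Check that a zone-based firewall policy keeps vendor access compartmentalized.
Zone names and rules are constructed for this example; the policy model is a
simplified list of (src_zone, dst_zone) allow rules, not any vendor's syntax."""
from collections import deque

def reachable_from(zone, allow_rules):
    """Zones reachable from `zone` by following allow rules transitively.

    Transitivity is the point: if the vendor can reach HVAC and HVAC can reach
    POS, the vendor has a path to POS even though no rule says so directly.
    """
    seen, queue = set(), deque([zone])
    while queue:
        cur = queue.popleft()
        for src, dst in allow_rules:
            if src == cur and dst != zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def check_compartment(vendor_zone, permitted, allow_rules):
    """Return the zones the vendor zone can reach but is not permitted to."""
    return sorted(reachable_from(vendor_zone, allow_rules) - set(permitted))

# Flat design: the vendor lands on HVAC, and HVAC can talk to the POS network.
FLAT_POLICY = [
    ("vendor-vpn", "hvac"),
    ("hvac", "pos"),
    ("hvac", "corp-lan"),
]

# Compartmentalized design: HVAC is an island; nothing is allowed out of it.
SEGMENTED_POLICY = [
    ("vendor-vpn", "hvac"),
    ("corp-lan", "hvac"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        leaks = check_compartment("vendor-vpn", ["hvac"], policy)
        print(name, "OK" if not leaks else "vendor can reach: " + ", ".join(leaks))
```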
Contracts and auditing
Vendors that access an organization's network should be required to sign contracts or other agreements that mandate their compliance with organizational security policies. There should be language in these agreements that gives the organization the right to audit the vendor for compliance with these security policies. This can be difficult to execute in some organizations since it requires information security teams to have a seat at the table during purchasing and contract discussions, but it goes a long way toward setting the tone of the discussion about the seriousness of information security at the organization. It can also be beneficial to require vendors to go through the organization's security awareness training.
It is critical that organizations manage the risk involved with remote access for third-party vendors. Target certainly won't be the last company that falls victim to this type of security threat. Organizations can manage these risks using existing information security technologies, such as Web filters and NGFWs, to enforce standard remote access methodologies. They can also limit any damage from a vendor compromise by compartmentalizing the network and limiting vendor access. Finally, contracts can mandate vendor compliance with information security policies through auditing and potential penalties.
For some organizations, implementing these changes will seem like a daunting task. However, taking a lesson from Target, it's far better to put the work in now to secure third-party vendors before a breach ever occurs, than to work overtime later to clean up a breach that could have been avoided.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in healthcare information technology. He is an active independent author and presenter in the healthcare information technology and information security fields. He is frequently consulted by the media and interviewed about various healthcare information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade, with many different implementations in the medical and financial services industries.