
Are you putting information at risk by using contractors?

Contractors can become the source of a security breach. This feature looks at the risk management steps, including access control and policies, that organizations should take when hiring contractors. A sidebar examines how a health care company uses NAC to control contractor access.

The contractor you hire can become the source of a security breach unless you take precautions.

Contractors and consultants are commonplace and often embedded in many organizations. The use of third parties to augment capabilities adds tremendous flexibility to an organization. Contractors are vital resources that can help companies meet short-term demands and infuse skills and energy to help tackle even the most complex problems. At the same time, they pose tremendous risks to the organization.

To do the job they've been hired for, contractors need connectivity to an organization's internal network services and data. Oftentimes they have access to very sensitive corporate data, including trade secrets, strategic plans and other intellectual property. And an organization--in a rush to hire a third party for help on a project or simply shorthanded--might not have time for due diligence or the resources to provide adequate supervision. All that adds up to increased risk for either accidental loss or malicious theft of data.

But organizations don't have to shy away from hiring outside experts who can help advance their business. There are many steps organizations can take to offset the risks, including oversight, access controls, implementing and enforcing sound policies, and technical solutions. Taking these precautions can help ensure contractors don't become a liability to your business.

When Contractors Go Bad
Here is a sampling of incidents involving contractors either losing, stealing or accidentally exposing client data.
Source: Privacy Rights Clearinghouse

  • February 16, 2006
    Blue Cross and Blue Shield of Florida:
    Contractor sends names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies.
  • May 30, 2006
    Texas Guaranteed Student Loan Corp.:
    Employee at Hummingbird, a subcontractor for Texas Guaranteed, loses a piece of equipment containing names and Social Security numbers of TG borrowers.
  • June 2, 2006
    Ahold USA:
    During a commercial flight, an EDS employee loses a laptop that contains pension data of former employees of Ahold's supermarket chains, including Social Security numbers, birth dates and benefit amounts.
  • July 29, 2006
    Sentry Insurance:
    Personal information on workers' compensation claimants is stolen, and some later sold on the Internet. Thief was a lead programmer-consultant who had access to claimants' data.
  • August 4, 2006
    Toyota plant in Texas:
    Laptop belonging to contractor and containing personal information of job applicants and employees is stolen. Data includes names and Social Security numbers.
  • September 5, 2006
    Transportation Security Administration (TSA):
    Accenture, a contractor for TSA, mails documents containing former employees' Social Security numbers, dates of birth and salary information to the wrong addresses due to an administrative error.
  • October 23, 2006
    Sisters of St. Francis Health Services:
    A contractor working for medical billing records firm Advanced Receivables Strategy misplaces CDs containing unencrypted personal information of 266,200 St. Francis patients, employees and physicians.
  • December 14, 2006
    Bank of America:
    A former contractor for Bank of America accesses--without authorization--the personal information of an undisclosed number of customers in order to commit fraud.

Too Close for Comfort
While an organization may have a robust and effective perimeter security architecture, it becomes of little value when we hire contractors and allow them access into the network either onsite or remotely. Once inside the security perimeter, they can freely navigate company systems and networks, often with little monitoring.

In many cases, contractors are employed for only a short time and not always subject to the same scrutiny as new employees, and are often hired because of inadequate internal resources or competencies. In either scenario, the contractor is immediately placed in a potentially powerful position because their expertise is probably superior to anyone on staff.

Compounding this, contractors are often hired to perform extremely sensitive work, such as programming, systems administration and network security.

In addition, a trend toward longer-term arrangements with third parties can compound the risk, says Pete van de Gohm, CISO of Bayer, North America: "Longer-term contractors can be mistaken to be corporate employees by both outsiders and insiders." This familiarity tends to result in a company giving a contractor even more access to sensitive information.

Over time, continued reliance on an individual contractor will increase the risk to an organization and the consultant becomes more difficult to replace or terminate--a phenomenon that can be called "dependency risk." As the contractor becomes more entrenched, there is a tendency to provide less oversight. As dependency grows, unscrupulous contractors may exploit the company's overreliance by intimidating it with threats of sudden departure or worse.

And of course, there is always the threat of thieves who work under the guise of short-term employment in order to purposefully infiltrate an organization and steal data or conduct corporate espionage.

ISO Outlines Guidelines
Organizations can look to an industry standard for help in securing contractor relationships.
By Jonathan Gossels

Section 8 of the ISO 17799/27002 standard provides guidance about IT controls for contractors. The underlying principle is that organizations should handle security of their contractors and third-party users the same as they do their regular employees:
    Prior to employment
  • Security roles and responsibilities should be defined and documented in accordance with the organization's information security policy.
  • Background verification checks on all candidates should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, classification of the information to be accessed, and perceived risks.
  • As part of their contractual obligation, employees, contractors and third-party users should agree and sign the terms and conditions of their employment contracts, which should state their and the organization's responsibilities for information security.
    During employment
  • Management should require employees, contractors and third-party users to apply security in accordance with established policies and procedures of the organization.
  • All employees of the organization and, where relevant, contractors and third-party users, should receive appropriate security awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
  • There should be a formal disciplinary process for those who have committed a security breach.
    Termination or change of employment
  • Responsibilities for performing employment termination or change in employment should be clearly defined and assigned.
  • All employees and contractors should return all of an organization's assets in their possession upon termination of their employment, contract or agreement.
  • Access rights to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Jonathan Gossels is president of SystemExperts.

The most logical first step in addressing contractor risks is to perform a risk assessment. This should include identification of the threats, vulnerabilities, impact and likelihood of a security breach associated with contractors.

The best mitigation of the risks is knowledge--knowing who you're hiring through screening such as background searches and reference checks--and oversight. Who is watching the contractor, and do they understand in detail what the contractor is supposed to be doing? In other words, does the manager have technical competency in the area that is outsourced? The ability to observe and understand the third party's work helps reduce risks.

In addition, oversight should include system usage monitoring, regular status reporting, and establishment of goals and milestones. Actual oversight, however, depends on the nature of the contractor's job and sensitivity of the data he or she is handling.

Failing to provide adequate secure file-transfer capabilities opens the door to additional risk: it can encourage contractors to handle sensitive data in unsecured ways, such as downloading large amounts of data to their local hard drives or sending information via clear-text email. Either action exposes the organization, yet without an alternative the contractor will resort to something like it in order to complete an assigned task.

Access Control
Access controls are key to contractor security. Third-party access to critical systems and data must be limited to the minimum required to perform the assigned job. This concept of "least privilege" is central to limiting the contractor's view, thereby controlling the risk of unauthorized information access.

However, unstructured information, such as data in email, is notoriously harder to protect because of the lack of traditional database access controls and the ease with which information can be forwarded to others within and outside of the organization. Consequently, access controls should also be viewed from an information perspective, not just a system perspective. This means not just controlling access to systems, but restricting access to specific data sets. For example, don't give a contractor access to the credit system but rather allow access to specific accounts he will service.

This need for controlling information access may be especially true when it comes to application development, according to Dan Kennedy, vice president of information security for Pershing LLC, a subsidiary of The Bank of New York. "The big concern in development is using offshore contractors. ...By the nature of the job, they will have a lot of access," he says.

Some organizations don't give contract developers access to production data, yet the data in the test or development systems is none other than a complete copy of the production data.

"It's very common for some [organizations] to copy production data to create test data," says Tony Meholic, vice president of security and business continuity officer for BSC Services. "If you are going to use contractors, you need to develop some test data. You can copy the production data and then modify the personal customer information so that it cannot be used for anything other than testing."
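The approach Meholic describes, copying production data and altering the personal fields so the copy is useless for anything but testing, as an added example that is not code from the article or from BSC Services. It masks name, SSN and email with a keyed hash so the same customer maps to the same fake values in every record (joins between tables still work) while the real values cannot be recovered without the key, which stays with the team that prepares the extract. The records, field names and masking key are constructed for the example.

```python
"""Build a test dataset from a production copy by masking personal fields.

Added example (not from the article or from BSC Services): the production
records, field names and key below are constructed assumptions.
"""
import hashlib
import hmac
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _digest(value: str, key: bytes) -> bytes:
    """Keyed hash: the same production value always masks to the same test
    value, but nobody holding only the test copy can reverse it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def mask_ssn(ssn: str, key: bytes) -> str:
    """Format-preserving replacement using a 900-999 area number, which the
    Social Security Administration does not issue, so the value is
    recognisably synthetic and cannot belong to a real person."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    n = int.from_bytes(_digest(ssn, key)[:8], "big")
    area = 900 + n % 100
    group = 1 + (n // 100) % 99
    serial = 1 + (n // 9900) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_name(name: str, key: bytes) -> str:
    """Stable pseudonym derived from the keyed hash."""
    return "Customer-" + _digest(name, key).hex()[:8]


def mask_email(email: str, key: bytes) -> str:
    """Keeps an address shape but points at a reserved documentation domain."""
    return "user-" + _digest(email, key).hex()[:10] + "@example.com"


# Fields that identify a customer; everything else is kept as-is for testing.
MASKERS = {"name": mask_name, "ssn": mask_ssn, "email": mask_email}


def mask_record(record: dict, key: bytes) -> dict:
    out = dict(record)
    for field, masker in MASKERS.items():
        if field in out:
            out[field] = masker(out[field], key)
    return out


def build_test_dataset(records, key: bytes):
    masked = [mask_record(r, key) for r in records]
    # Sanity check before handing the copy to contractors: no original
    # identifying value may survive into the test data.
    originals = {r[f] for r in records for f in MASKERS if f in r}
    for m in masked:
        for f in MASKERS:
            if m.get(f) in originals:
                raise RuntimeError(f"unmasked {f} leaked into test data")
    return masked


# Constructed sample of a production extract (fictional people; account 1003
# belongs to the same customer as 1001 so the consistency property is visible).
PRODUCTION_COPY = [
    {"account": 1001, "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@corp.example", "balance": 2500.00, "state": "NJ"},
    {"account": 1002, "name": "Bob Example", "ssn": "987-65-4321",
     "email": "bob@corp.example", "balance": -120.50, "state": "TX"},
    {"account": 1003, "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@corp.example", "balance": 75.00, "state": "NJ"},
]

# Known only to the team preparing the extract; constructed value.
MASKING_KEY = b"rotate-me-per-extract"

if __name__ == "__main__":
    for row in build_test_dataset(PRODUCTION_COPY, MASKING_KEY):
        print(row)
```

Balances, states and account numbers pass through unchanged, which is what makes the copy useful for testing; if the business data itself were sensitive it would need its own masking rule rather than being passed through.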

In addition to limiting access, organizations should establish user accounts for contractors that automatically expire at short intervals, forcing the hiring manager to reapply for the contractor's access rights.

Recertification of all access privileges is a technique to force systems administrators to remove privileges no longer needed. Contractors in large organizations frequently rotate to different departments once assignments are completed, but often retain the same level of system access, says Bayer's van de Gohm.

"Forcing hiring managers to reapply for access is a control that ensures long-term contractors that move from manager to manager are periodically re-evaluated," and only have access to the information they need for their current role, he says.
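An added example (not code from the article, from Bayer or from Pershing) that puts the two controls above together: grants scoped to specific records rather than a whole system, as in the credit-account example earlier, and contractor access that expires after a short interval unless the hiring manager re-applies, with a recertification report listing what has lapsed and what is due. The grant lifetime, warning window, contractors, managers, systems, record keys and dates are all assumptions.

```python
"""Contractor access grants with data-set scope, automatic expiry and a
recertification report.

Added example, not from the article, Bayer or Pershing: all names, dates and
policy numbers below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values: a contractor grant lives this long before the hiring
# manager must re-apply, and the report warns this many days ahead.
GRANT_LIFETIME_DAYS = 90
RECERT_WARNING_DAYS = 14


@dataclass
class Grant:
    contractor: str
    manager: str            # the hiring manager accountable for this access
    system: str             # e.g. "credit"
    scope: frozenset        # specific record keys, never the whole system
    issued: date
    expires: date = None

    def __post_init__(self):
        if self.expires is None:
            self.expires = self.issued + timedelta(days=GRANT_LIFETIME_DAYS)

    def active(self, today: date) -> bool:
        return self.issued <= today < self.expires


def check_access(grants, contractor, system, record, today):
    """Least privilege at the information level: allowed only if an active
    grant names both the system and this specific record."""
    for g in grants:
        if (g.contractor == contractor and g.system == system
                and record in g.scope and g.active(today)):
            return True
    return False


def recertification_report(grants, today):
    """Grants that have expired (remove the access now) and grants that expire
    soon (the manager must re-apply). A grant nobody re-applies for simply
    lapses, which is the point of short-lived contractor accounts."""
    expired = [g for g in grants if today >= g.expires]
    due = [g for g in grants
           if g.expires > today and (g.expires - today).days <= RECERT_WARNING_DAYS]
    return expired, due


def renew(grant, manager, today):
    """Re-issue a grant only through its own hiring manager. A contractor who
    has moved to another department gets a fresh grant with its own scope
    instead of carrying the old one along."""
    if manager != grant.manager:
        raise PermissionError("new manager must request a new grant with its own scope")
    return Grant(grant.contractor, manager, grant.system, grant.scope, today)


# Constructed grants: one contractor servicing two credit accounts, another
# on a billing job whose grant was issued months ago.
GRANTS = [
    Grant("c.contractor", "m.smith", "credit",
          frozenset({"ACC-1001", "ACC-1002"}), date(2007, 1, 10)),
    Grant("d.contractor", "m.jones", "billing",
          frozenset({"INV-42"}), date(2006, 10, 1)),
]

if __name__ == "__main__":
    today = date(2007, 4, 1)
    print(check_access(GRANTS, "c.contractor", "credit", "ACC-1001", today))
    expired, due = recertification_report(GRANTS, today)
    print("expired:", [g.contractor for g in expired])
    print("due for recertification:", [g.contractor for g in due])
```

The access check deliberately has no "whole system" grant type; if a job genuinely needs everything, that is a decision the hiring manager should make explicitly by enumerating it, and the recertification report will surface it every cycle.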

A NAC for Securing Contractors
A network access control appliance helps a health care company manage contractors' access to corporate resources.
By Marcia Savage

On any given day, accountants, IT contractors and vendors come into the Florham, N.J., headquarters of Managed Healthcare Associates needing network or Internet access. To control these outsiders--and protect corporate assets--MHA uses a network access control appliance from Vernier Networks.

With Vernier's EdgeWall, contractors and other third parties at MHA--a provider of contract purchasing services to long-term care pharmacies--are granted access to the network resources appropriate for their roles. For example, an accountant might get a certain amount of Internet bandwidth and printer access but no access to file shares.

"You know you're doing as much as possible to be flexible--assign someone a policy, or a permission set, that allows them access to the network but in a controlled fashion," says Gregory Thomas, vice president of IT at MHA.

EdgeWall, which doesn't require client-side software, allows the company to authenticate not only users but their machines, and screens machines for viruses, worms and spyware before allowing them onto the network.

The appliance also acts as a monitoring and reporting tool, tracking when a contractor is logged in, and what he or she accessed or was denied access to, or copied. If a contractor is downloading more data than his role allows, the device gives MHA the ability to block the activity or issue an alert.

Marcia Savage is features editor of Information Security.
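The kind of monitoring the sidebar describes, in generic form as an added example that is not code from the article, MHA or Vernier Networks: allowed and denied resource accesses are totalled per contractor from an access log and compared with the byte allowance of that contractor's role, raising an alert for anyone over the limit or for an account with no assigned role at all. The log format, roles, limits and log lines are constructed.

```python
"""Flag contractors whose download volume exceeds their role's allowance.

Added example, not from the article, MHA or Vernier Networks: the log
format, the roles, the byte limits and the log lines are constructed.
"""
from collections import defaultdict

# Per-role daily download allowance in bytes (assumed policy values).
ROLE_LIMITS = {"accountant": 50_000_000, "it-contractor": 500_000_000}

# Role assignments for the accounts seen in the log (constructed).
ROLES = {"acct01": "accountant", "acct02": "accountant", "itc07": "it-contractor"}

# Constructed access log, one event per line:
#   timestamp  user  ALLOW|DENY  resource  bytes
SAMPLE_LOG = """\
2007-03-12T09:01:10 acct01 ALLOW /shares/finance/q1.xls 2400000
2007-03-12T09:05:42 acct01 DENY  /shares/hr/payroll.mdb 0
2007-03-12T10:12:03 itc07  ALLOW /shares/builds/image.iso 380000000
2007-03-12T10:40:19 acct01 ALLOW /shares/finance/ledger.bak 61000000
2007-03-12T11:02:00 acct02 ALLOW /shares/finance/ar.xls 1200000
2007-03-12T11:30:55 itc07  ALLOW /shares/builds/image2.iso 150000000
2007-03-12T12:00:00 guest9 ALLOW /shares/public/readme.txt 4000
"""


def parse_line(line):
    ts, user, action, resource, nbytes = line.split()
    return {"ts": ts, "user": user, "action": action,
            "resource": resource, "bytes": int(nbytes)}


def summarize(log_text):
    """Bytes actually transferred per user, and how often each user was
    denied; denials are a signal in their own right (probing for data the
    role does not cover)."""
    totals = defaultdict(int)
    denials = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] == "ALLOW":
            totals[ev["user"]] += ev["bytes"]
        elif ev["action"] == "DENY":
            denials[ev["user"]] += 1
    return totals, denials


def find_violations(log_text, role_limits=ROLE_LIMITS, roles=ROLES):
    """Return (alerts, denials). Each alert is (user, reason, bytes)."""
    totals, denials = summarize(log_text)
    alerts = []
    for user, total in sorted(totals.items()):
        role = roles.get(user)
        if role is None:
            # An account moving data without any assigned role is always
            # worth a look, regardless of volume.
            alerts.append((user, "unknown-role", total))
            continue
        if total > role_limits[role]:
            alerts.append((user, f"over-limit:{role}", total))
    return alerts, dict(denials)


if __name__ == "__main__":
    alerts, denials = find_violations(SAMPLE_LOG)
    for user, reason, total in alerts:
        print(f"ALERT {user} {reason} {total} bytes")
    print("denials:", denials)
```

A real deployment would key the totals by user and day and feed the alerts to whoever supervises the contractor, since the appropriate response (block, or just ask) depends on the job, as the article notes.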

An organization can create and enforce IT policies and procedures to prescribe the best ways to protect data, detect inappropriate data access, respond to suspected incidents, and govern the recruiting and hiring of contractors, such as requiring levels of screening for all contractor staff.

Policies should also define the concept of data custodian within the organization and make it clear to contractors that the role applies to them. A data custodian has access and some supervisory authority over data but no ownership of it. Policies should enumerate specific responsibilities of the data custodian, including keeping information confidential and not copying or redistributing it. Other policies might include using antivirus and other safeguards when downloading or transferring corporate information, and not sharing passwords.

Barbara Buechner, manager of IT information security engineering for Verizon Wireless, points out that agreements with contractors should include special provisions to ensure they recognize, accept and will adhere to company policies.

"Your two most important tools are the terms and conditions that you place in your contracts, and your ability to periodically recertify access privileges," adds van de Gohm.

Technical Solutions
There are significant benefits to leveraging controls over network facilities. Pershing's Kennedy recommends organizations create a virtual desktop environment via remote access in order to limit and control contractor activities on the network. Such a system is an extension of the concept of role-based access control, he says.

The marketplace has provided a range of tools to help tackle the challenge of managing contractor activities on the network and protect intellectual property. For example, network access control (NAC) products like CounterACT by ForeScout Technologies provide capabilities that can help control contractor access while giving them the freedom needed to complete assignments. CounterACT operates without a software agent to let administrators create a virtual visitor network without adding infrastructure. CounterACT can quarantine users and limit their access to a defined set of services, such as outbound Internet access.

Similarly, Symantec's Network Access Control provides capabilities to block or quarantine users on the network, and performs host integrity checking to verify patch levels and antivirus updates. Other NAC products include F5 Networks' FirePass, and StillSecure's Safe Access.

Meanwhile, data leakage prevention tools such as Tablus' Content Alarm suite can help an organization control sensitive files. Content Alarm allows users to establish policies to identify sensitive data files and designate them as "private" to prevent them from being copied or printed. This is a valuable control to prevent contractors from copying data to USB flash drives and other portable media that can be easily lost or stolen. Content Alarm can also automatically encrypt private files when they are sent via email.

Other vendors in the data leak prevention market include PortAuthority Technologies (acquired earlier this year by Websense), which offers software and appliances that control data on workstations and hosts, data in transit, and controls copying to external media including USB flash drives.

However, the solution to contractor security is probably going to require more than technology for most organizations. Meholic of BSC Services warns, "No matter what the problem is within information security, never rely solely on the technology. You need policies and procedures for verification, and notification of attempts to circumvent security."

Continuing Challenge
Risks associated with the use of contractors can't be eliminated entirely. As is probably true of most technical controls, they are effective for a time at preventing a large portion of the population from doing what we don't want them to do. Unfortunately, the worst bad actors can ultimately find ways to circumvent even the best controls given the right amount of time, computing power and/or money.

Changes in technology will continue to make this a challenging problem. Emerging trends such as the growing availability of inexpensive, pervasive wireless broadband provide contractors with high-speed connectivity while on your premises that you will be unable to monitor or restrict. The pace of technology change and the never-ending discovery of vulnerabilities in our basic computing platforms place continuous pressure on information security managers to re-evaluate risks and refine controls.
