11:20 AM
Connect Directly
Repost This

Enemy At The Loading Dock: Defending Your Enterprise From Threats In The Supply Chain

The suppliers, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check

In mid-May, Lockheed Martin notified law enforcement and government authorities that one of its systems had been breached. The defense contractor later confirmed that attackers used information stolen from RSA, Lockheed's security technology provider, to gain access to Lockheed's system.

RSA wasn't the only third party involved. The attackers first compromised the systems of an unnamed contractor with which Lockheed works and that had access to Lockheed systems, according to The New York Times. Then they used information obtained from the RSA breach--data on RSA's SecurID one-time password technology--to enter Lockheed's network via the compromised contractor's systems.

Like Lockheed, which declined to comment on the RSA incident, many businesses are tying themselves closer together with contractors, partners, cloud service providers, and other third parties, giving attackers new entry points to those businesses' networks and data. Attackers aren't just on the prowl for vulnerable servers; they're also hunting for vulnerable contractors and suppliers. And their victims often know little about the security arrangements of those suppliers.

If you think the Lockheed incident is an exception, consider the case of email marketing firm Epsilon, which in March revealed a breach involving the data of more than 100 major companies, including Citibank, JPMorgan Chase, Kraft, supermarket chain Kroger, Marriott International, and Visa. Those companies ended up having to warn their customers that their names and email addresses might be compromised.

"What happened at Epsilon is an issue where having your data in somebody else's network or freely available to another network can have all sorts of dire consequences, if they don't play to a reasonably high level of skill," says Mike Lloyd, chief scientist from security analysis firm RedSeal.

Know Your Suppliers

Security threats posed by suppliers are more difficult to deal with and prevent, in part because suppliers aren't easy to identify. Suppliers today don't just provide raw materials and products--they include outsourcers and technology service providers. Some suppliers provide cloud services that let companies store data outside their network firewalls. Others provide deliverables, such as software programs and technology. A number of suppliers provide expertise for specific projects and have internal access to systems.

There are three categories of supplier threats. First are dangers from compromised products in the supply chain, such as software that contains back-door access and compromised point-of-sale terminals. Second are risks introduced when insecure suppliers access a customer's network and data; they can bring malware and compromised hardware into your network. A third risk is when customers export sensitive data into cloud providers' systems, in which case security hinges on the providers' practices and policies. Moreover, cloud providers could increase the threat to companies' data because a single service provider--such as Epsilon--ends up storing a great deal of its customers' data.

Don't Let Thieves In Through Your Web Apps

Become an InformationWeek Analytics subscriber and get our full report on protecting against SQL injection, free for a limited time.

What you'll find:
  • The methods attackers use to take advantages of SQL injection vulnerabilities
  • Secure coding techniques that eliminate vulnerabilities
  • Top 25 most dangerous software errors
Get This And All Our Reports

1 of 5
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web