Enemy At The Loading Dock: Defending Your Enterprise From Threats In The Supply Chain
The suppliers, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check
RSA wasn't the only third party involved. The attackers first compromised the systems of an unnamed contractor with which Lockheed works and that had access to Lockheed systems, according to The New York Times. Then they used information obtained from the RSA breach--data on RSA's SecurID one-time password technology--to enter Lockheed's network via the compromised contractor's systems.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- State of Cloud 2011: Time for Process Maturation
- Research: Federal Government Cloud Computing Survey
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- Client Windows Migration: Expert Tips for Application Readiness
Like Lockheed, which declined to comment on the RSA incident, many businesses are tying themselves closer together with contractors, partners, cloud service providers, and other third parties, giving attackers new entry points to those businesses' networks and data. Attackers aren't just on the prowl for vulnerable servers; they're also hunting for vulnerable contractors and suppliers. And their victims often know little about the security arrangements of those suppliers.
If you think the Lockheed incident is an exception, consider the case of email marketing firm Epsilon, which in March revealed a breach involving the data of more than 100 major companies, including Citibank, JPMorgan Chase, Kraft, supermarket chain Kroger, Marriott International, and Visa. Those companies ended up having to warn their customers that their names and email addresses might be compromised.
"What happened at Epsilon is an issue where having your data in somebody else's network or freely available to another network can have all sorts of dire consequences, if they don't play to a reasonably high level of skill," says Mike Lloyd, chief scientist from security analysis firm RedSeal.
Know Your Suppliers
Security threats posed by suppliers are more difficult to deal with and prevent, in part because suppliers aren't easy to identify. Suppliers today don't just provide raw materials and products--they include outsourcers and technology service providers. Some suppliers provide cloud services that let companies store data outside their network firewalls. Others provide deliverables, such as software programs and technology. A number of suppliers provide expertise for specific projects and have internal access to systems.
There are three categories of supplier threats. First are dangers from compromised products in the supply chain, such as software that contains back-door access and compromised point-of-sale terminals. Second are risks introduced when insecure suppliers access a customer's network and data; they can bring malware and compromised hardware into your network. A third risk is when customers export sensitive data into cloud providers' systems, in which case security hinges on the providers' practices and policies. Moreover, cloud providers could increase the threat to companies' data because a single service provider--such as Epsilon--ends up storing a great deal of its customers' data.