Analytics
1/6/2012
10:10 AM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: What To Do When Your Business Partner Is Breached

Vendors and contractors play an important role in your business. But what happens when a partner’s systems are compromised? Here are a few tips

A breach in your own organization is bad enough, but a breach at a third-party vendor or contractor that is tightly connected to your organization can be even more frustrating. The key to minimizing the chaos is to work closely with your vendors, contractors, and service providers so that you’ll be able to respond quickly when a compromise happens.

When a compromise occurs at a partner site, the first step is to understand what occurred, assess potential damage, and set a game plan. Verbally discuss the incident with the partner, ask as many questions as you can, and instruct them to send you their official statement in writing. This information will help you craft your own organization’s statement and begin documentation.

During this initial conversation, be sure to document all of the facts as given to you. Email your notes to the vendor and request review and confirmation of accuracy. As the incident progresses, your organization will want as much information as possible to address any questions that arise from other partners, customers, or internal staff. It’s important to get these answers quickly -- and in writing -- for future reference if the matter escalates and legal action is required.

As you’re starting to piece together what occurred, it’s time to understand your organization’s exposure. You’ll need to fully understand what service the partner provides to your organization, the data it possesses, and how you are connected to each other. A breach of a third-party email provider has a different impact than breach of a two-factor authentication vendor. Understanding the total exposure will help you define the risk associated with the breach, the actions you must take, and how fast you must move.

Once the risk is identified, continue to communicate with your vendor and discuss your rights. Continuous communication is critical -- you want your organization to stay top of mind when hundreds of clients begin calling, and that you will get high-priority notification when something new is known. Don’t give up if you leave messages and emails that go unreturned. Your persistence will pay off, just as it does for the salesperson who leaves you 22 messages.

Once you’re in contact, discuss your rights. Hopefully, buried in the contract with your partner, there is language that outlines your rights in the case of a breach or other security incident. These clauses typically include timing for notification of the breach, the right to audit after a security incident, financial penalties, and the right to cancel the contract. Understand these well and use them to your advantage. In most cases, it won’t be necessary to be heavy-handed -- it’s in everyone’s best interest to cooperate and resolve the matter once it has been disclosed. But knowing your rights and options will give you some alternatives if they are needed.

[Sensitive company data is often leaked via Google, Bing, and other search engines -- find it before the bad guys can. See Analyzing Data To Pinpoint Rogue Insiders.]

As more information becomes known, continue to evaluate the risk to your organization. You need as much information as possible before you notify affected parties. This can be tricky -- some in your organization will want to hide it since it wasn’t a breach of your systems, but others will want to send out notifications as soon as possible. Full disclosure is usually the right thing to do -- no matter where the breach occurred -- and the breached partner generally should issue a disclosure, as well.

The trickiest part is timing. Disclose too early and you risk communicating bad or incomplete information. Wait too long and the public will balk at you waiting so long. Typically, it’s a good idea to disclose as early as you can, as long as there’s enough information to identify affected parties and the data affected. This can provide the basis for later communications.

Once the dust has settled and the partner has fixed the immediate problems, it’s time to make sure this doesn’t happen again. Work with the vendor to understand how it’ll prevent this issue from occurring again, how it’ll assess its systems for other potential problems, and how you’ll be informed of the assessment results. Use this incident to insert your organization into your partner’s security processes, and require annual assessment reports or gain the right to audit their operations. At this point, you have some leverage -- use it to your advantage.

Partners are important to your business, but they can also be a liability. Implementing partner risk reviews and vendor management processes can reduce risk and help your organization identify vendors that are less likely to fall victim to a breach. No partner is impenetrable. Knowing the risk associated with each partner, having good communication, and working together to resolve a breach helps everyone -- including customers and other third parties.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.