1/6/2012
10:10 AM

Tech Insight: What To Do When Your Business Partner Is Breached

Vendors and contractors play an important role in your business. But what happens when a partner’s systems are compromised? Here are a few tips.

A breach in your own organization is bad enough, but a breach at a third-party vendor or contractor that is tightly connected to your organization can be even more frustrating. The key to minimizing the chaos is to work closely with your vendors, contractors, and service providers so that you’ll be able to respond quickly when a compromise happens.

When a compromise occurs at a partner site, the first step is to understand what occurred, assess potential damage, and set a game plan. Verbally discuss the incident with the partner, ask as many questions as you can, and instruct them to send you their official statement in writing. This information will help you craft your own organization’s statement and begin documentation.

During this initial conversation, be sure to document all of the facts as given to you. Email your notes to the vendor and request review and confirmation of accuracy. As the incident progresses, your organization will want as much information as possible to address any questions that arise from other partners, customers, or internal staff. It’s important to get these answers quickly -- and in writing -- for future reference if the matter escalates and legal action is required.

As you’re starting to piece together what occurred, it’s time to understand your organization’s exposure. You’ll need to fully understand what service the partner provides to your organization, the data it possesses, and how the two of you are connected. A breach of a third-party email provider has a different impact than a breach of a two-factor authentication vendor. Understanding the total exposure will help you define the risk associated with the breach, the actions you must take, and how fast you must move.

Once the risk is identified, continue to communicate with your vendor. Continuous communication is critical -- you want your organization to stay top of mind when hundreds of clients begin calling, and to receive high-priority notification when something new is known. Don’t give up if you leave messages and emails that go unreturned. Your persistence will pay off, just as it does for the salesperson who leaves you 22 messages.

Once you’re in contact, discuss your rights. Hopefully, buried in the contract with your partner, there is language that outlines your rights in the case of a breach or other security incident. These clauses typically include timing for notification of the breach, the right to audit after a security incident, financial penalties, and the right to cancel the contract. Understand these well and use them to your advantage. In most cases, it won’t be necessary to be heavy-handed -- it’s in everyone’s best interest to cooperate and resolve the matter once it has been disclosed. But knowing your rights and options will give you some alternatives if they are needed.


As more information becomes known, continue to evaluate the risk to your organization. You need as much information as possible before you notify affected parties. This can be tricky -- some in your organization will want to hide it since it wasn’t a breach of your systems, but others will want to send out notifications as soon as possible. Full disclosure is usually the right thing to do -- no matter where the breach occurred -- and the breached partner generally should issue a disclosure, as well.

The trickiest part is timing. Disclose too early and you risk communicating bad or incomplete information. Wait too long and the public will question the delay. Typically, it’s a good idea to disclose as early as you can, as long as there’s enough information to identify the affected parties and the data affected. This can provide the basis for later communications.

Once the dust has settled and the partner has fixed the immediate problems, it’s time to make sure this doesn’t happen again. Work with the vendor to understand how it’ll prevent this issue from occurring again, how it’ll assess its systems for other potential problems, and how you’ll be informed of the assessment results. Use this incident to insert your organization into your partner’s security processes, and require annual assessment reports or gain the right to audit their operations. At this point, you have some leverage -- use it to your advantage.

Partners are important to your business, but they can also be a liability. Implementing partner risk reviews and vendor management processes can reduce risk and help your organization identify vendors that are less likely to fall victim to a breach. No partner is impenetrable. Knowing the risk associated with each partner, having good communication, and working together to resolve a breach helps everyone -- including customers and other third parties.
