Enemy At The Loading Dock: Defending Your Enterprise From Threats In The Supply Chain

In mid-May, Lockheed Martin notified law enforcement and government authorities that one of its systems had been breached. The defense contractor later confirmed that attackers used information stolen from RSA, Lockheed's security technology provider, to gain access to Lockheed's system.

RSA wasn't the only third party involved. The attackers first compromised the systems of an unnamed contractor with which Lockheed works and that had access to Lockheed systems, according to The New York Times. Then they used information obtained from the RSA breach--data on RSA's SecurID one-time password technology--to enter Lockheed's network via the compromised contractor's systems.

Like Lockheed, which declined to comment on the RSA incident, many businesses are tying themselves closer together with contractors, partners, cloud service providers, and other third parties, giving attackers new entry points to those businesses' networks and data. Attackers aren't just on the prowl for vulnerable servers; they're also hunting for vulnerable contractors and suppliers. And their victims often know little about the security arrangements of those suppliers.

If you think the Lockheed incident is an exception, consider the case of email marketing firm Epsilon, which in March revealed a breach involving the data of more than 100 major companies, including Citibank, JPMorgan Chase, Kraft, supermarket chain Kroger, Marriott International, and Visa. Those companies ended up having to warn their customers that their names and email addresses might be compromised.

"What happened at Epsilon is an issue where having your data in somebody else's network or freely available to another network can have all sorts of dire consequences, if they don't play to a reasonably high level of skill," says Mike Lloyd, chief scientist from security analysis firm RedSeal.

Know Your Suppliers

Security threats posed by suppliers are more difficult to deal with and prevent, in part because suppliers aren't easy to identify. Suppliers today don't just provide raw materials and products--they include outsourcers and technology service providers. Some suppliers provide cloud services that let companies store data outside their network firewalls. Others provide deliverables, such as software programs and technology. A number of suppliers provide expertise for specific projects and have internal access to systems.

There are three categories of supplier threats. First are dangers from compromised products in the supply chain, such as software that contains back-door access and compromised point-of-sale terminals. Second are risks introduced when insecure suppliers access a customer's network and data; they can bring malware and compromised hardware into your network. A third risk is when customers export sensitive data into cloud providers' systems, in which case security hinges on the providers' practices and policies. Moreover, cloud providers could increase the threat to companies' data because a single service provider--such as Epsilon--ends up storing a great deal of its customers' data.

Stop SQL Injection

Don't Let Thieves In Through Your Web Apps
Become an InformationWeek Analytics subscriber and get our full report on protecting against SQL injection, free for a limited time.

What you'll find:

• The methods attackers use to take advantages of SQL injection vulnerabilities
• Secure coding techniques that eliminate vulnerabilities
• Top 25 most dangerous software errors

Get This And All Our Reports