Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

2/22/2012
06:10 PM
50%
50%

Strengthening Third-Party Contracts To Lower Breach Risks

FTC breach, contract deficiencies highlight importance of including security provisions within technology contracts

Details emerged this week that showed that recent Anonymous hacks of Federal Trade Commission (FTC) websites could potentially have been prevented had the FTC not dispensed with security provisions in a contract with the third-party vendors who hosted the sites. As organizations continue to divide labor in IT—particularly in development of public-facing websites—the incident could prove a good lesson in the importance of shoring up contract language and SLAs to ensure third parties are not adding undue risks of data breaches in the future.

In the case of the FTC, the federal agency suffered two embarrassing breaches within the last two months. In January, Anonymous attacked the FTC’s OnGuardOnline.gov site and this month it again hacked the FTC’s Bureau of Consumer Protection site. The websites in question were open to attack due to a failure to patch the server operating systems and applications associated with the site, a weakness that Anonymous took advantage of to publicize its distaste for the Anti-Counterfeiting Trade Agreement (ACTA) backed by the federal government.

“Even more bothersome than your complete lack of competence in maintaining your own f***ing websites and serving the citizens you are supposed to be protecting, is the US federal government’s support of ACTA,” Anonymous wrote about its most recent attack.

The sites in question were developed by public relations firm Fleishman-Hilliard, which hosted the sites on resources provided by hosting and cloud services provider Media Temple. The two firms are currently duking it out in a very public finger-pointing spat reported by Ars Technica, which also brought to light the fact that the $1.5 million contract to develop the sites initially included security provisions during the acquisition process but then dropped those requirements.

According to John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP, these days such contract omissions are pretty rare, but they still happen.

“It's unusual, particularly these days when sensitivity to security and privacy is high, but gaps in functionality like this aren't unheard of,” he says. “When dealing with cloud / hosting agreements, any time the supplier isn't responsible for the end-to-end service, and the integration of all of the subsidiary functions provided by third parties, things like this can happen.”

Nicholson believes that while the FTC hacks were not necessarily as devastating as others elsewhere that exposed large repositories of personally identifiable information, they do highlight some of the issues posed by contracting for technology services.

“Given the way that functions at different levels of the stack are being disaggregated, it can be complicated to figure out who's responsible for what and where they are,” he says. “The physical servers hosting a site might be in a server-hotel data center run by one party, while the entity who is responsible for the websites themselves might be another party, and the websites might call to applications or databases that are hosted and managed by entirely different companies. Without someone responsible for the overall integration, things can slip through the cracks and important details can be missed.”

He believes that outsource projects need to include the same risk assessment considerations that any in-house IT project should be weighed against. The key, he says, is to think of the risks and tie them to requirements before the work is scoped.

“Security needs to be baked into the requirements for the service because the level of security you get is part of the cost-benefit/risk analysis for the deal. If you want a solution that is highly secure, there are design choices that need to be made that have cost implications, but they reduce overall risk,” Nicholson says. “On the other hand, if you're not that worried about security, or if the thing you’re dealing with doesn't need a lot of protection, then it doesn't make sense to pay for a Bradley Assault Vehicle when you need Volvo-level safety.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21392
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
CVE-2021-21393
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-29429
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
CVE-2021-21394
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-22497
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.