If true, the scenario would not be the first time that suppliers have been used to attack their customers. In a handful of recent instances, attackers have used contractors and other third parties as a bridge to their targets. While many companies are very watchful of their connection to the Internet, many times they are not so vigilant of their partners' connections to their own networks, says Eddie Schwartz, chief security officer of NetWitness, a data and network protection firm.
"While the Internet connectivity, many times, is naturally constrained by everyone's desire to firewall off the Internet and give it limited access to corporate networks, partner connections often have extensive access to things like customer databases and other types of critical assets within the organization," Schwartz says.
The attraction of sneaking behind the firewall has made suppliers and partners a popular target of attackers, but less so in recent years, according to Verizon's 2010 Data Breach Investigations Report. In the 2010 study, suppliers were implicated in 11 percent of breaches, down from nearly 40 percent in 2008.
Still, companies that take a few preparations in working with suppliers will have far fewer problems, experts say. Let's look at three of those recommendations.
1. Sign agreements and audit regularly.
While larger companies are used to complying with regulations and submitting to regular audits, partners -- many times small and midsize businesses -- do not have experience in securing their networks and systems and regularly validating their network security, says Srini Subramanian, director of security and privacy for consulting firm Deloitte.
In a recent report on the security status of state governments, the National Association of State CIOs and Deloitte found that nearly a quarter of state IT departments did not know the security measures implemented by their partners -- and less than half had actually assessed or tested their third-party partners' security.
Having service agreements and the ability to assess a partner's security can help keep out the threats, Subramanian says.
"Just simply relying on their contractual controls and confidentiality agreements will not work in the long run," he says.
2. Find and recognize corporate assets.
Before letting a partner have access to your network, figure out what computers, printers, storage, and networking equipment you own. Trying to keep out attackers is much harder if companies do not understand what equipment belongs in their network, says Rick Leclerc, co-founder and sales engineering manager for Bradford Networks, a network security firm.
"Building that inventory is a huge step," Leclerc says. "If I want to do friend-or-foe, I have to identify who all my friends are first. I have to make sure that it is a friend and not someone who spoofed a computer's MAC address."
When Bradford enumerates a customer's network during the initial prototyping phase, the company typically finds that 10 to 20 percent of the devices on the network were not known to the customer. Such a device could be an employee bringing an iPad into work, but it could also be a rogue access point or a worker who has circumvented corporate security in some other way.
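As an added illustration of the inventory-first, friend-or-foe check Leclerc describes (example code written for this page, not Bradford Networks' product): the device inventory and the observed-device sample are constructed, and flagging a known MAC that shows up on two switch ports at once is assumed here as a simple spoofing indicator, not a description of Bradford's method.

```python
from collections import defaultdict

# Constructed inventory of known ("friend") devices: MAC -> (hostname, expected access port).
KNOWN_DEVICES = {
    "00:11:22:aa:bb:01": ("fileserver-01", "sw1/gi0/1"),
    "00:11:22:aa:bb:02": ("printer-3f", "sw1/gi0/7"),
    "00:11:22:aa:bb:03": ("hr-laptop-12", "sw2/gi0/3"),
    "00:11:22:aa:bb:04": ("partner-vpn-gw", "sw3/gi0/24"),
}

# Constructed sample of what a switch/DHCP sweep observed: (mac, ip, port seen on).
OBSERVED = [
    ("00:11:22:aa:bb:01", "10.0.1.10", "sw1/gi0/1"),
    ("00:11:22:aa:bb:02", "10.0.1.20", "sw1/gi0/8"),   # known device, but not on its recorded port
    ("00:11:22:aa:bb:03", "10.0.2.33", "sw2/gi0/3"),
    ("00:11:22:aa:bb:03", "10.0.2.90", "sw2/gi0/11"),  # same MAC on a second port: spoof candidate
    ("00:11:22:aa:bb:04", "10.0.3.1", "sw3/gi0/24"),
    ("de:ad:be:ef:00:01", "10.0.2.77", "sw2/gi0/15"),  # never inventoried
]


def friend_or_foe(known, observed):
    """Reconcile an observed-device sweep against the inventory.

    Returns a dict with:
      unknown     - MACs that are not in the inventory at all
      duplicated  - known MACs seen on more than one port at once (possible spoofing)
      moved       - known MACs seen only on a port other than the recorded one
      unknown_pct - share of distinct observed MACs that were not inventoried
    """
    ports_by_mac = defaultdict(set)
    for mac, _ip, port in observed:
        ports_by_mac[mac].add(port)

    unknown = sorted(m for m in ports_by_mac if m not in known)
    duplicated = sorted(m for m, ports in ports_by_mac.items()
                        if m in known and len(ports) > 1)
    moved = sorted(m for m, ports in ports_by_mac.items()
                   if m in known and len(ports) == 1 and known[m][1] not in ports)
    total = len(ports_by_mac)
    unknown_pct = round(100.0 * len(unknown) / total, 1) if total else 0.0
    return {"unknown": unknown, "duplicated": duplicated,
            "moved": moved, "unknown_pct": unknown_pct}


if __name__ == "__main__":
    for key, value in friend_or_foe(KNOWN_DEVICES, OBSERVED).items():
        print(f"{key}: {value}")
```

On real data the observed list would come from switch MAC tables, DHCP leases or a NAC sensor; the reconciliation logic stays the same.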
3. Monitor partners as much as, if not more than, the Internet.
Because partners have privileged access to some parts of a company's network, traffic to and from partner networks should be scrutinized as closely as, if not more closely than, the company's Internet gateways, NetWitness' Schwartz says.
"No matter what we do, we have to assume that the partner connection may not be as trusted, and may be as untrusted, as the Internet in many cases," he says. "We should apply the same strength of effort in terms of process and technology to those connections."
Companies should use perimeter defenses to restrict traffic into the network, limiting partner access. They should apply intrusion detection measures to spot attacks before they can damage the internal network, Schwartz says.
"We have all of these contracts and do all of this work leading up to the partner connection, but at the end of the day we still have to view the partner connections as hostile -- not because we don't like or don't believe in our partners, but because ultimately organizations have responsibility for their data," he says.