I love living in the Tampa area for a lot of reasons, among them getting to regularly use one of the best airports in the US – Tampa International Airport (TIA). Unfortunately for the folks who run TIA, they had a spot of trouble that was reported earlier this month by the Tampa Tribune and others. Like a lot of places these days, TIA experienced an IT security breach. Unlike a lot of places—because it's an international airport—TIA has to do a lot of explaining.
Here is what we know from what has been reported -- and it reads like an information security “Don’t Do List.” TIA hired an individual (and apparently his wife) to work on an Oracle project. That person shared their VPN logins and (privileged) accounts and passwords with almost a dozen other people and some others working for a staffing firm, “who logged into the system dozens of times from places like Mumbai and Pradesh, India, United Arab Emirates and Kashmir, India.”
This episode brings into clear view the unfortunate collision of insecure VPNs, open vendor access, and lack of best practices in password management. That collision has led to multiple people losing their jobs, including the IT Director, an IT manager, and others. It's also led to TIA being forced to cripple their business processes by taking the drastic, but at this point probably necessary, step of only allowing the airport's computer network to be accessed from equipment issued by the aviation authority, not from personal electronic devices.
So as a result of the breach, because TIA didn’t set up access correctly from the start, they now have to go back to how we did things 20 years ago.
There is a better way. Here are five lessons that any company bringing third parties into their security environment should take into account.
1. Never trust your vendors when it comes to YOUR information security. Properly vet the third parties, contractors, and consultants who are working for you. “Body shops” in IT services are not known for their cutting-edge information security. They may have some consultants for hire, but it doesn’t equate to them having a mature security posture of their own. Be sure to understand how they screen the temps they’re giving you and see if they include security awareness training as part of how they handle their stable of workers.
2. When you must allow third-party access into your environment, you don’t have to use a legacy solution such as a VPN and hope that everyone behaves when they use it. A solution using a brokered connection that allows you to control the Who, What, Where, When, and How of their connection to you gives you real control. As The Offspring song goes, “You gotta keep ‘em separated!” And you can -- and still have third parties working on your projects, without giving them an IP-enabled grappling hook into your internal network.
3. Don’t give blanket access. Your vendors should be part of a mature workflow process that tracks everything from their need for access to granting it to revoking it. This gives you attribution and accountability.
4. Monitor the access you are granting them. Have the ability to “peek over their shoulder” whenever you want. Record all the activity. A pretty disturbing note in the TIA hack is the fact that even after security auditors investigated the breach, they were “unable to determine specifically what data may have been transferred.” Recording what is going on when your vendors are accessing your networks and systems makes sure you always know exactly what they did or didn’t do. This is good practice for everything from project tracking and billing to completing an annual security audit to having to respond to a breach such as the one that occurred at TIA.
5. Secure passwords. Another element that stands out here is that there seems to have been a complete lack of control over password policy at TIA. This can be remedied quickly and completely by using a password/credential vaulting solution. In this way, you mitigate the risk of weak, shared, and duplicate passwords as well as the dangers posed by embedded system accounts or shared accounts.
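Lesson 4 is easier to act on with a concrete check. The following is an added example, not part of the original post or anything TIA ran: it flags accounts whose VPN sessions look shared, either because sessions from different countries overlap or because too many countries appear within one window. The log format, account names, and thresholds are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN session log (not data from the TIA incident).
# Assumed columns: account, source country (GeoIP already resolved), start, end.
SAMPLE_LOG = """account,country,start,end
vendor_dba,US,2024-03-04T09:00,2024-03-04T12:00
vendor_dba,IN,2024-03-04T10:30,2024-03-04T11:15
vendor_dba,AE,2024-03-04T16:00,2024-03-04T17:00
vendor_dba,IN,2024-03-05T02:00,2024-03-05T03:00
staff_jane,US,2024-03-04T08:00,2024-03-04T17:00
staff_jane,US,2024-03-05T08:00,2024-03-05T17:00
vendor_app,US,2024-03-04T09:00,2024-03-04T10:00
vendor_app,CA,2024-03-06T09:00,2024-03-06T10:00
"""

def load_sessions(text):
    sessions = defaultdict(list)  # account -> [(start, end, country), ...]
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(row["start"])
        end = datetime.fromisoformat(row["end"])
        sessions[row["account"]].append((start, end, row["country"]))
    return sessions

def find_shared_accounts(sessions, window=timedelta(hours=24), max_countries=2):
    """Return {account: [reasons]} for accounts that look shared."""
    findings = defaultdict(list)
    for account, rows in sessions.items():
        rows.sort()  # chronological by session start
        for i, (s1, e1, c1) in enumerate(rows):
            nearby = {c1}
            for s2, e2, c2 in rows[i + 1:]:
                if s2 - s1 > window:
                    break
                nearby.add(c2)
                # Overlapping sessions from two countries: one person cannot do this.
                if s2 < e1 and c2 != c1:
                    findings[account].append(f"concurrent {c1}/{c2} at {s2.isoformat()}")
            if len(nearby) > max_countries:
                findings[account].append(
                    f"{len(nearby)} countries within {window} of {s1.isoformat()}")
    return dict(findings)

if __name__ == "__main__":
    for account, reasons in find_shared_accounts(load_sessions(SAMPLE_LOG)).items():
        print(account, reasons)
```

On the sample data only `vendor_dba` is flagged; `vendor_app`, which appears from a second country two days later, is not, so ordinary travel does not trip the check.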
As with most breaches, this is a very good learning opportunity for others, and in the long run for Tampa Airport as well.