If Target got breached because of third party access, what does that mean for you?

Take action with a conversation structured around insights into managing third party access, with proven practices and a four-part model for stronger relationships and better outcomes

The Target data breach is the gift that keeps on giving. It continues to capture attention with new revelations and insights.

The real opportunity for security professionals is to side-step speculation and use the coverage to spark productive conversations. The kinds of discussions that help others understand your value and set the stage for necessary changes.

The latest development was the potential compromise through a third party HVAC contractor. 

Now the details around Target, an ongoing investigation, are still a bit murky. Brian Krebs is on the case and providing a valuable service to the industry. Let’s leave investigation to Brian and take the opportunity to build on his work to improve our organizations.

Why attackers like third-parties, too

The concern over connecting vital networks with third-parties isn't new. However, the trend has accelerated in recent years. I know of one organization that went from a handful of connections five years ago to over 100 in the last two years.

Attackers know this, too. If they can't get what they want through you directly, perhaps the third-party is the right vector. No more crawling through vents or dumpster-diving. Now they focus on remote access.

Access starts with authentication. That means that attackers seek credentials. Anything that allows them access to systems and information is valuable.

When you say remote access, what do you mean?

The bulk of third party access is remote. The concept of remote access actually encompasses the access itself and then three additional elements (commonly referred to as AAA):

  • Access: how the third party actually connects to the network
  • Authentication: the process of verifying they are who they claim to be
  • Authorization: what they are allowed to do
  • Auditing: the record of what they did

Access, itself, is not normally a challenge. Listing it, however, allows us to discuss the discrete parts when explaining the challenge of getting third party remote access right, especially how it tends to be a bit more involved than most consider at first glance.

Authentication: how many factors do you require?

Nick Owen of WiKID Systems points out that two-factor authentication for remote network access is required under PCI and offers some additional insights on how to accomplish it here.

Ken Ammon, Chief Strategy Officer of Xceedium, suggests that regardless of PCI, "Third-party access minimum standard should be two-factor. Traditional 'VPN' access permissions do not enforce adequate security controls necessary to deal with insider and advanced threat vectors."

The key: who controls the password authentication?

As the concept of remote access continues to evolve, our methods of handling it need to shift, too.

Ken Ammon "strongly recommends that if an outsourced provider requires your network for access to their systems, they must turn over password management to you."

For most, this is an area for improvement. This likely requires discussion during contract negotiation or modification to existing contracts. Use the model outlined below to keep everyone on the same page and focused on the same outcomes.

If questioned, point out that attackers are increasingly focusing attention on the sometimes easier-to-breach third parties. As Ken notes, "the technology exists to provide this level of proxy-access to 3rd party systems." 

A model for managing third party access

Ken shared the basic outline of a four-part model for working with third party providers. This facilitates discussions with providers to determine a clear and documented understanding of shared responsibilities.

Minimally, the agreement needs to meet the following requirements:

  • Contained: provide least privilege; they get only the access they need -- including protocols, network segments, applications, and systems -- to do their job within a specified window.
  • Controlled: enforce containment through available tools and concepts like whitelisting, blacklisting, and the use of advanced solutions. 
  • Audited: violations should generate alerts; exceeding defined thresholds immediately suspends access until a security review is completed. _Think about the power of getting this part right._ 
  • Recorded: capture all third-party access sessions to allow for quick reviews. This is especially useful during incident response. Further, if terminated for cause, Ken recommends an immediate review of the last two weeks of session recordings.
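As an added illustration of the four-part model above (constructed example code, not from the article, Ken Ammon, or Xceedium), a small Python policy check that enforces a contained grant, counts violations against a suspension threshold, and keeps the session record for a two-week review; the vendor name, segment, window, and threshold are all made up:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed illustration of the article's four-part model: Grant is the
# "contained" scope, check_request is the "controlled" gate, the violation
# threshold is "audited", and the session list is "recorded".

@dataclass
class Grant:
    vendor: str
    segments: list           # whitelisted network segments (CIDR strings)
    protocols: set           # whitelisted protocols, e.g. {"https"}
    window: tuple            # (start, end) ISO-8601 strings: the specified window
    max_violations: int = 3  # hitting this suspends access pending security review

@dataclass
class VendorState:
    violations: int = 0
    suspended: bool = False
    sessions: list = field(default_factory=list)  # every attempt, allowed or not

def check_request(grant, state, when, dest_ip, protocol):
    """Allow only the whitelisted scope inside the window; record every attempt."""
    if state.suspended:
        return "suspended"
    start, end = (datetime.fromisoformat(t) for t in grant.window)
    reasons = []
    if not start <= datetime.fromisoformat(when) <= end:
        reasons.append("outside window")
    if not any(ip_address(dest_ip) in ip_network(s) for s in grant.segments):
        reasons.append("segment not whitelisted")
    if protocol not in grant.protocols:
        reasons.append("protocol not whitelisted")
    state.sessions.append({"vendor": grant.vendor, "time": when, "dest": dest_ip,
                           "protocol": protocol, "violations": reasons})
    if not reasons:
        return "allowed"
    state.violations += 1  # audited: each violation should also raise an alert
    if state.violations >= grant.max_violations:
        state.suspended = True  # stays off until a security review clears it
        return "suspended"
    return "denied"

def sessions_since(state, when, days=14):
    """Recorded: pull the last two weeks of sessions, e.g. after termination for cause."""
    cutoff = datetime.fromisoformat(when) - timedelta(days=days)
    return [s for s in state.sessions if datetime.fromisoformat(s["time"]) >= cutoff]
```

Once suspended, the vendor stays locked out even for requests that would otherwise be in scope, which is the point of tying the threshold to a human security review rather than a timer.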

Aside: I took a few pages of notes speaking with Ken, and plan to share more insights about managing privileged access in the coming weeks. Hopefully before the next notable password breach. 

This is the time to act; start with a conversation

Use the insights shared here to frame a conversation with executives, and the teams responsible for prevention, detection, and response. Take a look at how partners are granted access to networks, systems, and information.

Explore what would happen if someone compromised them; could they then breach you?

Keep in mind that framing the problem in terms of the solution is risky. Instead, consider the current situation, potential risks, and the steps to make agreed-upon changes.

In addition to ensuring existing processes are enforced (ask Coke), work to develop a reasonable plan to improve capabilities across prevention, detection, and response.

Copyright © 2014 IDG Communications, Inc.