The Target data breach is the gift that keeps on giving. It continues to capture attention with new revelations and insights.

The real opportunity for security professionals is to side-step speculation and use the coverage to spark productive conversations: the kinds of discussions that help others understand your value and set the stage for necessary changes.

The latest development was the potential compromise through a third-party HVAC contractor.

Now, the details around Target, an ongoing investigation, are still a bit murky. Brian Krebs is on the case and providing a valuable service to the industry. Let's leave the investigation to Brian and take the opportunity to build on his work to improve our organizations.

Why attackers like third parties, too

The concern over connecting vital networks with third parties isn't new. However, the trend has accelerated in recent years. I know of one organization that went from a handful of connections five years ago to over 100 in the last two years.

Attackers know this, too. If they can't get what they want through you directly, perhaps the third party is the right vector. No more crawling through vents or dumpster-diving. Now they focus on remote access.

Access starts with authentication. That means attackers seek credentials. Anything that allows them access to systems and information is valuable.

When you say remote access, what do you mean?

The bulk of third-party access is remote. The concept of remote access actually encompasses the access itself and then three additional elements (the latter three commonly referred to as AAA):

- Access: how the third party actually connects to the network
- Authentication: the process of verifying they are who they claim to be
- Authorization: what they are allowed to do
- Auditing: the record of what they did

Access, itself, is not normally a challenge.
Listing it, however, allows us to discuss the discrete parts when explaining the challenge of getting third-party remote access right, especially how it tends to be a bit more involved than most consider at first glance.

Authentication: how many factors do you require?

Nick Owen of WiKID Systems points out that two-factor authentication for remote network access is required under PCI and offers some additional insights on how to accomplish it here.

Ken Ammon, Chief Strategy Officer of Xceedium, suggests that regardless of PCI, "Third-party access minimum standard should be two-factor. Traditional 'VPN' access permissions do not enforce adequate security controls necessary to deal with insider and advanced threat vectors."

The key: who controls the password authentication?

As the concept of remote access continues to evolve, our methods of handling it need to shift, too.

Ken Ammon "strongly recommends that if an outsourced provider requires your network for access to their systems, they must turn over password management to you."

For most, this is an area for improvement. It likely requires discussion during contract negotiation or modification of existing contracts. Use the model outlined below to keep everyone on the same page and focused on the same outcomes.

If questioned, point out that attackers are increasingly focusing attention on the sometimes easier-to-breach third parties. As Ken notes, "the technology exists to provide this level of proxy-access to 3rd party systems."

A model for managing third-party access

Ken shared the basic outline of a four-part model for working with third-party providers.
This facilitates discussions with providers to determine a clear and documented understanding of shared responsibilities.

Minimally, the agreement needs to meet the following requirements:

- Contained: provide least privilege; they get only the access they need -- including protocols, network segments, applications, and systems -- to do their job within a specified window.
- Controlled: enforce containment through available tools and concepts like whitelisting, blacklisting, and the use of advanced solutions.
- Audited: violations should generate alerts; exceeding defined thresholds immediately suspends access until a security review is completed. _Think about the power of getting this part right._
- Recorded: capture all third-party access sessions to allow for quick reviews. This is especially useful during incident response. Further, if terminated for cause, Ken recommends an immediate review of the last two weeks of session recordings.

Aside: I took a few pages of notes speaking with Ken, and plan to share more insights about managing privileged access in the coming weeks. Hopefully before the next notable password breach.

This is the time to act; start with a conversation

Use the insights shared here to frame a conversation with executives and the teams responsible for prevention, detection, and response. Take a look at how partners are granted access to networks, systems, and information.

Explore what would happen if someone compromised them; could they then breach you?

Keep in mind that framing the problem in terms of the solution is risky. Instead, consider the current situation, potential risks, and the steps to make agreed-upon changes.

In addition to ensuring existing processes are enforced (link: ask Coke), work to develop a reasonable plan to improve capabilities across prevention, detection, and response.
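The Contained, Controlled and Audited requirements of the four-part model above, as an added Python example that is not from the article or from Xceedium: it checks constructed third-party access events against a per-vendor policy (allowed protocols, network segments and time window, all assumed values), raises an alert for every violation, and suspends the vendor once the alert count exceeds a threshold, pending security review.

```python
# Added example (not from the article or Xceedium): evaluate third-party access
# events against a per-vendor containment policy, alert on each violation and
# suspend the vendor once alerts exceed a threshold. All values are constructed.
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Contained: the protocols, segments and time window the vendor may use.
POLICIES = {
    "hvac-vendor": {
        "protocols": {"https"},
        "segments": [ip_network("10.20.0.0/24")],  # building-management segment
        "window": (time(8, 0), time(18, 0)),       # business hours only
        "alert_threshold": 2,                      # alerts tolerated before suspension
    },
}

def violations(policy, event):
    """Return the reasons an event falls outside the vendor's containment."""
    reasons = []
    if event["proto"] not in policy["protocols"]:
        reasons.append(f"protocol {event['proto']} not permitted")
    if not any(ip_address(event["dst"]) in seg for seg in policy["segments"]):
        reasons.append(f"destination {event['dst']} outside allowed segments")
    t = datetime.fromisoformat(event["ts"]).time()
    start, end = policy["window"]
    if not start <= t <= end:
        reasons.append(f"access at {t:%H:%M} outside window {start:%H:%M}-{end:%H:%M}")
    return reasons

def audit(events, policies=POLICIES):
    """Audited/Controlled: record alerts per vendor; suspend once the threshold is exceeded."""
    state = {v: {"alerts": [], "suspended": False} for v in policies}
    for ev in events:
        s = state[ev["vendor"]]
        if s["suspended"]:  # no new sessions until the security review completes
            s["alerts"].append(("session attempted while suspended", ev))
            continue
        for reason in violations(policies[ev["vendor"]], ev):
            s["alerts"].append((reason, ev))
        if len(s["alerts"]) > policies[ev["vendor"]]["alert_threshold"]:
            s["suspended"] = True
    return state

# Constructed sample events: one in-policy session, then out-of-policy activity.
SAMPLE_EVENTS = [
    {"vendor": "hvac-vendor", "ts": "2014-02-10T09:15:00", "proto": "https", "dst": "10.20.0.5"},
    {"vendor": "hvac-vendor", "ts": "2014-02-10T23:40:00", "proto": "https", "dst": "10.20.0.5"},
    {"vendor": "hvac-vendor", "ts": "2014-02-10T23:41:00", "proto": "smb", "dst": "10.30.1.7"},
    {"vendor": "hvac-vendor", "ts": "2014-02-11T10:00:00", "proto": "https", "dst": "10.20.0.5"},
]
```

Running `audit(SAMPLE_EVENTS)` yields the vendor suspended after the third event, and the fourth, in-policy session is still refused because the review has not been completed.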