SolarWinds Survey Showcases the DevOps Disconnect

SolarWinds Survey Showcases the DevOps Disconnect

Survey Showcases the DevOps Disconnect The increasingly distributed nature of today’s tech environments has amplified the demand for DevOps practitioners in the workplace. But are DevOps teams, developers, and web product managers (WPMs) doing the work their job titles intend? SolarWinds Cloud Confessions: The Trouble
/
Leading Multicloud Strategies

What’s Ahead for Cloud in 2019

The Cloud In 2019 2018 was an incredible time for cloud. Its impact on customer experiences, business processes and models, and workforce innovations was undeniable. We saw more and more use cases where customers started leveraging multiple clouds to enable innovation than ever before. But
/

Addressing Third-Party Security Vulnerabilities in 2019

Third-Party Security Vulnerabilities

Organizations and businesses often spend a lot of time worrying about internal security, both online and off. Infrastructure is often put in place with security front and center, as a means to mitigate potential risks and data breaches.

Unfortunately, it doesn’t matter how secure a network or infrastructure is, because there are still ways companies can be attacked.

Third-Party Security Vulnerabilities

 

Third-party products and services are integral to a lot of businesses and are included in a wide variety of processes.

Auditing, compliance monitoring, vendor and partner support, hardware and software monitoring, maintenance and troubleshooting — all these applications may require the use of third-party tools and services. Unfortunately, every single one of them is vulnerable to an outside attack, which means companies involved with them are, too. That also extends to customers and clients.

With each organization or service provider that is involved with business operations, the risks grow exponentially. In many cases, however, companies have to rely on a third party as there’s no other option. That’s where the idea of a third-party risk mitigation strategy or approach comes into play.

It’s necessary to identify, assess and mitigate certain risks associated with third-party dealings and services.

Why Do Third-Party Breaches Matter?

During April and May in 2018, it was revealed that a small group of retailers was compromised by a massive breach, including Best Buy, Sears, Kmart and Delta Airlines. In terms of goods and services, these companies are hardly related. However, they all relied on a third-party brand called [24]7.ai, which offers chat and customer service tools.

It turned out that [24]7.ai had been compromised via a particularly nasty strand of malware resulting in the breach of incredibly sensitive customer information. Some of the stolen data included credit card numbers, expiration dates, CVV info, customer addresses, names and much more.

Thousands of customers from each of the different companies — and then some — were affected by the breach, which was essentially out of the hands of said retailers.

The company was a third-party vendor that all these retailers were doing business with, and yet the breach affected them as if their own systems or networks had been compromised. It shows that third-party breaches can be just as damaging for organizations as internal ones, if not worse.

The [24]7.ai breach wasn’t the only one that occurred last year, however. Additional high-profile attacks were carried out on brands like Saks Fifth Avenue, Lord & Taylor, MyFitnessPal, Universal Music Group, Applebee’s and many others.

Follow the Six-Step Plan

To mitigate the risks associated with third-party vendors and services, it’s always a good idea to follow a strict plan or strategy — ideally one that is set in place before striking up partnerships or signing contracts.

1) First, establish a vendor management or vetting program. Begin with an introductory assessment that reviews how secure a platform is and whether or not there has been a breach in the past. While looking at a new credit card processor, for example, it’s crucial to check if its systems were affected by a data breach before, and if it was, how things have been improved or updated since.

2) Rank all vendors and partners according to risk. Catalog them based not only on the risk they pose, but also the data they handle. If a vendor is riskier than the others on the list but does not deal in sensitive customer information, it may warrant ranking them higher. Furthermore, update this list regularly and often to ensure priorities remain in order.

3) When striking a new partnership or agreement, cover all the bases by ensuring the third party understands what security protocols should be followed, and what that means for general operations. Ultimately, a third party’s security solutions should be considered too, in order to get a grasp on how protected data will be after it’s exchanged.

4) Endpoint security is an absolute must when working with third parties. Ensure it’s been properly deployed and that core business systems are protected at all times.

5) Stay informed about industry events, especially third-party attacks and breaches. The National Vulnerability Database is an excellent resource for checking up on what’s happening.

6) Develop a plan for dealing with a potential breach or attack before something happens. Even if there are no sensitive details lost, it’s important to take proper action. Ensure that a network or access point is under control and no longer compromised. Secure existing data and any incoming information from further attacks. Lock down systems so any intruders who have yet to be identified cannot cause more damage. Watermark’s response to the infamous Spectre and Meltdown vulnerabilities has been exceptional and serves as an example of how to deal with third-party security vulnerabilities in the aftermath of discovery.

Organizations should always have a full understanding of the data available to them and within their reach. Where is it stored? Who has access to the systems and information? How is it protected, and are there ways around the security? How sensitive is the information and what kind of damage will occur if it’s stolen?

These are all critical components of understanding what, how and where certain data is being used, and how to better protect it.

By Kayla Matthews

Kayla Matthews

Kayla Matthews is a technology writer dedicated to exploring issues related to the Cloud, Cybersecurity, IoT and the use of tech in daily life.

Her work can be seen on such sites as The Huffington Post, MakeUseOf, and VMBlog. You can read more from Kayla on her personal website, Productivity Bytes.

View Website
Kayla Matthews

5 Cybersecurity Trends Defining 2019

5 Cybersecurity Trends The cybersecurity industry continually evolves to meet changing needs and adopt new technologies. As such, it's appropriate to take a look at ...
Mobile security

It May Not Be Sexy, But Strict Compliance Delivers The Freedom To Innovate

Compliance and Business Innovation When the U.S. based non-profit organization RHD | Resources for Human Development decided to move its operations into the cloud, one ...
Survey results reveal the biggest Artificial Intelligence challenges

Survey results reveal the biggest Artificial Intelligence challenges

Biggest Artificial Intelligence Challenges We’ve been told countless times over the past few years what an impact Artificial Intelligence (AI) is going to have on ...
How Can We Use Artificial Intelligence When We Can't Handle Real Intelligence?

How Can We Use Artificial Intelligence When We Can’t Handle Real Intelligence?

Artificial Versus Real Intelligence In this article we will be discussing the pitfalls of societal disillusionment with facts, and how this trend may become troubling ...
MIT tech review

A new microchip aims to stump hackers with a constantly moving target

/
Morpheus repeatedly changes key parts of its code to foil cyberattacks Last year’s revelations of security holes that affect billions of chips have spurred researchers to seek more effective ways ...
Wired

Everyone Wants Facebook’s Libra to Be Regulated. But How?

/
Everyone from President Trump to Representative Maxine Waters (D-California) says Libra, Facebook's planned cryptocurrency, should be heavily regulated. But nobody seems to know how—including Facebook. That much was clear in ...
Reuters news

Daimler, Bosch get approval to test driverless valet parking

/
BERLIN (Reuters) - Daimler and auto supplier Bosch will start valet parking using autonomous driving technology in Stuttgart, Germany, after local authorities gave the carmaker permission to start testing the ...