Most organizations are aware of the risks and threats facing their networks and data, and they strive to adequately defend themselves. Many organizations also allow third parties like partners, vendors, or suppliers to access their networks, or maintain permanent connections to their internal networks, and they have no idea whether or not those third parties are secure at all. That sort of trust can come back to bite you.
That is what happened when Target was breached. The initial compromise was actually at a heating and cooling contractor that worked with Target. Because the HVAC contractor had access to the Target network, the attackers were able to infiltrate, and the damage was done.
I wrote about the role trust often plays in security breaches in this RSA blog post:
Recent security breaches have been attributed to a compromise at a third-party contractor. Attackers were able to exploit the trust between the two organizations to attack the larger company. You have to be cautious about whom you trust, and whom they trust.
It’s actually a sort of variation on the age-old bank robber strategy. In old Westerns and gangster movies, the crooks would set up shop next door or across the street and tunnel under the bank to get to the vault. It is certainly less overt than walking through the front door, but highly tedious and impractical. The cyber equivalent, however, is much easier to execute.
Your organization may have best-of-breed security tools in place, follow security best practices, and have employees who understand and follow established security policies. But if your network is connected to partners, vendors, or third-party contractors, hackers can leverage those relationships to gain access to your systems. The weakest link in your security chain may be the trust you have with companies and networks outside of your company.
The question, then, is how you’re supposed to defend yourself. Well, there are a couple of strategies you should adopt.
First, you should have policies and minimum security requirements in place for any company you choose to trust and grant access to your network. You need to do some due diligence and ensure that the companies you trust have security controls in place that meet your standards, since, by association, their network will be an extension of yours. For greater security, you should go a step further and require the organizations you trust to vet their third-party trusts in the same manner, and/or let you have some oversight or input into any trust relationships they establish.
Read the full article for more information: Trust Is the Root Cause of Many Security Breaches.