By Ally Orlando, contributing writer
Security breaches possible through third-party sources connected to business networks
Security experts have speculated that the recent uptick in cyber attacks could be related to remotely monitored third-party sources such as vending machines and air conditioners, a New York Times article reports.
Such security breaches are possible when a company’s devices are managed by software directly connected to its network — such as air conditioning that can be monitored or managed remotely. If hackers are able to access one system, then they have the potential to access all other connected systems. This was the case in the recent Target security breach.
Billy Rios, director of threat intelligence at security firm Qualys, tells the New York Times that it is common for companies to connect their air conditioning systems to the same network as their databases containing sensitive information— including customer credit cards.
George Kurtz, chief officer of security firm Crowdstrike, explains that hackers choose third-party sources as targets because companies generally don’t think to look there for evidence of an attack. These sources are also targeted because they often operate on older systems, such as the no-longer-supported Microsoft Windows XP software, allowing hackers to gain access through weak spots and remain undetected. Security experts say that, in many cases, these devices are delivered with security settings defaulted to “off.”
Experts estimate that anywhere between one to three quarters of security breaches occur when companies do not take proper security measures for these third-party sources. The Ponemon Institute, a security research firm, revealed in a February 2013 study that 23 percent of respondents’ breaches were attributed to “third-party mistakes or negligence.” Arabella Hallawell, vice president of strategy at network security firm Arbor Networks, told the New York Times that she estimates 70 percent of the company’s reviewed breaches were related to third-party suppliers.
Similarly, a Bloomberg Businessweek investigation of the Target breach published last month reported that Target’s security team neglected alerts that identified suspicious activity.
In addition to negligence of third-party security, some victims are not able to find the source of these attacks. According to the Ponemon survey, this was the case in 28 percent of respondents’ security breaches.
If you do not manage connections to third-party systems for your client, ask if adequate security measures have been taken — or investigate, if your client doesn’t know. You might close a vulnerable, overlooked way in for cybercriminals.