Your Vendors: Cold Beer or Malicious Attack Vector?

Your Vendors: Cold Beer or Malicious Attack Vector?

  • By Jeff Swearingen
  • Feb 04, 2014

Your Vendors: cold Beer or Malicious Attack VectorThe word vendor may be most frequently associated with a guy selling beer or tossing bags of peanuts at your local stadium. Good times. Back at the office, there’s an entirely different kind of vendor: the one whose software is the backbone of your business operation.

Vendors are an important and potentially devastating population of users that should be handled with extreme care. Even a mid-size hospital will have 100 or more third parties that require remote access to service and support the MRI machine, the patient billing system and/or the electronic medical records platform.

Target disclosed that a vendor credential was a key component of its breach. A compromised administrator login was used to install malware that scooped credit card data and transferred it to a remote server. How did the attackers get network access to exploit the login? This story begins much earlier than what’s being reported.

There are two key things that make vendors very different than employees. First, one vendor may have thousands of individual technicians. Without the right controls, a login given to Tom on Tuesday may be used by Wendy on Wednesday. Credentials are not only stored in the vendor’s CRM system, they’re written on sticky notes affixed to monitors around the world.

Secondly, vendors require admin rights to their systems. As we learned in the Target breach, the network privileges granted to an admin are extremely powerful.  Your employees can view a sales report; your vendors can copy a database.

So, what to do? Here are my five golden rules for managing vendor access:

  1. Be aware. Vendors are not typical users and should be treated as very special guests.
  2. Have a realistic policy. Insist on individual logins and demand accountability, but don’t expect a technician to send you a copy of her passport. It’s not going to happen.
  3. Integrate policy in your purchasing process. Remote access should be negotiated before the vendor needs it. If your POS system is down, your IT staff (or someone else) is going to open a door that may be left open. The best time to negotiate access methodology is when the software is being purchased (amazing how accommodating the salespeople are at that time) or when your maintenance/subscription agreement is being renewed.
  4. Control the platform. If left to their own devices, a vendor may choose a remote support method (often a simple screen-sharing tool) that meets their needs more than yours. Your platform should support multi-factor authentication, provision granular access privileges, keep credentials private and audit all activity at the individual user level.
  5. Monitor vendor activity. While it may not be practical to track every keystroke, a consistent audit of vendor remote access should create alarms when a server is accessed repeatedly or large files are being transferred outside the network.

Managing vendor access is a critical component of any network security strategy. With awareness, proper policy and the right platform, it’s possible to avoid a malicious visit from these very special guests.

About the Author

Jeff Swearingen is co-founder and CEO of SecureLink, an Austin, TX-based software company that helps manage the chaotic space between enterprise technology vendors and their customers.

Featured

  • The Evolution of IP Camera Intelligence

    As the 30th anniversary of the IP camera approaches in 2026, it is worth reflecting on how far we have come. The first network camera, launched in 1996, delivered one frame every 17 seconds—not impressive by today’s standards, but groundbreaking at the time. It did something that no analog system could: transmit video over a standard IP network. Read Now

  • From Surveillance to Intelligence

    Years ago, it would have been significantly more expensive to run an analytic like that — requiring a custom-built solution with burdensome infrastructure demands — but modern edge devices have made it accessible to everyone. It also saves time, which is a critical factor if a missing child is involved. Video compression technology has played a critical role as well. Over the years, significant advancements have been made in video coding standards — including H.263, MPEG formats, and H.264—alongside compression optimization technologies developed by IP video manufacturers to improve efficiency without sacrificing quality. The open-source AV1 codec developed by the Alliance for Open Media—a consortium including Google, Netflix, Microsoft, Amazon and others — is already the preferred decoder for cloud-based applications, and is quickly becoming the standard for video compression of all types. Read Now

  • Cost: Reactive vs. Proactive Security

    Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after. Read Now

  • Achieving Clear Audio

    In today’s ever-changing world of security and risk management, effective communication via an intercom and door entry communication system is a critical communication tool to keep a facility’s staff, visitors and vendors safe. Read Now

  • Beyond Apps: Access Control for Today’s Residents

    The modern resident lives in an app-saturated world. From banking to grocery delivery, fitness tracking to ridesharing, nearly every service demands another download. But when it comes to accessing the place you live, most people do not want to clutter their phone with yet another app, especially if its only purpose is to open a door. Read Now

Most   Popular

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.