Your Vendors: Cold Beer or Malicious Attack Vector?

Your Vendors: Cold Beer or Malicious Attack Vector?

Your Vendors: cold Beer or Malicious Attack VectorThe word vendor may be most frequently associated with a guy selling beer or tossing bags of peanuts at your local stadium. Good times. Back at the office, there’s an entirely different kind of vendor: the one whose software is the backbone of your business operation.

Vendors are an important and potentially devastating population of users that should be handled with extreme care. Even a mid-size hospital will have 100 or more third parties that require remote access to service and support the MRI machine, the patient billing system and/or the electronic medical records platform.

Target disclosed that a vendor credential was a key component of its breach. A compromised administrator login was used to install malware that scooped credit card data and transferred it to a remote server. How did the attackers get network access to exploit the login? This story begins much earlier than what’s being reported.

There are two key things that make vendors very different than employees. First, one vendor may have thousands of individual technicians. Without the right controls, a login given to Tom on Tuesday may be used by Wendy on Wednesday. Credentials are not only stored in the vendor’s CRM system, they’re written on sticky notes affixed to monitors around the world.

Secondly, vendors require admin rights to their systems. As we learned in the Target breach, the network privileges granted to an admin are extremely powerful.  Your employees can view a sales report; your vendors can copy a database.

So, what to do? Here are my five golden rules for managing vendor access:

  1. Be aware. Vendors are not typical users and should be treated as very special guests.
  2. Have a realistic policy. Insist on individual logins and demand accountability, but don’t expect a technician to send you a copy of her passport. It’s not going to happen.
  3. Integrate policy in your purchasing process. Remote access should be negotiated before the vendor needs it. If your POS system is down, your IT staff (or someone else) is going to open a door that may be left open. The best time to negotiate access methodology is when the software is being purchased (amazing how accommodating the salespeople are at that time) or when your maintenance/subscription agreement is being renewed.
  4. Control the platform. If left to their own devices, a vendor may choose a remote support method (often a simple screen-sharing tool) that meets their needs more than yours. Your platform should support multi-factor authentication, provision granular access privileges, keep credentials private and audit all activity at the individual user level.
  5. Monitor vendor activity. While it may not be practical to track every keystroke, a consistent audit of vendor remote access should create alarms when a server is accessed repeatedly or large files are being transferred outside the network.

Managing vendor access is a critical component of any network security strategy. With awareness, proper policy and the right platform, it’s possible to avoid a malicious visit from these very special guests.

About the Author

Jeff Swearingen is co-founder and CEO of SecureLink, an Austin, TX-based software company that helps manage the chaotic space between enterprise technology vendors and their customers.

Featured

  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

Webinars

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3