Your Vendors: Cold Beer or Malicious Attack Vector?

Your Vendors: Cold Beer or Malicious Attack Vector?

  • By Jeff Swearingen
  • Feb 04, 2014

Your Vendors: cold Beer or Malicious Attack VectorThe word vendor may be most frequently associated with a guy selling beer or tossing bags of peanuts at your local stadium. Good times. Back at the office, there’s an entirely different kind of vendor: the one whose software is the backbone of your business operation.

Vendors are an important and potentially devastating population of users that should be handled with extreme care. Even a mid-size hospital will have 100 or more third parties that require remote access to service and support the MRI machine, the patient billing system and/or the electronic medical records platform.

Target disclosed that a vendor credential was a key component of its breach. A compromised administrator login was used to install malware that scooped credit card data and transferred it to a remote server. How did the attackers get network access to exploit the login? This story begins much earlier than what’s being reported.

There are two key things that make vendors very different than employees. First, one vendor may have thousands of individual technicians. Without the right controls, a login given to Tom on Tuesday may be used by Wendy on Wednesday. Credentials are not only stored in the vendor’s CRM system, they’re written on sticky notes affixed to monitors around the world.

Secondly, vendors require admin rights to their systems. As we learned in the Target breach, the network privileges granted to an admin are extremely powerful.  Your employees can view a sales report; your vendors can copy a database.

So, what to do? Here are my five golden rules for managing vendor access:

  1. Be aware. Vendors are not typical users and should be treated as very special guests.
  2. Have a realistic policy. Insist on individual logins and demand accountability, but don’t expect a technician to send you a copy of her passport. It’s not going to happen.
  3. Integrate policy in your purchasing process. Remote access should be negotiated before the vendor needs it. If your POS system is down, your IT staff (or someone else) is going to open a door that may be left open. The best time to negotiate access methodology is when the software is being purchased (amazing how accommodating the salespeople are at that time) or when your maintenance/subscription agreement is being renewed.
  4. Control the platform. If left to their own devices, a vendor may choose a remote support method (often a simple screen-sharing tool) that meets their needs more than yours. Your platform should support multi-factor authentication, provision granular access privileges, keep credentials private and audit all activity at the individual user level.
  5. Monitor vendor activity. While it may not be practical to track every keystroke, a consistent audit of vendor remote access should create alarms when a server is accessed repeatedly or large files are being transferred outside the network.

Managing vendor access is a critical component of any network security strategy. With awareness, proper policy and the right platform, it’s possible to avoid a malicious visit from these very special guests.

About the Author

Jeff Swearingen is co-founder and CEO of SecureLink, an Austin, TX-based software company that helps manage the chaotic space between enterprise technology vendors and their customers.

Featured

  • New Gas Monkey Garage Venue Uses AI-Enhanced Video Technology

    Gas Monkey Garage, the automotive custom shop and entertainment brand founded by Richard Rawlings of Fast N’ Loud TV fame, has opened a vibrant new restaurant and bar in South Dakota, equipped with advanced, AI-enhanced video tech from IDIS Americas. Read Now

  • Data Driven, Proactive Response

    As cities face rising demands for smarter policing and faster emergency response, Real Time Crime Centers (RTCCs) are emerging as essential hubs for data-driven public safety. In this interview, two experts with deep field experience — Ross Bourgeois of New Orleans and Dean Cunningham of Axis Communications — draw on decades of operational, leadership and technology expertise to share how RTCCs are transforming public safety through innovation, interagency collaboration and a relentless focus on community impact. Read Now

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

Most   Popular

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.