May 30, 2018//Jeff SwearingenLast Updated: June 16, 2021
AMC’s Halt and Catch Fire has been one of my favorite binge-watches, but a recent episode made me appreciate it even more.
If you aren’t familiar with the show- it chronicles the good, bad, and the ugly of the evolution of technology. Familiar archetypes (the visionary, the engineer, the venture capitalist, the prodigy, etc.) negotiate their way through the dawn of the computer era.
Most of the backdrops are the major developments in technology. It’s fun to know the outcome of a trend (e.g. “It’s the Internet, you’re missing it!”) and watch while the players team up, break up, fight, compete, negotiate, double-cross, and sleep with one another. I’m only midway through season 3, so please no spoilers!
Season 3, episode 4 touched on a trend that I didn’t expect to surface: the dangers of third-party remote access.
In the event you missed the third-party data-breach mega-trend, simply look to what was arguably the seminal security event of the decade: the Target breach, where a compromised third-party credential resulted in the loss of about 100 million credit cards. Then Equifax and Home Depot, and more followed. According to the 2017 Trustwave Global Security Report, third-party remote access was the cause of 63% of data breaches in 2016–2017 and shows no sign of decreasing.
Back to Halt and Catch fire: In the fourth episode of season 3, Joe MacMillan learns that he has been fired as a contractor for General Atomics, a third party vendor doing work for the Department of Defense. Joe is one of the series protagonists who you can’t help but love and hate. He is an astute and ruthless businessman with a showman’s bravado; but struggles with self-esteem and confidence that makes him volatile and untrustworthy. At around minute 39 of the episode he discloses to a partner that, despite losing his contract, he still has valid Department of Defense credentials for remote access. How did he get them? Just like every other third party, they were given to him by the customer who required his services. He and his co-conspirator plot to use these credentials to gain access to DoD technology, in Joe’s words, “before they figure out my credentials still work.”
Is this far-fetched drama? Absolutely not! Larger organizations may have 100 or more third party vendors that require secure, remote access to their networks, often with elevated or administrative credentials. Multiply the 100 third party vendors by the number of support technicians or professional service engineers or other types of users at each vendor, and you can quickly be dealing with ten thousand individual credential holders that you don’t control, hire, or fire. Think about that—you may have more “outsiders” with privileged access than internal employees; and, like Joe MacMillan, because they are not your employee, you have no way of knowing when they get fired.
The TV industry may use this as a plot point in their show, but to those of us in the cybersecurity world this is something we strive to make the world aware of on a day-to-day basis. Organizations rely on third-parties to provide their product or service, but often these relationships aren’t regulated. Without the right secure, remote access software, your credentials are likely in the hands of someone who no longer works for one of your third parties. In other words, your organization could have tons of Joe MacMillan types accessing your network with nefarious intent.
It’s a small part of the series plot line, but the writers accurately portray the threat of poorly managed third-party remote access 25 years before the trend became part of the technological zeitgeist. Today, many of us have had to swap out our credit cards from the Target, Home Depot or other high-profile breaches caused by improperly managed third-party remote access.
Since I co-founded SecureLink in 2003 we have been focused on developing uncompromising remote access solutions for enterprises and the third-party vendors that serve them. For companies in secure and highly regulated industries, SecureLink creates win/win/win solutions that ensure compliance with security policies, industry regulations, and business processes.
If you’re not watching Halt and Catch Fire, I’d highly recommend it to anyone interested in a drama based on the technology industry’s evolution. And if you’re not securing your third-party access credentials, beware that a vendor you rely on may have recently fired their own version of Joe MacMillan.