January 11, 2019//Ellen NeveuxLast Updated: April 29, 2019
Network security has been tested in increasingly aggressive ways, particularly in the past five years. Bad actors and risky user behavior have brought new challenges and vulnerabilities. With each new year, it’s important to review the incidents and missteps that had the biggest impact. This promotes stronger and more intelligent security protocols.
A major indicator of enterprise security is how vendor access is managed. Last year there was a sharp rise in the number of breaches that involved a third-party component. In fact, according to a study done by IBM, in 2018 the average impact of data breaches on enterprises was up to $1.23 million; this is a 24% increase from 2017. If we look at some of the biggest breaches of 2018, third-party access was a significant factor and there are critical lessons to learn for both enterprises and vendors.
An unsecured POS system leaves parent companies and subsidiaries open to attack:
Saks Fifth Avenue and Lord & Taylor were hit by a well-known cybercriminal ring that took advantage of an unsecured POS system by infecting it with software that hijacked credit card numbers and other sensitive customer data, exposing 5 million records. The affected POS systems happened in-store at their well-known clothing retailer, Hudson’s Bay Company.
This breach illustrates the need for parent companies to consider each subsidiary as part of their third-party ecosystem and that cybersecurity needs to be managed cohesively between parent companies and their subsidiaries. Cybersecurity awareness training and vulnerability management of POS systems are key to thwart attackers.
A cloud server leaks confidential information after a third-party contractor leaves it unprotected:
A contractor at Universal Music Group failed to protect an Apache Airflow server, leaving copious amounts of confidential data exposed to the public. The FTP credentials, AWS Secret Keys, passwords, and SQL root passwords were all exposed to the open internet. Universal Music Group has thousands of interactions with third parties daily, but it only takes one mistake to wreak havoc on an enterprise.
In this case, a single contractor simply forgot to password protect a server, but it left vital information open for anyone to find. Enterprises need to prioritize least privileged third-party access in order to mitigate these kinds of simple-mistake breaches. Ensuring all contractors are trained on risk management and limiting contractor access to vital systems can go a long way in preventing unnecessary exposures.
Restaurant giants Applebee’s and Chili’s taken down by malware:
It was discovered that POS systems at more than 160 Applebee’s restaurants were infected by malware, exposing the credit card information of their customers. Later in the year, Chili’s suffered a similar breach when malware infected weak POS systems and exposed more customer credit card information.
Restaurant giants like these rely on third-party vendors to provide POS systems, inventory management solutions, and other critical services. It is important that giants such as these ensure that every vendor implements best-in-class security, especially in POS systems where sensitive customer data is collected.
Major third-party provider exposes data from Fortune 500 firms:
Corporation Service Company (CSC) reported a breach in which attackers stole the personal information of over 5,600 customers. CSC provides domain registration and other services for large clients. Routine security monitoring detected unauthorized access to CSC’s network by a third-party that stole a database table.
CSC and companies like it collect sensitive, personal information on behalf of their clients and should ensure that the security controls of vendors and other third parties don’t leave weaknesses ripe for attackers to exploit. Implementing multi-factor authentication and stronger password protocols must be part of those best practices.
The largest breach of the year was due to a third-party archive:
MyHeritage Genealogy Site was reported to have 92 million records exposed by a third-party server that contained an archive of the personal information of MyHeritage users. The data that was exposed included hashed passwords and emails. Prior to the breach, the site had implemented some critical security practices that prevented a more significant loss and separate third-party servers were used to store payment and DNA information remained protected.
As enterprises grow, so does the need to bring in third parties to fulfill specific business needs. The more third-party vendors and partners that are added to a digital ecosystem, the more vulnerable an enterprises’ systems become. Even trusted vendors with long-established relationships can come under attack.
This biggest takeaway from last year’s challenges is that it’s critical to approach risk management collaboratively while protecting your network through strict access controls and comprehensive monitoring.