Vendors Still Need to be Monitored
With time, the vulnerabilities from aps continue to grow. As these became known, patches are created and pushed. This has tended to be a rather straightforward process.
Beginning with the Target attack from a few years ago, a new vector began to become more of an issue. The vendor, who have access to the host system, provides a new avenue of attack. All of the vulnerabilities and malware infections of the vendor has the potential of passing it onto the host every time the vendor logs in or connects to the system to diagnose an issue or configure an asset.
The Target breach headlined the issue. This coupled with the timing of the incident, just before the holidays, certainly made an impression. With the additional breaches using this avenue of attack, this was well-known. Seemingly the vendors would be placed under additional scrutiny due to the potential loss. This has not been the case. The environment has not learned from its oversights.
The CHI Franciscan Health Highline Medical Center announced in September 2016 due to an oversight with the vendor patient records may have been exposed. They were also notifying the potentially affected patients. The issue here was a vendor notified the host on July 22, 2016. The exposure period was from April 21, 2016 to June 13, 2016. The data which could have been exfiltrated included the usual PII encountered with healthcare facilities, including patient names, dates of service, health insurance information, and of course the SSN. All of these have a clear value in the dark web.
This is enough of an issue to manage in itself. The underlying problem, in comparison to the symptoms, is the lack of appreciation of the past. We are still making the same errors.
About the Author
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.