3rd Party and Vendor Lack of Security Is Still Creating Vulnerabilities
No business is an island. At times, a business requires outside services from vendors to complete its mission. As a rule of thumb, an organization cannot keep an employee on staff who is a subject matter expert (SME) on everything that affects the business. The networks and systems are simply too complex, with too many parts moving in tandem, to maintain an in-house workforce of experts in each of them; it is not a viable endeavor. Engaging third parties who have expertise in these areas tends to be much more cost-effective.
Although this is a positive aspect and helps the business improve its income statement, it also carries the potential for a significant issue. When a vendor plugs into the client’s network, any malware or other problem on the vendor’s system has the opportunity to cross over to the client’s network through that connection. If the vendor’s laptop was earlier connected to a local coffee shop’s free, open Wi-Fi or to the airport’s free, open Wi-Fi, or if a thumb drive that had been used at the employee’s high school was later plugged into the laptop, any malware picked up along the way, including ransomware, is now within reach of the client’s systems.
In the Navy
The armed forces are no different from a business: both have technical needs and may lack the depth or breadth of staff to accomplish everything they need. In this instance, the Navy contracted with Hewlett Packard Enterprise (HPE) for a project or function, and HPE’s contractors worked with the Navy and its data. On its face this would be an acceptable relationship. In this case, however, the contractual relationship did not work as well as intended: HPE notified the Navy on October 27, 2016 that one of its laptops had been compromised.
The Navy has a vast number of members working across the planet at any particular time. In this case, 134,386 current and former Navy personnel had their names and Social Security numbers (SSNs) compromised. The data was part of the Career Waypoints (C-WAY) database, which sailors use for career planning functions, and it was exposed because it resided on the third party’s laptop when that laptop was compromised. Whether the laptop was lost, stolen, or hacked was not reported. Whatever the method, the outcome is the same: the data on the laptop was not secured, which raises the question of why a sensitive personnel dataset was stored on a contractor’s laptop in the first place.
With most breaches and compromises, there is a lesson to be learned and applied to other circumstances and businesses. Although each incident is different, the same issues are encountered repeatedly, and even though they seem to reappear frequently, the lessons still have to be applied to each new environment.
There are many actions that can be taken to harden a system, from the application down to the hardware. These are applied based on the requirements and needs of the business and its users, and they involve a balancing act among confidentiality, integrity, and availability (CIA). One aspect that continues to plague businesses, and is still not adequately addressed, is the risk from third parties.
Granted, third parties are separate entities standing alone, with their own ownership. Certain third parties and projects, however, require access to the client’s network, systems, and nodes. If the third party does not have an adequate cyber/InfoSec program to ensure, as far as possible, that its systems are free of malware, then each and every time the vendor’s representative connects there is a distinct opportunity for malware to cross over onto the client’s enterprise. The client may attempt to push liability for any resulting breach or compromise onto the vendor through the contract, but liability is not the same as prevention, and shifting it may not be easily accomplished in any case.
There are opportunities to defend against this. One step is to require vendors and contractors to complete a cyber/InfoSec questionnaire. Although it is only a questionnaire, it provides insight into practices that may previously have been unknown. It also provides the opportunity to ask follow-up questions and to request the vendor’s latest penetration test or vulnerability assessment report. With this data in hand, the client can better gauge the vendor’s focus on security, or lack thereof, which can guide the client when working through the contract terms. A questionnaire is self-reported, so the answers should be treated as claims to verify rather than as assurance in themselves.
This breach is not an anomaly. The security of suppliers and vendors connecting to the client’s network continues to be a problem. Although this is well known, testing for this exposure is only lightly applied. Prior incidents include, but are not limited to:
Target in 2013: An air conditioning (HVAC) supplier had been phished, and its credentials were used to reach Target’s environment.
PA Consulting in 2008: Lost the data of 84,000 prisoners, which had been placed on an unencrypted thumb drive.
Goodwill Industries from February 2013 to August 2014: Malware on a third-party supplier’s system stole credit card and debit card data from 330 stores in 19 states in the US.
Home Depot in 2014: A supplier’s username and password had been compromised, leading to the theft of credit card details.
Wendy’s in 2016: Compromised third-party credentials allowed malware to be introduced into the enterprise; it was coded to steal customers’ credit card details and affected roughly 20% of US stores.
Lockheed Martin in 2011: Data stolen from RSA was used to attack Lockheed Martin.
This will have a long-term effect on the sailors whose information was compromised. The Navy has stated that the affected personnel will be taken care of, which at this point would take the form of credit monitoring services. The sailors were also told to monitor their bank and credit card accounts and to watch for phishing attempts. At the time, there was no evidence that the data had been misused.
Bearing this in mind, the Navy and many others have missed the long-term implications. A sailor’s SSN does not change over time; it is permanent, so there is no shelf life for the stolen data. It may be sold one year or three years from now, and sold two or three times over. The sailors will need to monitor their personal credit for years, not just for the term of whatever monitoring service is offered.
Ashford, W. (2016, November 25). US Navy breach highlights third-party cyber risk. Retrieved from http://www.computerweekly.com/news/450403530/US-Navy-breach-highlights-third-party-cyber-risk
Bevan, K. (2016, November 24). ‘Compromised’ laptop implicated in US navy breach of 130,000 records. Retrieved from https://nakedsecurity.sophos.com/2016/11/24/compromised-laptop-implicated-in-us-navy-breach-of-130000-records/
Department of the Navy. (2016, November 28). OPM breach. Retrieved from http://www.secnavy.navy.mil/OPMBreachDON/pages/default.aspy
Fiveash, K. (2016, November 24). US Navy warns 134,000 sailors of data breach after HPE laptop is compromised. Retrieved from http://arstechnica.com/security/2016/11/us-navy-warns-134000-sailors-/data-breach-hpe-laptop-compromised/
Larter, D.B. (2016, November 23). Personal data for more than 134,000 sailors was breached, Navy says. Retrieved from https://www.navytimes.com/articles/data-breach-exposes-more-than-100-000-sailors-information
Lee, D. (2016, November 24). US Navy sailors’ data breached. Retrieved from http://www.bbc.com/news/technology-38090234
Lemarque, K. (2016, November 23). Personal data for more than 130,000 sailors breached, Navy announces. Retrieved from http://www.foxnews.com/tech/2016/11/23/personal-data-for-more-than-130000-sailors-brached-navy-announces.html
Perez, R. (2016, November 24). US Navy suffers data breach. Retrieved from http://www.scmagazineuk.com/us-navy-suffers-data-breach/article/575161
Thomson, V. (2016, November 25). Navy members affected by data breach. Retrieved from http://www.itechpost.com/articles/58335/20161125/navy-members-affected-data-breach.htm
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.