While you may think your organization has all of the appropriate technical, physical and administrative security in place to guard against a data breach, what about your third-party vendors and additional web-based software that you use on your website or internally to support your company’s workflow processes?
This question was raised again after the recent hack, attributed to a group in Syria, that took down CNN, Time and the Washington Post on Thursday. Instead of directly targeting the outlets' websites, the hackers launched a phishing email attack against the employees of an ad content company that provided services to all three media outlets.
According to Outbrain.com, the affected ad content company, it was the victim of a social engineering attack in which employees received an email purporting to be from their CEO. The email included a link to what looked like a news source but redirected to a page asking for Outbrain credentials. Someone complied, and the hackers were then able to gain access to the company's widget configuration tools.
The ad content network supplies links to related, external websites and articles that are similar in content to the one any user is currently reading, often titled “Other stories from around the web.” TheAtlanticWire.com reports that hackers were able to manipulate code on the articles to redirect readers to the SEA (Syrian Electronic Army) website.
One important takeaway is that your level of security is only as strong as your third-party vendors' security. As Reuters.com states, hackers increasingly choose to go after third-party providers because their security is likely to be more lax than that of their customers (often larger companies with a bigger IT or security budget). This is true of any complex business model or infrastructure that depends on other companies for any aspect of its operations, even if that aspect is not mission-critical.
The first step to ensuring complete security and decreasing your risk of a data breach is properly vetting the internal security practices of all your third parties. If you're a healthcare organization, you know your vendors need to meet HIPAA compliance to be as secure as you are, or PCI DSS compliance if they handle credit cardholder data. Certain audits and reports on compliance (ROCs) can provide more assurance that your vendors have invested in security.
In this particular case, staff training may have given employees valuable security knowledge and prevented them from giving out credentials to an unknown website. Although social engineering attacks are difficult to avoid completely, since they are often cleverly disguised, standard security policies for employee behavior can help.
Also, third-party transparency and effective communication are extremely important, particularly during a crisis. Outbrain posted timely and informative updates on its investigation and then outlined its steps:
- What steps they took to guarantee there would be no further system breaches
- What made them confident it was ok to relaunch the service
- What steps they were taking to prevent further attacks
The last step involved a few key actions and the adoption of new technical security tools, listed here straight from their blog:
- Required employee email access to use two-factor authentication
- Contracted with a forensic firm to review the incident
- Removed functionality to prevent future script injections
- Vulnerability scanning every hour to verify the code base was not modified
- Staff training on how to detect and avoid similar scams
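The hourly scan in the list above can be implemented as a hash manifest of the served code that is compared against a trusted baseline. The following is an added example, not Outbrain's own tooling; the widget file tree it checks is constructed inline, and the baseline is assumed to be stored where the web application itself cannot write to it.

```python
"""Added example: detect added, removed or modified files in a code base
by comparing a fresh SHA-256 manifest against a trusted baseline."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare the trusted baseline with the current manifest.

    Returns the files added, removed or modified since the baseline was taken;
    an empty result in all three lists means the code base is unchanged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small widget tree, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "widget.js").write_text("render(related_links);\n")
        (root / "config.json").write_text('{"links": "trusted-feed"}\n')
        # Baseline taken from a known-good deployment (assumed stored read-only).
        baseline = build_manifest(root)
        # Simulate unexpected changes: one file edited, one added, one deleted.
        (root / "js" / "widget.js").write_text("render(related_links); // changed\n")
        (root / "js" / "extra.js").write_text("// not part of the release\n")
        (root / "config.json").unlink()
        return verify(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In a scheduled job, any non-empty result from `verify` would page the on-call engineer and halt serving the widget until the change is explained.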
Look for similar traits in your third-party vendors and you may avoid a similar fate. Or check out our technical security tools that can help strengthen your company’s overall security.