Another reminder of the importance of managing third party vendor relationships…
The Commodity Futures Trading Commission fined AMP Global Clearing (an electronic trading firm) $100,000 for a disclosure of 97,000 files containing customer information to an unauthorized third party due to a misconfigured network attached storage device.
AMP had outsourced parts of it information systems security program to a third party provider who had failed to detect the exposed data during three successive vulnerability audits of AMP’s systemes.
Outsourcing can be a really effective tool for augmenting a firm’s infosec program, but business leaders and CSOs need to remember that the ultimate responsibility for protection of corporate and customer data still remains with them. However, when the firm is a regulated entity, the risks of relying on an outsider to perform critical parts of the infosec program without adequate supervision outweigh the (admittedly attractive) cost savings.
Monitoring third party service provider performance is a hard problem. Most firms don’t have the resources to perform in person audits and most providers don’t have the ability to allow every customer to audit them. This is why external independent audits of third party providers’ security practices are so important. These audits need to be performed against generally accepted security standards with objective audit criteria. ISO27001 and SSAE18 SOC2 are two examples of such audit types.
Even if a business partner gets a clean bill of health from an independent auditor, their performance must be monitored by the line of business who engaged them as well as by the infosec department. Recently, I have been seeing more and more inquiries from my firm’s customers coming between their annual due diligence reviews of our services. Most of these inquiries occur when there is a “celebrity vulnerability” like Spectre/Meltdown – what I am hoping to see in the future are more questions confirming “security 101” procedures and practices.
The advent of security ratings firms like Security Scorecard and Bitsight can also be helpful in this area. While their security ratings cover specific aspects of a vendor’s security program (practices that can be seen from the Internet), they can provide an ongoing data point to be used to detect potential problems in between those annual security reviews. I believe that this industry is in its early stages and that the results that they provide must be examined carefully against the specific requirements of your security program.
As companies outsource infrastructure, applications and services to third parties in order to concentrate on their core competencies, the importance of third party vendor management is going to continue to grow.
In August of last year, a security researcher at UC Berkeley found two security vulnerabilities in LastPass while researching the security of web based password managers. He reported the problems to LastPass, who quickly remediated them.
One of the vulnerabilities would have allowed an attacker to gain access to unencrypted credentials IF the user accessed a malicious web site and then used the LastPass “BookMarklet” to log into that site – if you use the browser extensions for Chrome, IE, Firefox, or Safari (as 99% of LastPass users do), your account was not vulnerable to this attack. BookMarklets are only used if the browser in use does not support LastPass directly.
The other vulnerability would have allowed an attacker who knew a user’s log in ID to retrieve an user’s encrypted password file, but not the key needed to decrypt this file.
LastPass states that they have no evidence that either of these vulnerabilities were exploited by anyone other than the researchers.
I still use and recommend LastPass – after all, if we stopped using software every time a security vulnerability was found and fixed, we would not be using Windows, Mac OS, or any browsers and plugins. The extra security provided by using LastPass to manage unique strong passwords for the sites you log into far outweighs the risk of being compromised by vulnerabilities such as the ones described.
There is a lesson to be learned for LastPass users, though. The security of your account is as only as good as the master password you choose for your LastPass account. Make sure that it is hard to guess, and is constructed using letters, numbers and special characters in order to make it as hard as possible for someone to crack.
I am disappointed in how long it took LastPass to reveal this issue – when you are entrusted with users’ “keys to the kingdom,” you have a responsibility to be transparent about issues like this in a timely fashion. I think that this is also a good time for LastPass to open up their code for third party security review to be proactive about finding and fixing security issues before the bad guys do.
A security vulnerability in the way that online storage provider DropBox (and possibly rival Box) handles links to shared files caused some documents (which were supposed to be viewable only people designated by the file owner) accessible and available to web site owners using Google’s visitor analytics and advertising tools. The rival online storage firm which found the issue claimed to have reported the problem (which gave access to sensitive files like mortgage documents and tax returns) to Dropbox last November. Dropbox fixed this issue, which it insists is a feature rather than a security flaw, this past Monday.
This issue highlights the need to make encryption of files and data stored on cloud service providers with keys stored on the user’s local system simple enough for non technical folks. The solution also needs to be able to support sharing of encrypted files securely with a third party or with other cloud services you authorize. If cloud providers can get this right (no small feat), living your life in the cloud will truly be ready for prime time.
Some solutions which currently exist:
- Boxcryptor is a software solution which sits on top of Dropbox and other storage providers and automagically encrypts files as they are sent to and received from the cloud. They provide secure sharing as well as mobile apps for the major platform. Of course, since Boxcryptor is an overlay to services like DropBox, using this product would break the integration between DropBox and other cloud apps.
- There is at least one consumer usable provider (SpiderOak) which currently claims to offer this type of Zero Knowledge Encryption.
The real answer to the issue of cloud encryption lies in having the encryption built in to the platforms in a standard and interoperable way. C’mon cloud vendors, you can do it!
A cautionary tale of cloud computing… apparently, a Google Groups group set up by the Japanese Ministry of the Environment to (internally) share documents and messages regarding negotiations about an international treaty was misconfigured, leaving the information therein world readable. Cloud computing is here to stay folks and governments, companies and other organizations (and their security folks) need to figure out ways to keep confidential data either out of the cloud or, better yet, safe in the cloud. IMHO, we need cloud providers to come up with creative ways to allow organizations to encrypt particularly sensitive data with keys controlled by the data owner.