It was widely published in the press last week that the original entry point into the Target system that ultimately resulted in the theft of 40 million credit cards and personal information of 70 million people came through a vendor account.
In my eyes, this shines a light on an area that almost nobody pays attention to, but that is severely in need of closer examination. I haven’t ever had a customer challenge me on the methods and processes we have in place to protect their information, and that is too bad, as this is quite possibly the largest hole in their security strategy.
Nearly every IT vendor has administrative-level access to your system, and in most cases several other vendors do too (the phone vendor, the copier vendor, the support department for your line-of-business application, etc.). When working with IT-related vendors, we often receive a request to create them a set of credentials on the system with administrative rights. When we challenge whether they truly need administrative rights, we are generally told it won’t work without them. That is really just a way of saying “we don’t want to put the effort into figuring out how to make it work with standard user rights.”
The question you should be asking is what those vendors are doing to protect those credentials which give them (and anyone who has their credentials) access to every file, program, email, application, database, and anything else on your system. I believe there are a few standard questions that small and medium businesses should ask ANY vendor before giving them credentials:
1. Where will you store the credentials? In electronic or written format? If electronic, will the credentials be encrypted?
2. Is access to the credentials secured such that only those with a need to know have access to them?
3. How often will you change your credentials? Do you have a system in place to ensure the password is updated regularly?
4. What process do you have in place that gets executed when an employee or contractor that has access to credentials leaves the organization for any reason? How long will it take to update the credentials so that individual no longer has access to my system?
5. How do you construct the credentials you will use to access our system? Is it a predictable password such as ‘password123’, or is it a long (at least 15 characters), complex, and random password such as those generated at http://strongpasswordgenerator.com?
6. What logging/auditing system do you have in place to record who is accessing the credentials and when?
The good news for our customers is we have EXCELLENT answers to every one of the questions above, but unfortunately I don’t think most vendors can say that. It certainly wouldn’t hurt to make a list of every vendor that has an account on your system and then ask them these questions just to see what you find out.
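To show what the inventory step looks like in practice, here is an added example (not code from the original post) that reviews an account export for vendor accounts, flags the ones holding admin-group membership or a stale password, and generates a replacement credential that meets the “at least 15 characters, complex, random” bar from question 5. The CSV export, the column names, the rule that a vendor account is one whose description contains the word “vendor”, and the 90-day rotation threshold are all assumptions made for the example.

```python
import csv
import io
import secrets
import string
from datetime import date

# Constructed sample export (not from the original post). Assumed columns:
# account, free-text description, semicolon-separated groups, and ISO dates.
SAMPLE_EXPORT = """\
account,description,groups,password_last_set,last_logon
jsmith,Accounting,Domain Users,2014-01-10,2014-02-01
acme-support,ACME copier vendor,Domain Users;Domain Admins,2012-06-15,2014-01-28
phone-vendor,VoIP phone vendor,Domain Users;Administrators,2013-10-02,2013-10-02
lob-app-svc,LOB application support vendor,Domain Users,2013-12-20,2014-01-30
"""

# Assumed: group names that confer administrative rights on the system.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
# Assumed rotation threshold; pick whatever your own policy says.
MAX_PASSWORD_AGE_DAYS = 90


def parse_export(text):
    """Parse the CSV export into rows with a group set and real dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["groups"] = set(g.strip() for g in row["groups"].split(";"))
        row["password_last_set"] = date.fromisoformat(row["password_last_set"])
        row["last_logon"] = date.fromisoformat(row["last_logon"])
        rows.append(row)
    return rows


def is_vendor(row):
    """Heuristic (assumption): vendor accounts say 'vendor' in the description."""
    return "vendor" in row["description"].lower()


def review_vendor_accounts(rows, today):
    """Return {account: [issues]} for every vendor account in the export."""
    findings = {}
    for row in rows:
        if not is_vendor(row):
            continue
        issues = []
        admin_via = row["groups"] & ADMIN_GROUPS
        if admin_via:
            issues.append("admin rights via " + ", ".join(sorted(admin_via)))
        age_days = (today - row["password_last_set"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password unchanged for {age_days} days")
        findings[row["account"]] = issues
    return findings


def password_meets_policy(password, min_length=15):
    """Long, and drawn from all four character classes (the post's bar)."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length=20):
    """Random password from the OS CSPRNG; resample until it meets policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    report = review_vendor_accounts(parse_export(SAMPLE_EXPORT), date(2014, 2, 3))
    for account, issues in report.items():
        print(account, "->", "; ".join(issues) if issues else "no findings")
    print("replacement credential:", generate_password())
```

On the sample data, acme-support and phone-vendor both come back with admin rights and a password older than the threshold, while lob-app-svc has no findings; those two accounts are the ones to take the six questions above to first, and the generated string is the kind of credential you should expect the vendor to be using in the first place.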
You can have the strongest internal security policies in the world at your organization, but if you don’t also put thought into what happens with the system access from vendors OUTSIDE your organization, it will all be worthless.