The Target Breach: A Study in Vendor Risk Gaps
Verizon Report to Target Reinforces Need for Instant Risk Visibility
Target has become a case study in the long-term effects of security risk via a third party. A class action suit brought by banks, credit unions, and financial firms was recently approved by a Federal judge, so the legal costs are still being added up. The total financial tally is likely years away from final conclusion.
Truth be told: This breach will not put Target out of business, but it does come with a price to the major retailer. Estimates have gone as high as $2.6 billion which sounds outrageous at face value, but until everything settles, the guessing game on costs from this breach will continue.
Security journalist Brian Krebs recently wrote about a Target commissioned report from Verizon that investigated Target’s security during the breach, and offered recommendations for the future. The last several lines of the report, according to Krebs, said the following:
“Verizon recommends performing routine vulnerability assessments of both internal and external systems, applications, and infrastructure,” the report concludes. “Routine assessments will help to identify vulnerabilities, missing patches, and configuration issues, thereby reducing the amount of time weaknesses exist in the environment.”
Security risk is dynamic by nature, so a single point-in-time approach of routine assessments is ripe for missing key information. A single point in time limits your knowledge as attacks do not operate on an assessment schedule. A lack of instant and continuous visibility is a major gaping hole in most of today’s security and risk information gathering processes. There is a palpable volume of more subtle, under-the-surface security risk that is being missed by today’s status quo practices of assessments and questionnaires.
The inability to have up-to-date security data in suitable risk context at the right time is hurting brands, damaging shareholder value, and adding damage control work across legal, investor, and corporate communications’ teams (and causing additional IT security and vendor risk management pain).
Occasionally, people lose their jobs over third party breaches.
T-Mobile and Experian: The Latest Brand Names With Vendor Risk Issues
Breaches that originate from a smaller third party and/or attacks by hackers that occur via a strategic business partner fulfilling a key outsourced function are becoming more and more commonplace. Yesterday, T-Mobile announced that 15 million of its customers could be affected by a data records hack of an Experian database that did credit checks on new customers for the mobile carrier. Social security numbers and a host of other PII was part of the theft (no credit card information was taken, according to the companies).
As one of the main three credit bureaus in the U.S., Experian is used to being a target by the underground given its large data holdings. Like the Target breach, T-Mobile is the victim of its partner being targeted and will have credit monitoring and other identity-theft related costs for its customers. It remains to be seen if legal action against Experian will move forward, but no one will be surprised if it does.
The Problem With Threat Intelligence Feeds
So what can those responsible for vendor risk do about third party security issues? They need tools that capture the right information and can be shared in an easy-to-use format. There are many options in the market for commodity threat intelligence feeds, but they come with a heap of integration work (and are not necessarily specific to third-party partners).
ESG analyst, Jon Oltsik, recently blogged about the challenges of traditional threat intelligence feeds when discussing new research on operationalizing security data. Oltsik wrote of a few key findings:
“19% say that their organization’s ability to automate threat intelligence collection from external sources is either fair or poor… [S]ecurity analysts are still collecting threat intelligence via e-mail, spreadsheets, and cutting/pasting information from web-based sources…
“19% say that their organization’s ability to act upon threat intelligence in a timely manner is either fair or poor. Threat intelligence may add some value but it doesn’t seem to be helping them accelerate their security investigations.”
Two central issues are being pointed out here by Oltsik: Manual processes are impeding the scale of the problem; And, threat intelligence feeds alone do not speed up remediation or increase reaction time.
Forensic investigation of security risk (like that of Verizon for Target) will inevitably recommend that organizations become more proactive about security and find ways to reduce the impact of vulnerabilities.
Becoming proactive requires the right tools monitoring the things that actually hurt companies, such as: password exposure of corporate credentials, mentions of your organization on hacker forums, and the frequency of patching, among the volume of malware and other standard categories that make up a security posture.
Tip for SecurityScorecard Customers: Type in a website address into the platform to retrieve detailed security-risk information instantly, without intruding on a vendor’s system.
CISOs Now Have a Seat at the Executive Table
Executives and directors on boards are having to expand their security knowledge and widen their view of security risk as being an isolated IT problem buried on a technology team. CISOs are having more direct communications with executives and boards now, but it remains to be seen if boards are understanding that most threat intelligence products require complex integration.
Many of these threat feeds are missing the kind of immediate business and risk visibility and context needed to help improve security decisions and help justify where security and risk management investments need to be made.
Managing vendor risk can be as simple as an instant security audit. Since SecurityScorecard is continuous, and features built-in alerting, actionable risk intelligence flows directly to you as it changes. Our benchmarking platform is self-service, so the most useful risk information is always available, on demand.
If you want to share the information, you can with our collaborative workflow that allows you to invite vendors to view and resolve issues seen on the Scorecard. Speed up the time to remediate risk at unprecedented scale. Know the security-risk posture of any company— instantly.