Dodging Data Breaches At Your Third-Party Provider

Published: 22/11/2024   Category: security




What went wrong in recent database breaches at Honda, Gawker, McDonald's, and Walgreens, and how enterprises can avoid similar compromises



Companies should take to heart the rash of data breaches that exposed the sensitive information of Honda, Gawker, McDonald's, and Walgreens customers to cybercriminals, security experts say.
A series of major compromises has exposed millions of consumers' sensitive information in the past month. In early December, McDonald's revealed that the compromise of its third-party email marketing provider exposed 1.3 million consumers' data records. The breach involved limited customer information such as name, address, phone number, birth date, and gender, the company said in a statement. The compromise of third-party marketing services firm SilverPop is also thought to be responsible for exposing 4.9 million accounts at Honda and its Acura subsidiary, as well as for the theft of e-mail addresses from Walgreens.
"As a user of outsourced services, which is becoming more and more prevalent with cloud computing, everyone is nervous about the security," says Avivah Litan, vice president of analyst firm Gartner. "These breaches just give them a good reason to worry more."
While the compromises fall short of the massive breaches at retailer TJX in 2007 and Heartland Payment Systems in 2008, they underscore the dangers of using third-party providers whose security cannot be validated or verified. Companies that consider doing business with an online service provider need to check the company's security, Litan says.
"A lot of companies are nervous about moving authentication to the cloud unless they are really, really comfortable with the provider and their security," she says. "Unfortunately, there is no academic standard out there whether a provider is secure or not, so companies have to do their own due diligence."
While the Payment Card Industry's Data Security Standard (PCI-DSS) is required for companies that handle credit-card information and financial data, there is no comparable standard for protecting personally identifiable information (PII). Even companies that apply the PCI standards to PII are not necessarily practicing good security, but in many cases are merely checking boxes, says Josh Corman, research director for The 451 Group, an analyst firm.
"We have one and only one defense playbook -- not even a playbook, we only have one play," he says. "What we know is that companies are still getting compromised, and we don't know whether something else might be better or worse."
Nearly eight in 10 companies suffering compromises were subject to PCI-DSS but were not compliant at the time of the breach, according to Verizon Business's Data Breach Investigations Report 2010.
Companies holding customer data should use a Web application firewall, develop software using secure practices, and focus on whitelisting technologies for key servers, 451's Corman says. The Verizon report found that 97 percent of compromised records involved an attack by custom malware, and 94 percent of compromised records also involved a Web application flaw, such as SQL injection.
Finally, companies handling credit card data and PII can benefit by limiting the number of servers and employees who can touch the data. By storing key information on its own servers, rather than giving it to a third party, a company retains control of that data's protection.
"That is the problem with the whole Web 2.0 model -- the whole cloud model -- your span of control is reduced," Corman says. "Sometimes the best you can do is redraw the lines of control."
The Gawker breach is a good example. While 1.3 million accounts were compromised by the attackers, customers who used Facebook Connect, a federated identity system for Facebook users, did not have to worry, because their credentials were not stored on Gawker's systems. Federated identities, tokenization, and other technologies for centralizing the management of sensitive data could minimize the uncontrolled spread of PII that leads to breaches.
In the end, a company might not be operationally responsible for the security of its customer data, but legally and ethically it must exercise control, says Corman.
"It is not your fault, but it is still your problem," he says.
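The two recommendations above, limiting which systems can touch PII and using tokenization so that a provider never holds the sensitive fields, can be made concrete with a small in-house token vault. The following is an added Python example written for this page, not code from the article or from any of the vendors it names; the vault class, the export and breach-check functions, the list of PII field names and the sample customers are all assumptions for illustration. The marketing provider receives only a random token and a campaign segment per customer; the token-to-address map stays in-house, so a breach of the provider's copy yields no names or e-mail addresses, and only the in-house dispatch step resolves tokens back to addresses.

```python
"""Token vault: keep PII in-house and hand a third-party provider only
opaque tokens, so a breach on the provider's side leaks nothing usable.
Added illustration for this article; the vault, the export format and
the breach check are hypothetical, not any vendor's product."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set


class TokenVault:
    """The only component able to map a token back to PII.

    Tokens are random, not derived from the data, so a stolen token cannot
    be reversed or brute-forced offline. A keyed HMAC fingerprint lets the
    vault reuse one token per e-mail address without keeping a reversible
    index. Storage is in-memory for the demo; a real vault would persist
    these maps in a store that few servers and few people can reach.
    """

    def __init__(self, fingerprint_key: bytes) -> None:
        self._key = fingerprint_key
        self._by_token: Dict[str, dict] = {}
        self._by_fingerprint: Dict[str, str] = {}

    def _fingerprint(self, email: str) -> str:
        normalized = email.strip().lower().encode()
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()

    def tokenize(self, record: dict) -> str:
        """Store a customer record and return an opaque token for it."""
        fp = self._fingerprint(record["email"])
        token = self._by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_fingerprint[fp] = token
            self._by_token[token] = dict(record)
        return token

    def detokenize(self, token: str) -> dict:
        """Resolve a token to its PII; only ever called inside the company's perimeter."""
        return self._by_token[token]


# Assumed set of fields that must never leave the company (the article lists
# name, address, phone number and birth date as the data exposed at McDonald's).
PII_FIELDS: Set[str] = {"email", "name", "address", "phone", "birth_date", "gender"}


def export_for_provider(vault: TokenVault, customers: List[dict]) -> List[dict]:
    """Build the dataset the marketing provider receives: a token plus the
    campaign attributes it needs, and nothing from PII_FIELDS."""
    export = []
    for customer in customers:
        token = vault.tokenize(customer)
        safe = {k: v for k, v in customer.items() if k not in PII_FIELDS}
        safe["token"] = token
        export.append(safe)
    return export


def leaked_pii_fields(records: List[dict]) -> Set[str]:
    """What a breach of the provider's copy would expose: the PII field names
    present in the records. An empty set means only tokens and segments leaked."""
    return {k for r in records for k in r if k in PII_FIELDS}


def resolve_send_list(vault: TokenVault, tokens: List[str]) -> List[str]:
    """Dispatch step run in-house: the provider returns which tokens to mail,
    and the join back to an address happens only here."""
    return [vault.detokenize(t)["email"] for t in tokens]


# Constructed sample customers for the demo (not real data).
CUSTOMERS = [
    {"email": "ann@example.com", "name": "Ann Lee", "phone": "555-0100",
     "birth_date": "1980-02-03", "segment": "weekly"},
    {"email": "bob@example.com", "name": "Bob Ray", "phone": "555-0101",
     "birth_date": "1975-07-19", "segment": "monthly"},
]


def demo() -> dict:
    """Run the whole flow: export to the provider, check what a breach of
    that export would leak, then resolve a send list in-house."""
    vault = TokenVault(secrets.token_bytes(32))
    export = export_for_provider(vault, CUSTOMERS)
    weekly = [r["token"] for r in export if r["segment"] == "weekly"]
    return {
        "exported": export,
        "leaked_pii": leaked_pii_fields(export),
        "weekly_addresses": resolve_send_list(vault, weekly),
        "token_stable": vault.tokenize(CUSTOMERS[0]) == export[0]["token"],
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is where the join happens: the provider can segment, schedule and report on tokens, but the address is only attached at the in-house dispatch step, so the provider's database is worthless to an attacker on its own. If the provider must deliver the mail itself, the same vault still narrows what is shared to the one field needed for that purpose rather than the full record.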