There are two diametrically opposed views on working with third-party companies that may have access to sensitive employee and/or customer data. Some companies shy away from outsourcing services that would expose such data to outside parties because they worry about security breaches. Other companies do not hesitate to do so, because they believe external providers’ security practices are stronger than those of internal teams.
The truth probably lies somewhere in the middle. A recent report from Trustwave indicates that concerns about the security of outsourced IT may be warranted. Trustwave found that some aspect of IT support had been outsourced in 63 percent of the data breaches it investigated in 2012.
“As a general rule, data custodians have a greater interest in protecting their data than a third party. We also see the length of time from compromise to identification, and ultimately to remediation, is greater in these [outsourced] situations as well,” said Christopher Pogue, Trustwave’s director of Digital Forensics and Incident Response.
Some of the most common security deficiencies observed by Trustwave include open remote access applications, weak and/or default passwords, improper input validation, and the lack of a properly configured firewall. These weaknesses occur with internal as well as external IT support organizations, Pogue said. However, internal IT administrators “do a better job managing the externally facing vulnerabilities.”
The key to avoiding security issues with third-party providers is performing due diligence, Pogue said. When selecting a third-party vendor, he recommends taking a thorough look at the vendor’s history with previous clients as it relates to errors, mistakes and breaches.
“I would assume that any vendor worth looking at is going to have some sort of similar skill set in terms of administration, service level agreements and project deliverables,” he said. “In my opinion, that is not what would make an organization unique. What is their knowledge of cyber-crime? What do they know about APT (advanced persistent threat)? What is their incident response plan?”
It’s also important to document providers’ security capabilities and policies in writing, Pogue said. “At the time of a breach is the absolute last time you want to be talking to your vendor about his incident response plan.”
Still, the Trustwave report doesn’t exactly serve as a vote of confidence for internal IT teams. The study found the average time from an initial data breach to detection of the breach was 210 days, 35 days longer than in 2011. The majority of companies, 64 percent, took more than 90 days to detect intrusions. A troubling 5 percent of respondents took three or more years to identify the activity.
For both internal and external IT teams, the growing sophistication of attacks is a big problem. For instance, the study found the use of memory scraping is increasing, with 20 percent of new case samples involving memory scraping, a problem the SANS Institute has said is especially insidious.