Security's Everyman

Monday, December 15, 2008

3rd Party Security

Rebecca Herold has a post up regarding the importance of ensuring 3rd party security. It is one example of how sloppy (and sometimes even fairly good) security at a partner, client or vendor can cause you all sorts of headaches. There are plenty of other reasons to do security audits of those you give network access to. I know that lots of companies talk about doing this, but I wonder how many really do. I run across lots of people who work for companies that have policies in place stating that they must do security audits before giving you access to the network. Yet many of these same people tell me that they actually DON'T do these required audits. I also run across vendors and others who tell me that they have been given access to company networks with no audit requirement at all. Occasionally they have to sign a "3rd Party Access Agreement" or some other such document.

What concerns me is that these companies are putting themselves in a bad place. They think that they are covered because a policy is in place or because they asked you to sign an NDA. Neither will hold water if you have a problem caused by the 3rd party and you can't prove that you did your due diligence. If you have a requirement to do a 3rd party security audit, then you had better do it. If you say that you require your 3rd parties to do X, then you need to be able to show that you verified X is being done. We can't keep throwing out requirements without doing our part to make sure they are actually being enforced.

There are lots of things that can go wrong when giving anyone access to your network, even your own users. It is hard enough to keep your own users audited, to ensure their protections are in place, and to do all you can to protect your data and network from them. Throw in a bunch of machines that you neither control nor set requirements for and it gets worse. That is why you need to be extra diligent in protecting your data from them.

The list of things that can go wrong is as long as my arm. They can bring in a system infected with a virus that spreads to your systems. Hopefully your AV is installed and up to date on all of your systems, but that isn't always the case; some companies skip AV on certain systems because of performance and compatibility issues. Once infected, a system may try to spread the virus to other systems constantly, or become part of a botnet that can do all sorts of nefarious things. It may be loaded with a rootkit or backdoor that gives a bad guy control of that system, and from there he can work his way through your network. There is also the possibility that a bad guy breaks into their network and uses one of their systems to reach yours. They could take data out of your network and lose it, give it away, sell it or use it for their own purposes. They could alter data, or plant keyloggers, sniffers, rogue access points, etc. The list goes on and on.

So I repeat my premise: when dealing with 3rd parties we don't just need to be as strict as we are with our own users, we need to be even stricter. We have to do more than cover ourselves with a policy or an NDA. We have to verify that they are doing what we require and what they say they are doing. If not, you may find yourself on the receiving end of a legal or regulatory nightmare.
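One way to turn "we require an audit before granting access" and "verify that they are doing what we require" into something you can actually prove, as an added example that is not code from the original post. It assumes two hypothetical exports: the list of currently active 3rd party accounts on your network (with whether the access agreement was signed) and the audit register the policy says must exist. The vendor names, record layouts and the 365-day audit validity period are all made up for the example.

```python
# Added example, not code from the original post: turn "we require an audit
# before granting 3rd party access" into a check you can actually run.
# Everything below is hypothetical: the vendor names, the two record
# formats (an export of active 3rd party accounts and the audit register
# the policy says must exist) and the 365-day audit validity period.
from datetime import date, timedelta

TODAY = date(2008, 12, 15)             # the post's date, used as "now"
AUDIT_VALID_FOR = timedelta(days=365)  # assumed policy: re-audit yearly

# Constructed sample data (not real vendors, accounts or audits).
ACTIVE_THIRD_PARTY_ACCESS = [
    {"party": "acme-hvac",        "account": "acme-vpn",    "granted": "2008-03-01", "agreement_signed": True},
    {"party": "globex-billing",   "account": "globex-sftp", "granted": "2007-11-15", "agreement_signed": True},
    {"party": "initech-support",  "account": "initech-rdp", "granted": "2008-10-02", "agreement_signed": False},
    {"party": "hooli-consulting", "account": "hooli-vpn",   "granted": "2008-06-20", "agreement_signed": True},
]
AUDIT_REGISTER = [
    {"party": "acme-hvac",        "completed": "2008-02-20", "result": "pass"},
    {"party": "globex-billing",   "completed": "2007-10-30", "result": "pass"},
    {"party": "hooli-consulting", "completed": "2008-06-25", "result": "fail"},
]


def latest_audit(party, register):
    """Most recently completed audit for a party, or None if there is none."""
    audits = [a for a in register if a["party"] == party]
    if not audits:
        return None
    return max(audits, key=lambda a: date.fromisoformat(a["completed"]))


def check_enforcement(access, register, today=TODAY, audit_valid_for=AUDIT_VALID_FOR):
    """Return (account, reason) pairs where the policy is not demonstrably met.

    A signed agreement is required but never sufficient on its own: every
    active account must also trace back to a passed, current audit that was
    completed before access was granted.
    """
    findings = []
    for entry in access:
        account = entry["account"]
        granted = date.fromisoformat(entry["granted"])
        if not entry["agreement_signed"]:
            findings.append((account, "no signed 3rd party access agreement"))
        audit = latest_audit(entry["party"], register)
        if audit is None:
            findings.append((account, "no audit on record"))
            continue
        completed = date.fromisoformat(audit["completed"])
        if completed > granted:
            findings.append((account, f"access granted {granted} before audit completed {completed}"))
        if audit["result"] != "pass":
            findings.append((account, f"latest audit result is '{audit['result']}'"))
        if today - completed > audit_valid_for:
            findings.append((account, f"audit from {completed} is older than {audit_valid_for.days} days"))
    return findings


def run_check():
    """Run the check over the constructed sample data."""
    return check_enforcement(ACTIVE_THIRD_PARTY_ACCESS, AUDIT_REGISTER)


if __name__ == "__main__":
    for account, reason in run_check():
        print(f"{account}: {reason}")
```

The point of the design is the one the post makes: a signed agreement or a policy on file never clears an account by itself. Each active account has to trace back to an audit that exists, passed, was completed before the access was granted, and is still current. Run it against the real exports on a schedule and the output is your evidence of due diligence; an empty result is what "we verified X" should look like.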

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.