Where are you most at risk?
Trusted Business Partner
Are you vulnerable to an insider attack from a trusted business partner?
Trusted Business Partners (TBPs) have been routinely reported as being popular threat vectors for malicious actors to conduct attacks. Often companies are lax in ensuring TBPs have appropriate security measures in place, and fewer still conduct periodic reviews.
How can you protect yourself from TBP attack vectors?
Closely manage your TBP relationships with:
- Background screenings and periodic re-screening
- Onboarding/Off boarding
- Reporting and documentation of policy violations
- Clearly documented intellectual property ownership rights
- Strict activities monitoring
- Recurring scope reviews
RELATED BLOG POSTS
The employee, a contractor, was a system administrator at a data-mining company that was a trusted business partner (TBP) of the victim organization. The victim organization processed consumer data, including customer information for credit-card issuers, banks, automotive manufacturers, retailers, etc.
As a TBP organization, the insider’s employer had access to the victim organization’s FTP server. A lack of proper oversight and access management resulted in the insider having unnecessary privileged access to this server. On the server, the insider discovered an unprotected file containing encrypted passwords. The employee used a password cracking program to brute force the passwords and access data belonging to 200 large companies, approximately 10% of the victim organization’s customer database. He cracked 300 passwords, including a master key that the he then used to download the personal data for millions of the victim organization’s customers.
Over a 6-month period, the employee used remote access, outside of working hours, to download the information and burn it to discs. In an IRC chat room, he disclosed to a local hacker that he had accessed a great deal of sensitive information. When the hacker’s home was raided, authorities discovered a log of the conversation. The insider was arrested after dozens of discs containing the personal data for the victim organization’s customers were found at his residence.
The employee apparently liked to collect data and did not use the stolen data for commercial or criminal purposes. He had a criminal history of illegally accessing computers. The employee was arrested, convicted, ordered to pay $2.7 million restitution, and sentenced to 45 months’ imprisonment followed by 3 years of supervised release, including a 500-hour substance-abuse program and a mental health assessment and treatment. He was prohibited from accessing the internet without his probation officer’s permission. The incident cost the victim organization $5.8 million, including the value of the stolen information, employee time, travel expenses, and costs incurred from security audits and new encryption software.
What could have been done to reduce the risks posed by this TBP employee?
- Ensure TBPs conduct background checks on all applicants and have a policy in place to address any issues that could arise.
- Ensure your TBP has an “Acceptable Usage Policy” in place, which provides employees specific guidelines on usage of company computers and phones.
- Ensure your TBPs have equivocal security measures in place so as not to become the attack vector of least resistance.
- Ensure your organization has a policy to safeguard personally identifiable information from inadvertent and intentional disclosure.