Are you fully across your supply chain and third-party risks? Are you aware of all the people outside your organisation who could have access to your systems or data? Many issues and threats can arise when you lose track of who is accessing your systems. We place an inherent trust in our suppliers, yet there is often little assurance that they are doing the right thing; even where there is an assessment at the beginning of the relationship, it is rarely reviewed.

War story of supply chain and third-party risks

In this story, I will tell you about the time I was consulting for a company that had contracted a car maintenance/installer company to fit equipment such as CB radios and GPS trackers to branded company cars. Because the installer contractor needed to enter asset IDs, serial numbers, IMEI cards etc., they were given access to the Company Asset system. To provide that access, the Company gave the installer contractor a login to the Citrix desktop. This was a trusted relationship held by the Company’s fleet manager, a dominating character in the Company who “personally vouched” for the installer contractor, and access was granted to a single named employee at the installer contractor.

After a few months, the car installer’s named employee left, but the user account continued to be shared by new employees at the car installer. The Company had given a SecurID dongle to the car installer, but it was kept next to the computer, together with the username and password of the departed user, and shared by everyone at the installer. No one at the Company was auditing or checking the security of the remote access environment.


The Company then moved to a single Citrix desktop with all the Company applications pre-installed, so the car installer had access to everything, on the basis of a trusted security zone concept. The IT team did this to simplify their environment: they simply moved everyone to a new desktop image centrally.

The Company also moved the Asset system into the full enterprise SAP system, where the car installer again had access to everything, because it was ‘too hard’ to break down the areas they actually needed (multiple asset areas).

The Company’s Fleet Manager was regularly asked to audit permissions and access levels, and he blindly signed off that all access was still valid, because he did not want to impact the external service provider. He was aware of the departure of the original employee and generally knew that the user account was being shared. As he was a very strong character, the IT team did not push back or question the validity of the external access. When IT made changes (such as the move to SAP), the Fleet Manager was given the new details and access to training materials, which he simply forwarded on to the installer contractor.

The car installer contractor then decided to outsource the installation of one component (GPS trackers changing from 3G to satellite communications), as this had become a specialised task. A contracted employee at the new sub-contractor had full access to all systems, and they started to exfiltrate data from the Company shared drives and exports from SAP and the other systems to which they had blanket access. It was only discovered because Internet traffic was being slowed for the whole company by the volume of data the Citrix desktop was uploading to an FTP site, 24×7.


Lessons from failures

It is always good to learn from mistakes, and this situation had a mass of them. The impact that human personalities can have on security is often not highlighted. As leaders, we often assume compliance and agreement, when the biggest issue is actually apathy or delayed completion.

Activities that streamline systems and improve efficiency can also increase the chance of introducing risks and widen the attack surface. Assuming that access is needed, or that people will do the right thing, can be detrimental.

What to do

Your vendors provide you with services. You need to validate not only that they are complying with their contractual obligations to provide those services, but also that they are not doing ‘other’ activities with the access you have given them. Whilst you may not be able to do an on-premises audit of a large supplier, with a small vendor a strong partnership relationship makes it reasonable to ask to see their premises and their IT arrangements.
