Wednesday, January 26, 2011

Can Service Provider Take You Down - Part 2: another first-hand experience

Just received my Visa billing and I saw a line item for $1100 from a well-known Fortune 100 software company. I had bought from them before, but I just cannot remember what it was for. So naturally, I called up the number on the line item right next to the company name and amount: xyzcompany 617-xxx-xxxx $1100.

The person answering was pleasant; she asked for my name and credit card information, which I provided.

Then she said, "Oh, I cannot access your account information and I have to transfer you." It was obvious she had no access to any account information, let alone mine. I said, "OK, but now that you have my credit card information, what are you going to do with it?" Silence - no reply. I then asked for her name and the name of the company she was employed by, knowing full well it could be an outsourced answering service. She reluctantly did give me her name, but she didn't provide the company.

My point in this whole encounter is that over the phone, we are used to the idea that these calls can be taken by third-party contractors. Phone calls can be transferred all over the world. And I have no idea who these third-party companies are and whether they are PCI certified!

At this time, I still don't know if my credit card information is stored in a computer or on a piece of paper lying in the wastebasket waiting for malicious harvesting.

Contractors whose work involves handling credit card information must be able to articulate security compliance policies just as if they were working within one's own company. These security procedures must be ingrained in these operators' minds regardless of whether they are internal employees or third-party contractors. They must be able to show their understanding of the policies to me - the customer.

I, as a customer, need to be assured that my credit card information is handled with care!

Sunday, January 9, 2011

How secure are your service providers?

To follow up on the previous post on how service providers can get a company into trouble, I just read Richard Bejtlich's blog article regarding plausible links between information leaks at suppliers' information systems and the development of the new J-20 stealth fighter from China. While I am not saying that this is what happened, it certainly brings up a scenario that we should be aware of.

Let's take a look at how this might happen...

In working with our large and small business partners, information has to be passed back and forth. With an advanced persistent threat (APT) implanted in these partners' information systems, it is possible to gather a company's intellectual property without ever breaching the security of the original company.

Internal emails or documents can be copied from these partners and deposited into big data systems like Hadoop. Hadoop is an open source Apache project and can be obtained by a simple web download. Companies like Google and Yahoo provided the initial research so that they could run efficient web searches over hundreds of millions of web pages.

With these technologies in hand, an attacker can gather relevant and non-relevant messages from a multitude of sources, large and small, into big data systems and sift for the information they are interested in.

So taking the attacker's viewpoint, it does not matter whether the stolen information comes from large or small partners. It is usually easier to attack smaller companies because they are not as dedicated to the protection of their information. Getting the information from tens of sources rather than from only one gives the same ultimate result. Because an email has a sender and one or more receivers, when any party gets compromised, that email is compromised.
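To make the last point concrete, here is an added Python example (not from the original post) that models it from the defender's side: given a set of mail headers, it reports which messages become exposed when a given partner domain is compromised, and how many messages each external partner touches, so that small suppliers with large exposure can be prioritized for security review. The domain names and message headers are constructed for the example and are not real.

```python
from collections import Counter
from email import message_from_string
from email.policy import default as DEFAULT_POLICY

# Constructed sample data: our own domain and a few header-only messages.
# A message is "exposed" as soon as ANY party (sender or recipient) sits in
# a compromised organization, regardless of how large that organization is.
INTERNAL_DOMAIN = "acme.example"

SAMPLE_MESSAGES = [
    "Message-ID: <m1@acme.example>\nFrom: eng@acme.example\n"
    "To: drafting@bigpartner.example\nSubject: wing spar drawings\n\n(body)\n",
    "Message-ID: <m2@acme.example>\nFrom: eng@acme.example\nTo: pm@acme.example\n"
    "Cc: tooling@smallshop.example\nSubject: fixture tolerances\n\n(body)\n",
    "Message-ID: <m3@acme.example>\nFrom: legal@acme.example\n"
    "To: hr@acme.example\nSubject: internal only\n\n(body)\n",
    "Message-ID: <m4@bigpartner.example>\nFrom: drafting@bigpartner.example\n"
    "To: eng@acme.example\nCc: tooling@smallshop.example\n"
    "Subject: Re: wing spar drawings\n\n(body)\n",
]


def parties(raw):
    """Return the set of lower-cased addresses in From, To and Cc."""
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    addrs = set()
    for hdr in ("From", "To", "Cc"):
        for header in msg.get_all(hdr, []):
            addrs.update(a.addr_spec.lower() for a in header.addresses)
    return addrs


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def exposed_messages(messages, compromised_domains):
    """Message-IDs of messages with at least one party in a compromised domain."""
    compromised = {d.lower() for d in compromised_domains}
    exposed = []
    for raw in messages:
        if any(domain_of(a) in compromised for a in parties(raw)):
            msg = message_from_string(raw, policy=DEFAULT_POLICY)
            exposed.append(str(msg["Message-ID"]))
    return exposed


def exposure_by_partner(messages, internal_domain=INTERNAL_DOMAIN):
    """How many messages each external domain could reveal if compromised."""
    counts = Counter()
    for raw in messages:
        external = {domain_of(a) for a in parties(raw)} - {internal_domain}
        counts.update(external)
    return counts


if __name__ == "__main__":
    for partner, n in exposure_by_partner(SAMPLE_MESSAGES).most_common():
        print(f"{partner}: {n} message(s) exposed if compromised")
    print("compromise of smallshop.example exposes:",
          exposed_messages(SAMPLE_MESSAGES, ["smallshop.example"]))
```

In the constructed data the small tooling shop, which the text argues is the easier target, sees exactly as many messages as the large partner; the analysis is what lets you argue for contractual and technical controls on the small supplier rather than only the big one.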

What can we do?

The credit card industry imposed PCI-DSS security compliance on any company dealing with credit card transactions. The medical industry imposed HIPAA security compliance on doctors and their service providers. It is high time industries like engineering and manufacturing started issuing security guidelines to their tiered suppliers and made sure they are understood and adhered to.

Thursday, December 23, 2010

Can a service provider take you down?

And I don't mean just your ISP but all the providers of services to you.


Just a couple of weeks ago, Walgreens and McDonald's both revealed that data breaches at partner marketing firms had exposed customer information. I got one of those letters from the mailman myself last Friday.

All signs point to "spear phishing" attacks against email marketing firms that have been going on for a few months. This brings up a new situation that CSOs would be unlikely to have foreseen.


Third-party email marketing firms are usually chosen and contracted by the Marketing Department. I doubt IT and Security Officers would be involved in the selection process. But when a data breach such as this occurs, the CSO is now charged with the clean-up.


The medical industry has a process whereby service providers have to undergo security and compliance training. While there is no certification process for these third-party providers, they do need to conform to certain standards.


Can a corporation hold its suppliers to these security standards? Does your agreement hold any clauses regarding information leakage? This needs to go beyond just NDAs. You should take this into account at your next security procedure review.

Thursday, December 9, 2010

Wake up call from Wikileaks

The damage that Wikileaks caused is far more than just the leakage of classified information that governments all over the world do not want us to know. It also contains embarrassing information and behind-the-scenes dealings that would have been best kept under wraps.


Stopping Wikileaks is even worse. It mobilized the underestimated group of social activists who are looking for a cause to raise havoc with establishments. Who would have thought that these people would be willing to self-inflict with malware so that denial of service attacks could be launched from their own computers? That really is no different from a suicide bomber willing to destroy their own life or equipment to cause damage to others. The only difference is that equipment is cheap and can be replaced, while human life is not.


At this time, it is still too early to find out who these attackers are. Are they truly acting "for the cause" or are they just causing trouble for trouble's sake? I guess there are both.

As a private sector organization, should we be concerned with this?


I believe so. There are always others who do not agree with us. Whether they are willing to take these drastic actions is a matter of the level of animosity against us. But Wikileaks sympathizers have shown how easy it is to launch cyber attacks against a target. And there are plenty of willing participants with their own sense of self-righteousness.


Large organizations like Visa and Mastercard have adequate resources to partially stop these attacks, but how would a smaller organization respond if this happened to it?


Wikileaks has shown us two things: external cyber attacks live on at a fast and furious pace, but the long-overlooked internal data leakage prevention is what caused this outbreak in the first place.


It is time we look within our organization and revisit the importance of tightening information access. Every employee within the organization should also be aware of how damaging certain information can be. 


I'll follow up in my next blog with an actual incident that happened to a small organization that I know and the damage it caused.