In early 2014, Citroen found itself stuck in the middle of an IT security incident. Hackers had taken advantage of a vulnerability found in Adobe ColdFusion — the third-party web-development platform on which the French auto manufacturer relied. And though the company's own servers were never breached, Citroen was forced to conduct damage control, informing the public that things were under control and offering precautions that could keep customers' sensitive information safe. This attack is just one of the many incidents confirming that true InfoSec policies can't just stop at the company's walls — they have to include third-party products as well.
With more businesses turning to third-party software to meet their unique IT needs, solving the problem of ensuring application security has become increasingly critical. Fortunately, the IT security industry is adapting, developing methods for keeping third-party software just as secure as the rest of a company and its assets. Here's a closer look at the Citroen problem and what you can do to keep your company out of the negative spotlight.
Citroen's problem began with a vulnerability in Adobe ColdFusion, which allowed hackers to install a backdoor into a web system. According to The Guardian, the backdoor allowed the hackers to bypass the authentication process and gave them rights to just about everything on the web server.
As part of a larger effort that attacked this particular vulnerability on numerous web servers, hackers installed the backdoor on a Citroen-branded German fan site where customers could buy gifts. Logs suggest that the backdoor was active starting in August 2013 and remained working until it was discovered several months later. Citroen advised site customers to keep an eye on their bank balances, suggesting that some financial information was stolen. The website also stored information on customer addresses.
Citroen had to go through some serious damage control as news of the breach made headlines, despite the fact that the company's own servers remained unaffected. The company had outsourced web development for its central German website, along with the affected fan site — regardless, it was Citroen that had its name plastered all over the news, and Citroen that had to contact customers about the possible theft of their information. The company learned the hard way that if anything within a brand is compromised, the general public and all customers will lay blame at its feet — no matter who is at fault.
Due to the breadth and scope of most modern enterprise IT departments, avoiding third-party software is practically impossible. And though enterprises do have to leverage the opportunities provided by third-party providers in order to be successful, they can't just assume that these vendors are as concerned about security as they are. An assessment of a vendor's premises and development practices can certainly be helpful, but it does not translate directly into the security of the product itself. So, what can you do to ensure your firm is getting the best, most secure solution possible?
Robust third-party security begins with defining a vendor's responsibilities. Vendor contracts must include a solid compliance policy and acceptance criteria that are built around the enterprise's existing security policies and standards. They should require the vendor to agree to a software security assessment conducted either by the enterprise itself or a trusted security specialist. And because nothing is perfect, they should define rules for remediation in case security vulnerabilities are ever found.
Once contracts are in place, enterprises have to make sure that their CISOs have the resources necessary to verify the security of third-party software. There must be a way to analyze the software product itself, not just the vendor's paperwork. Enterprises will want to consider scalable, cloud-based solutions that can expand to cover an increasing number of vendor-supplied applications and services.
A CISO can certainly attempt to build and run this capability alone, but should consider an existing offering from a security specialist. Vendor application security testing lets compliance begin quickly, so a company doesn't waste time building a new solution from scratch. It also ensures that scans remain up to date and test for both emerging and existing threats.
It's never been more critical for enterprise executives and CISOs to understand the growing importance of third-party security. The IT industry embraces outsourcing because it has to, but many businesses have been slow to understand that if their brands are on breached applications, their own reputations will suffer the blame. By enforcing security policies and standards for third parties, businesses can build comprehensive security solutions that will help them avoid those five dangerous minutes of infamy.