Page 9 - Cyber Warnings

This compromise resulted from data held on the third party's laptop. Whether the laptop was
stolen, lost, or hacked was not reported; whatever the method, the data was not secured.

Follow-Up
With most breaches and compromises, there tends to be a lesson to be learned and applied to
other circumstances and businesses. Although each incident is different, the same issues are
encountered and seen repeatedly.

Although these issues seem to reappear frequently, the lessons still apply to new
environments.

There are many actions that can be taken to harden a system, from the application down to the
hardware. These are applied based on the requirements and needs of the business and its users.

There is a balancing act between confidentiality, integrity, and accessibility (CIA). One
aspect that continues to plague businesses and is still not addressed is the risk from
third parties.

Granted, third parties are separate entities standing alone, with their own ownership. Certain
third parties and projects, however, require access to the client's network, systems, and
nodes.

If the third party does not have an adequate cyber/InfoSec program to ensure, as far as
possible, that its systems are free of malware, then each and every time the vendor's
representative connects to the client's system there is a distinct opportunity for malware to
cross onto the client's enterprise.

The client may attempt to push the liability for any breach or compromise onto the vendor;
however, this may not be easily accomplished.

There are ways to defend against this. One step is to require vendors and contractors to
complete a cyber/InfoSec questionnaire.

Although this is only a questionnaire, it provides insight into the vendor's practices that may
have been previously unknown. It also provides the opportunity to ask follow-up questions and
possibly to request their latest penetration test or vulnerability assessment.

With this data in hand, the client can better gauge the vendor's focus, or lack thereof, on
security, which may serve as guidance when working through the contracts.

9 Cyber Warnings E-Magazine – March 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide