Page 8 - Cyber Warnings
P. 8
3rd Party and Vendors
Lack of Focus on InfoSec
by Charles Parker, II; InfoSec Architect
No business is an island. At times, they require outside services from vendors to complete their
mission. An organization, as a rule of thumb, is not able to have every employee available that
is a subject matter expert (SME) on everything that affects a business.
The networks and systems are simply too complex with too many parts moving in tandem to
have a labor force of experts. It is just not a viable endeavor. To secure third parties who have
their expertise in these areas tend to be much more cost effective.
Although this is a positive aspect and assists the business in improving their income statement,
this also has the potential for a significant issue. When the vendors plug into the client’s
network, any malware or issues on their system have the opportunity to cross onto the clients
with the connection.
If the vendor’s laptop was connected to local coffee shop’s free and open Wi Fi, a thumb drive
that was used at the employee’s high school is plugged later into the laptop, or if this was
connected to the airport’s free and open Wi Fi, any malware encountered, including
ransomware, would be available for the client’s system.
In the Navy
The armed forces are no different than a business in that these both have the technical needs
and potential to not have the depth or breadth of staff to accomplish everything they need.
In this specific instance, the Navy contracted with Hewlett Packard Enterprises (HPE) for a
project or function. HPE had their contractors working with the Navy and their data.
Seemingly this would be an acceptable relationship. In this recent case, the contractual
relationship did not work as well. HEP notified the Navy on October 27, 2016 one of their
laptops had been compromised.
Affected
The Navy has a vast number of members all working across the planet at any particular time. In
this case, 134,386 current and former Navy personnel had their SSN and names compromised.
This data was part of the Career Waypoints (C-WAY) database, which is used by sailors for
career planning functions.
8 Cyber Warnings E-Magazine – March 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide