This article (5 risky suppliers to watch using cognitive computing) makes some good points. But, let’s be honest about Target. While it’s true that they were compromised through a vendor, the REAL problem was that they were incredibly lax in their security practices. You can vet your vendors all you like, but it won’t help if you are careless and sloppy with your security. In fact, this breach is a good example of this.
There was a significant chain of errors that led to the Target breach. Had any of these errors been avoided, this breach would almost certainly not have happened. And the combination of errors was so egregious that even without a problematic vendor, they were open to a similar hack.
The problems started with sloppy configuration. They linked their HVAC systems to the payment systems, which is a bad idea by itself. Then, they allowed people who logged into the HVAC system to actually have access to the payment system. This makes absolutely no sense. In fact, if the system had been properly set up, the default would have been that these people wouldn’t even see the payment system, even though there was a linkage.
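One way to audit for the default-deny segregation described above, as an added example that is not part of the original article: the zone names, role names and allow rules are constructed assumptions. It follows chained allow rules, so an indirect linkage to the payment zone is flagged just like a direct one.

```python
from collections import deque

# Constructed sample data (zone and role names are assumptions, not from the article).
# Each (src, dst) pair is an explicit allow rule; anything not listed is denied.
ALLOW_RULES = {
    ("vendor_portal", "hvac"),
    ("hvac", "facilities_mgmt"),
    ("facilities_mgmt", "payment"),  # the kind of linkage the article criticizes
    ("pos_admin", "payment"),
}
# Zone each role lands in after logging in.
ROLE_ENTRY_ZONE = {
    "hvac_contractor": "vendor_portal",
    "store_clerk": "corp_lan",
    "payment_engineer": "pos_admin",
}
# Roles with a business need to reach each sensitive zone.
AUTHORIZED = {"payment": {"payment_engineer"}}


def reachable_zones(start, allow_rules):
    """Return every zone reachable from `start` by chaining allow rules."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in allow_rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def audit(allow_rules, role_entry_zone, authorized):
    """List (role, zone) pairs where a role reaches a sensitive zone it has no need for."""
    findings = []
    for role, entry in sorted(role_entry_zone.items()):
        zones = reachable_zones(entry, allow_rules)
        for sensitive, allowed_roles in sorted(authorized.items()):
            if sensitive in zones and role not in allowed_roles:
                findings.append((role, sensitive))
    return findings


if __name__ == "__main__":
    for role, zone in audit(ALLOW_RULES, ROLE_ENTRY_ZONE, AUTHORIZED):
        print(f"VIOLATION: role {role!r} can reach zone {zone!r}")
```

Run against a real rule export, any finding means a role can see a system it was never meant to, which is the condition the paragraph above says should not exist by default.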
Then, they hobbled their tools. They had purchased and tested an intrusion detection system that had the capability to actually correct problems. They chose to turn these features off. It’s not a terribly uncommon decision, but it only makes sense to do that if you monitor your network very carefully.
Monitoring is the last part of the chain. Both the intrusion prevention system and the endpoint protection they were using logged errors. Security staff missed them. Second-level support in India did notice the errors, and actually sent alerts to headquarters, but those alerts were ignored.
The bottom line is that it wasn’t a careless vendor that was the real problem here. This hack could have happened with the credentials of any employee in the company.
Most organizations don’t have the capacity to eliminate every single avenue of attack. So you need to prioritize. And you need to prioritize the things that have the broadest applicability. So, while you should make sure that your vendors use good security practices, that’s not where your highest risk comes from, and it shouldn’t be where your emphasis is. Instead, focus on the things that cover the vast majority of hacks.
Most importantly, set your systems up properly. Segregate access by role, and make that the default setup. Secondly, know what alerts your system sends and pay attention to them. These two steps are the keys to preventing and minimizing the vast majority of hacks and intrusions. Focus there before you spend too much time and energy on checking the security of your vendors.