You can’t move much these days for news of PRISM whistle-blower Edward Snowden, the information security engineer who walked out of his job at US defence contractor Booz Allen Hamilton last month with “thousands” of top secret US government documents.
To some he is a hero who uncovered tyrannical abuse of power by the National Security Agency, while to others he is a treasonous rebel who has put his country’s national security at risk with his data leak. Whatever your politics, as data breaches go it doesn’t really get more damaging, so this should be a good opportunity to remember the security risks involved in dealing with third party contractors.
Organisations today are increasingly striving to be more agile and offer better value for money to shareholders or taxpayers, which means work is often outsourced to specialised service providers or contractors. The problem is that sensitive customer data or corporate IP needs to be shared with that third party, adding an extra element of risk and complexity to the CSO’s set-up.
Extending your own security policies and controls out to the contractor is vital, then, to minimise the risk of data leakage, whether it’s from a malicious insider, as in Snowden’s case, an accidental disclosure by a contractor or through an external breach of the contracted third party.
First and most importantly, there needs to be due diligence conducted on the contracting firm. The best organisations see IT as an enabler and ensure that IT security representatives as well as execs from the business and finance side are involved from the start to rigorously appraise prospective third party partners.
It goes without saying that any third party organisation with access to sensitive data should be vetted to ensure their information security defences all pass muster - things like firewalls, data loss prevention, identity and access controls, threat protection systems, patch management, security information and event management tools.
They should also set minimum system requirements so that no old, unpatched and vulnerable machines are in use. These basics can help firms jump through the relevant regulatory compliance hoops and minimise the risk of getting infected - hackers are increasingly hitting perceived ‘softer targets’ such as partners and contractors that have access to key corporate data.
Sadly, a lot of the time IT is not consulted until a contractor has already been brought in, and it is then seen as a blockage when security concerns are inevitably raised. Nonetheless, the most important steps to take to prevent an insider job à la Snowden are identity- and access-based controls.
Sit down and decide exactly what level of access each contractor needs according to their role, following the principle of “least privilege”, and manage that in a centralised, auditable manner. This should preferably all be worked out before an individual starts accessing the network, because contractors often fall through the cracks as many are employed only for relatively short periods of time.
Legal background checks on the individual are essential to assess the level of risk that they may flee Snowden-like with bucket loads of sensitive data. As contractors are often doing highly specialised work, it’s also key to make sure their manager is capable, from a technical point of view, of maintaining rigorous oversight, and that information systems are set up to regularly report on their activities. For long term contractors likely to move between managers several times during their stay, it would be wise to make sure they are re-evaluated by each new boss.
Data loss prevention tools are also key, backed up by well-thought-out policies. It can be tricky preventing IT admins like Snowden from wielding thumb drives, for example, but rules can be put in place to prevent, or at least flag, large-scale downloading onto such devices while it is taking place.
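As an added illustration of the kind of rule described above (not part of the original post or of any particular DLP product), the following Python flags any user whose writes to removable media exceed a volume threshold within a sliding time window. The log format, user names, device names and byte counts are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical endpoint agent: timestamp, user,
# removable device, bytes written. Not real data.
SAMPLE_LOG = """\
2013-06-03T09:12:04 user=jdoe dev=usb:SanDisk bytes=2048000
2013-06-03T09:15:30 user=jdoe dev=usb:SanDisk bytes=1536000
2013-06-03T09:20:11 user=jdoe dev=usb:SanDisk bytes=3072000
2013-06-03T09:25:42 user=jdoe dev=usb:SanDisk bytes=2560000
2013-06-03T10:02:00 user=asmith dev=usb:Kingston bytes=512000
2013-06-03T14:40:19 user=jdoe dev=usb:SanDisk bytes=1024000
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' line into (datetime, user, device, bytes)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["dev"], int(fields["bytes"])


def max_window_bytes(events, window):
    """Largest total of bytes written by one user inside any span of length `window`.
    `events` is a list of (datetime, bytes); a two-pointer sweep keeps it O(n log n)."""
    events = sorted(events)
    start = total = best = 0
    for ts, nbytes in events:
        total += nbytes
        # Drop events that fell out of the window ending at `ts`.
        while ts - events[start][0] > window:
            total -= events[start][1]
            start += 1
        best = max(best, total)
    return best


def flag_bulk_copies(log_text, threshold_bytes=5_000_000, window=timedelta(minutes=30)):
    """Return {user: peak_window_bytes} for users who exceed the threshold in any window."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, _dev, nbytes = parse_line(line)
            per_user[user].append((ts, nbytes))
    return {user: peak for user, evs in per_user.items()
            if (peak := max_window_bytes(evs, window)) > threshold_bytes}
```

A single 1 MB copy at 14:40 does not trigger the rule on its own; it is the burst of four writes within fourteen minutes that crosses the threshold, which is the behaviour a bulk-exfiltration rule is meant to catch while leaving ordinary use alone.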
Finally, it goes without saying that a contract is needed setting out the contractor’s rights and legal responsibilities, ensuring they understand all IT policies and relevant disciplinary action in the event of a data breach.
Some of these steps are set out in Section 8 of the ISO 17799/27002 standard, and can at the very least provide a few best practice basics, although each organisation will have different requirements. Physical security checks, for example, should be considered as standard for organisations dealing with highly classified material.
The bottom line is that if you have a rogue insider determined to steal or leak data like Edward Snowden, then probably no amount of technical or human controls will stop them. However, by and large CSOs can minimise risk to acceptable levels through rigorous vetting of contractors and contracting organisations, and by extending strict policy-based security controls to these privileged third parties.
Posted by Michael Darlington, Technical Director at Trend Micro and Chairman of the Cloud Industry forum special interest group for Security