As the dust begins to settle from a series of serious, but unrelated, recent breaches at the government's Office of Personnel Management and the Army National Guard, experts say they hope the events will shine much-needed attention on security challenges around third-party contractors.
The cause of the two breaches that hit the Office of Personnel Management (OPM) this year, with one affecting 4.2 million and the other 21.5 million federal workers, remains unclear, with some reports citing Chinese hacker involvement. However, what was clear was that both incidents were related to relationships with third-party contractors that had experienced earlier breaches -- U.S. Investigation Services and KeyPoint Government Solutions. It is believed that security credentials from those breaches were used to later infiltrate OPM computer systems.
More recently, the Army National Guard was hit by a breach that affected all current members and all former members since 2004. The breach was due to a contract employee inadvertently transferring files to a non-accredited data center.
Security experts said these most recent breaches, combined with other high-profile contractor-related breaches such as Target, highlight the need for more stringent security measures around third-party contractors.
"I don't think this is a terrible surprise that something like this would happen," said Ken Levine, president and CEO of Waltham, Mass.-based vendor Digital Guardian. "I think it certainly shows that as government agencies and even corporations, they have suppliers, they have third parties all the time handling sensitive data, and if they don't have some automated processes in place to control the flow of data then things like this will happen."
While they are technically outside parties, Guy Mordecai, director of product management at San Francisco-based vendor Fortscale, said these threats should be viewed as part of a growing insider threat problem, the large majority of which involve privilege abuse.
"That's a huge problem," Mordecai told CRN. "The key or the primary threat vehicle behind the most famous attacks we've seen in the last couple of years end up relating to the risk of insiders and the problem with misused credentials."
As a result, Mordecai said he is starting to see the topic of insider threats and third-party contractors come up in more conversations with customers, especially around the idea of privilege management.
"In almost every sales call that we have with prospects, they acknowledge right away that they are willing to solve [insider threats], but it is a green field. ... Everyone acknowledges that they have or they have on their work plan an insider threat mitigation program," Mordecai said. "I would say that everyone acknowledges that there is a problem."