Trusting third parties can lead to second-rate security


Over the weekend, news broke that hundreds of thousands of individual users of SnapChat (many under the age of 18) fell victim to compromise through a third-party service called SnapSaved, reportedly perpetrated by the same group responsible for leaking the celebrity photos. And Dairy Queen revealed that they were the latest in a growing list of retailers that have had customer credit card information stolen as a result of malware installed by hackers using stolen passwords from third-party contractors. Just yesterday, hackers claimed to have stolen almost 7 million Dropbox credentials by compromising a third-party site.

The common thread: the victims, whether individuals or a large company, trusted third parties and paid a steep price as a result. It’s true that adoption of web apps has led to an increase in productivity and even, according to this report, security. But reliance on third parties also magnifies the damage that unauthorized access can cause. Businesses of all sizes can protect themselves by following a few basic steps:

Review policies and procedures

Be careful about whom you trust and with what. As the SnapSaved victims learned, giving a third party access to your accounts can have devastating consequences. Financially motivated attacks designed to steal credit card or healthcare data can start with something as simple as a password for a web app. Conduct regular reviews of policies and procedures to identify users that have unnecessary privileges or no longer need access. A solid incident response plan can reduce costs by up to 25%.
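The access review described above, as an added example (not Authentic8's code): a script that walks an account inventory and flags two things, accounts with no login inside the review window and accounts, third-party ones in particular, holding privileges beyond a least-privilege baseline for their role. The baseline, the accounts and the review date are constructed sample data.

```python
"""Periodic access review over a constructed account inventory.

Flags accounts that are stale (no login within the review window) and
accounts whose privileges exceed a hypothetical least-privilege baseline
for their role. Added example; the data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Hypothetical baseline: the privileges each role legitimately needs.
ROLE_BASELINE = {
    "employee": {"read", "write"},
    "contractor": {"read"},       # third-party contractors: read-only unless justified
    "vendor-support": {"read"},
}

# Constructed review date for the sample run.
REVIEW_DATE = date(2014, 10, 13)


@dataclass
class Account:
    user: str
    role: str
    third_party: bool
    privileges: Set[str]
    last_login: Optional[date]   # None means the account has never been used


def review_access(accounts: List[Account], today: date,
                  stale_after_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, finding, detail) tuples for accounts that need attention."""
    cutoff = today - timedelta(days=stale_after_days)
    findings = []
    for acct in accounts:
        # Stale: never used, or not used since the cutoff -> revoke or re-certify.
        if acct.last_login is None or acct.last_login < cutoff:
            last = acct.last_login.isoformat() if acct.last_login else "never"
            findings.append((acct.user, "stale",
                             f"last login {last}; revoke or re-certify"))
        # Excess privilege: anything beyond what the role's baseline allows.
        excess = acct.privileges - ROLE_BASELINE.get(acct.role, set())
        if excess:
            who = "third-party" if acct.third_party else "internal"
            findings.append((acct.user, "excess-privilege",
                             f"{who} {acct.role} holds {sorted(excess)} beyond baseline"))
    return findings


def sample_inventory() -> List[Account]:
    """Constructed sample accounts for demonstration."""
    return [
        Account("alice", "employee", False, {"read", "write"}, date(2014, 10, 10)),
        Account("bob", "contractor", True, {"read", "write", "admin"}, date(2014, 10, 1)),
        Account("hvac-vendor", "vendor-support", True, {"read"}, date(2014, 5, 1)),
        Account("temp-intern", "employee", False, {"read"}, None),
    ]


if __name__ == "__main__":
    for user, finding, detail in review_access(sample_inventory(), REVIEW_DATE):
        print(f"{user:12} {finding:17} {detail}")
```

Run on the sample data, the review flags the contractor with admin rights and the two accounts nobody has used in 90 days; in practice the inventory would come from your identity provider or the web app's own user export, and each finding becomes a revoke or a documented justification.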

Test for default credentials on devices and services

Avoid basic mistakes such as leaving default or easily guessed passwords in place. Even the most robust infrastructure can be penetrated with the right credentials, as we’ve seen with the Shellshock vulnerability. Key infrastructure is often managed via a web app, and default credentials are the easiest way to gain access to sensitive data. Testing for default credentials should be a regular process in maintaining your information security.
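One way to make that test a repeatable process, as an added example rather than anything from the original post: an offline audit over an exported credential store. It assumes each record (from a configuration backup or the service's own user export) carries the login name, a per-record salt and a PBKDF2-SHA256 hash, and it checks every record against a list of known defaults without touching the live devices. The default list below is a constructed placeholder; the real one comes from your vendors' documentation.

```python
"""Offline default-credential audit over an exported credential store.

Added example, not Authentic8's code. Assumes records hold a per-record
salt and a PBKDF2-SHA256 hash; the defaults list is a constructed
placeholder to be replaced with the defaults your vendors document."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple

ROUNDS = 50_000  # PBKDF2 work factor; must match the store being audited

# Constructed placeholder list; real entries come from vendor documentation.
KNOWN_DEFAULTS = ["admin", "password", "changeme", "1234"]


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted PBKDF2-SHA256, the hash format this constructed store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def audit_default_credentials(records: List[Dict],
                              defaults: List[str] = KNOWN_DEFAULTS) -> List[Tuple[str, str]]:
    """Return (host, user) pairs whose stored hash matches a known default."""
    flagged = []
    for rec in records:
        for candidate in defaults:
            digest = hash_password(candidate, rec["salt"], rec["rounds"])
            # Constant-time comparison, as for any hash check.
            if hmac.compare_digest(digest, rec["pw_hash"]):
                flagged.append((rec["host"], rec["user"]))
                break   # one match is enough to flag the record
    return flagged


def _record(host: str, user: str, plaintext: str) -> Dict:
    """Build a constructed store record. Real records are exported from the
    device or service; this helper only exists to fabricate sample data."""
    salt = os.urandom(16)
    return {"host": host, "user": user, "salt": salt, "rounds": ROUNDS,
            "pw_hash": hash_password(plaintext, salt)}


def sample_store() -> List[Dict]:
    """Constructed inventory: two devices still on defaults, two rotated."""
    return [
        _record("core-switch-01", "admin", "admin"),
        _record("cms.example.internal", "admin", secrets.token_urlsafe(16)),
        _record("hvac-controller", "service", "changeme"),
        _record("backup-appliance", "root", secrets.token_urlsafe(16)),
    ]


if __name__ == "__main__":
    for host, user in audit_default_credentials(sample_store()):
        print(f"DEFAULT CREDENTIAL: {user}@{host} - rotate and record an owner")
```

Because the check runs against exported hashes rather than live logins, it can be scheduled against every configuration backup without generating authentication noise on the devices themselves; anything flagged should be rotated and tracked to an owner.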

Manage usernames and passwords properly

Control credentials by using a password manager. While the benefit of frequently changing passwords can be debated (see our stance), there’s no doubt that having strong and unique passwords for every web app is critical. Here at Authentic8, we manage thousands of passwords for our customers. Not only is that data stored securely, but our patented approach gives us the ability to share credentials without revealing them to the user. However you decide to manage credentials, the ability to grant and revoke access to web apps is critical.
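The grant-and-revoke model in the paragraph above, as an added example that illustrates the principle only; it is not Authentic8's patented implementation. A small broker holds a web app's shared username and password, logs users in on their behalf when they hold a grant, hands back only the resulting session, and stops doing so the moment the grant is revoked. The app names, users and the stand-in login function are constructed.

```python
"""Credential broker: share access to a web app without revealing the password.

Added example, a simplified illustration and not Authentic8's implementation.
The broker performs the login itself and returns only the session it obtains."""
import secrets
import string
from typing import Callable, Dict, List, Set, Tuple


def generate_password(length: int = 20) -> str:
    """Strong, unique password from a CSPRNG; one per app, never reused."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class CredentialBroker:
    def __init__(self) -> None:
        self._vault: Dict[str, Tuple[str, str]] = {}   # app -> (username, password)
        self._grants: Set[Tuple[str, str]] = set()      # (user, app) pairs allowed to log in
        self.audit_log: List[str] = []                  # every grant, revoke, login, denial

    def store(self, app: str, username: str, password: str = None) -> None:
        """Register an app's credential; generate a strong one if none is supplied."""
        self._vault[app] = (username, password or generate_password())

    def grant(self, user: str, app: str) -> None:
        if app not in self._vault:
            raise KeyError(f"no credential stored for {app}")
        self._grants.add((user, app))
        self.audit_log.append(f"grant {user} -> {app}")

    def revoke(self, user: str, app: str) -> None:
        self._grants.discard((user, app))
        self.audit_log.append(f"revoke {user} -> {app}")

    def login_for(self, user: str, app: str,
                  login: Callable[[str, str], str]) -> str:
        """Log `user` into `app`. The password goes only to `login` (the broker's
        own connection to the app); the caller receives the session, never the secret."""
        if (user, app) not in self._grants:
            self.audit_log.append(f"denied {user} -> {app}")
            raise PermissionError(f"{user} has no grant for {app}")
        username, password = self._vault[app]
        session = login(username, password)
        self.audit_log.append(f"login {user} -> {app} as {username}")
        return session


def fake_login(username: str, password: str) -> str:
    """Stand-in for the app's login endpoint (constructed): returns an opaque session id."""
    return "session-" + secrets.token_hex(8)


def demo() -> Tuple[bool, bool, bool]:
    """Grant alice, check bob is refused, revoke alice, check she is now refused."""
    broker = CredentialBroker()
    broker.store("crm.example.com", "shared-crm-user")   # constructed app and user
    broker.grant("alice", "crm.example.com")
    alice_ok = broker.login_for("alice", "crm.example.com", fake_login).startswith("session-")
    try:
        broker.login_for("bob", "crm.example.com", fake_login)
        bob_denied = False
    except PermissionError:
        bob_denied = True
    broker.revoke("alice", "crm.example.com")
    try:
        broker.login_for("alice", "crm.example.com", fake_login)
        alice_after_revoke_denied = False
    except PermissionError:
        alice_after_revoke_denied = True
    return alice_ok, bob_denied, alice_after_revoke_denied


if __name__ == "__main__":
    print(demo())
```

The point of the design is that revocation is immediate and complete: since users only ever held sessions brokered for them, removing the grant cuts them off without the password itself having to change, and the audit log records who used which app and when.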

The general consensus is that data breaches will continue to plague businesses, celebrities, and regular people in the future. A few basic steps can help keep your business out of the headlines.