BreachExchange mailing list archives

At Cybersecurity Conference, Concern Grows Over Outsourcing


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Feb 2014 18:55:59 -0700

http://www.californiareport.org/archive/R201402260850/a

When you hear the word "outsourcing," maybe you think: threat to American
jobs. To cyberexperts, there's another threat: to our data.

This week, thousands of the industry's leading minds from all over the
world are discussing the Internet and security at the annual powwow in San
Francisco, the RSA conference. These topics matter more and more to us
non-experts, especially as people become the victims of cybercrime.

Many of the people at this conference are talking about the underlying
causes of that crime and one word keeps coming up: outsourcing.

"You get what you pay for," says Andy Ellis, chief security officer with
Akamai Technologies. "If you move it to somewhere that's a lower cost,
there's a reason it's lower cost...sometimes it's because you aren't getting
as skilled personnel."

Just like the big manufacturers outsourced, online companies do, too, for
their websites, mobile apps and accounting. The downside isn't just a
poorly made t-shirt, it's data theft with untold consequences.

As a result, many people at the conference are selling a security service.
While they disagree on the merits of outsourcing, they agree it's a big
security problem. The decision to cut costs can backfire on the consumer,
says Dwayne Melancon, chief technology officer at Tripwire.

"You provide information to a company and all of a sudden it gets
compromised because of a weak link to a third-party contractor," says
Melancon. "It's your problem. It's not the company's problems."

In the recent high-profile breach at Target, the attackers got into the
retailer's network through a third-party vendor, a U.S. heating and
air-conditioning contractor. We need to pay more attention to this trend,
says Chris Coleman, security analyst with Lookingglass. Coleman audited
about 20 subcontractors that big banks hire. He found something startling.

"A hundred percent of third parties showed signs of compromise or
indicators of threats," he said. Was that a surprising percentage?

"No," says Coleman. "Our global cyber landscape is a scary place."

While weak links are everywhere, Coleman saw one that stood out among the
foreign service providers. Many of them used computers infected with an old
worm called Conficker. The worm dates from 2008 and spreads through a
Windows flaw that was patched that same year, so it is easy to remove and
does little damage on its own. But a machine still carrying it years later
has plainly not been patched or monitored, and that is exactly the signal
criminals look for when hunting weak entry points.

"It was more predominantly coming out of networks that were in the foreign
markets," he says. "The UK for sure. India and Southeast Asia."

However, when John Stewart, chief security officer at Cisco, travels to
China, they want to know how he's protecting their information from high
risk Americans.

"It really depends on where you're sitting, what you think the risk is," he
says.

There's a lot of data security distrust, especially after the recent NSA
revelations. But Stewart notes that the U.S. is better at building trust in
one key respect: we have laws that require companies to disclose breaches
when they happen.

He remembers participating in a panel in another country where someone said
that all the data theft is coming from the U.S. Stewart pushed back, asking
whether that country had a mandatory disclosure law, to which the guy
replied, "No."

"How do you know we're creating the problems?" Stewart said he asked the
man. "We're the only ones transparently telling you that we created the
problems."

Stewart says if everyone shared details on data breaches the way they
shared the data itself, cyberspace would be a lot less scary.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
