UPDATED 16:47 EST / MARCH 06 2013

NEWS

Bank of America Breach Highlights the Third-Party Security Problem

The Bank of America breach that hit the news this week has raised a lot of eyebrows.  Some 14Gb of data was leaked in that incident, which was directed against Bank of America by an Anonymous-related hacking group known as Par:AnoiA.  The incredibly sensitive internal data included salary and career information about employees and executives, project information, source code, intelligence-gathering material and more.  Having an appropriate breach response plan is critical for an organization.  It means emergency lockdown, it means preserving evidence, it means assessing the damage done, it means public statements through the media and private statements to investors and partners, and the list goes on and on.  Also on that list is a full post-mortem: a report on what happened and what can be done better.  Time and time again a serious weakness emerges, and in the case of BofA it is obvious right away: the security questions around third parties.

Companies must work together and they must share information; there is no way around that.  So they set up file-sharing repositories, collaborative schemes and technical alliances, all of which mean sharing information.  Contractors, acquisitions and any other associations all call for detailed attention when you are considering security.  Each one of them is a potential point of weakness, because however well you know your own security, your own network and the people in your organization, do you ever really know what those third parties are doing?

That is what happens time and time again.  It is what happened a couple of years ago when the RSA SecurID story surfaced through Northrop Grumman and L-3 Communications, where the compromised tokens were used to get at sensitive defense information.  It is what we see here in the Bank of America case, which has been reported as a third-party leak.  Specifically, it was ClearForest, a Thomson Reuters company with operations based in Tel Aviv, that was attacked.  The targeted information had been collected for data analytics.  It is a clear indicator of the challenge: for all the security experience of a company operating in the finance sector, the weakness turned out to be the practices and execution of a third party.

Welcome to the new security age: not only do you have to worry about your perimeter and do the basics that compliance lays out, you also face an exponentially growing number of threats inside the enterprise.  BYOD introduces portable data repositories and new attack vectors if you do not do it right.  You have to audit and analyze, and keep doing so non-stop, which means knowing where the most sensitive information on your network lives.  Auditing therefore has to have visibility everywhere, on the network, on mobile devices, everywhere, and that means actively looking for anything abnormal rather than only reacting after the fact.  Controls matter too: encryption, access limitations, multi-factor authentication, account management and much more.  Also, make a response plan; I could, and probably will, write pages on that alone.  The point is that these things begin to define how we secure our own environments, but even that is still not enough.

It is the question of partners and shared data that is the real challenge.  Attackers know about the third-party problem, and it is often the first place they will look.  You simply cannot secure this through agreements and compliance documents alone.  What really matters is getting the two security teams together and getting a feel for what the other group is doing and how seriously they take their security environment.  The evaluations that emerge from this should be treated as critical business decisions, flat out, every time, because so much reputation and impact is at stake if an emergency occurs.  There is also an opportunity in each of these cases for one company to take the lead and set the standard for professionalism and excellence in security principles.  If you are looking at the security plan of an organization you intend to do business with and they are worse off than you are, there is cause for concern.
