Retail Security: Third-Party Interaction

A SANS Whitepaper
Written by Eric Cole, PhD
August 2015
Sponsored by
Tenable Network Security
©2015 SANS™ Institute
Introduction
Many recent retail breaches share a common data point: They were the result of an
adversary compromising a third party and then using it as a pivot point to compromise
the retail organization.
Although third parties offer many benefits to retailers, including providing organizations
access to services they don’t specialize in, they can often create additional security risks
and exposures. Because an adversary will always utilize the easiest, simplest and most
effective way to break into an organization, a third party with full access to the network
poses significant exposure.
Use of third parties, however, is not optional for many retailers who must control,
monitor and protect third-party access and ensure that risk is properly addressed. If an
entity from outside the private network can access sensitive information, this access is
also an easy entry point for an adversary.
Outsourcing to third parties may reduce workloads, but unfortunately, it does not
reduce risk. Sometimes organizations believe that they are transferring the risk along
with the work and therefore no longer need to be concerned. In fact, the reverse is true:
Outsourcing results in an additional burden of proof on the part of the primary entity
because it cannot transfer or outsource liability. The originating party is ultimately going
to be responsible if PCI data is compromised at the third party.
In the case of financial operations covered under PCI standards, PCI requirements clearly
state that “organizations that outsource their CDE or payment operations to third parties
are responsible for ensuring that the account data is protected.”[1] If the third party
breaches a contract and does not implement proper security, the retail organization
remains responsible and liable for any disclosure of PCI or personally identifiable
information.
In other words, using a third party does not relieve or reduce an organization’s
responsibility to meet PCI compliance. Although this has been true since PCI 2.0,
many organizations missed it, so PCI 3.1 is more explicit. It states that an organization
is responsible for any third parties: “Parties should clearly identify the services and
system components which are included in the scope of the service provider’s PCI DSS
assessment.”[2]
[1] PCI DSS v3.1, www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
[2] PCI DSS v3.1
The initial burden of properly securing an external connection involves due diligence
and legal, IT and security contracts to properly implement access in a secure manner.
Outsourcing also creates additional work for retailers in terms of the documentation
required for PCI compliance.
This paper provides guidance on understanding, recognizing and minimizing the risk
of exposure from third parties, including those related to supporting services covered
under PCI DSS standards.
Risk Associated with Third Parties
If a retailer decides to utilize a third party, regardless of what the third party does, the
retailer is still liable and responsible for any breach or disclosure of information. Although
a third party can greatly increase a retailer’s productivity and cost effectiveness, the
burden of verifying that the third party is implementing proper security can erode those
cost savings. It’s therefore important for the retailer to perform a cost-benefit analysis that
compares the cost savings of using a third party with the cost of a breach. In many cases,
the thousands of dollars an organization would save per year pales in comparison to the
potential millions of dollars that could be lost due to poor security.
Furthermore, the easy, backdoor access often granted to third parties—which the
retailer might not even be aware of—provides a prime opportunity for an adversary to
compromise an organization because compromising a third party is often easier than
breaching a retailer directly. Controlling these risks therefore becomes imperative to
minimize loss and protect data. A quick Internet search will yield a long list of retailers
that have been compromised via third-party exposures.
Controlling the Security Risk: Strategic Planning
Security risks can never be completely eliminated, but they can be reduced to a
manageable level. An organization can take several actions to properly control and
manage risk in the retail environment. Note that the information needed to drive these
actions is required by PCI. Therefore, if an organization is compliant with PCI standards,
the information is readily available to perform the analysis outlined here. Figure 1 offers
an overview of the necessary actions that help control security risk.
Figure 1. Components of Risk Management in the Retail Environment
Understand the Threats and Exposures
All retailers must assume that they will be targeted and attacked, and anticipating those
attacks is crucial. Through a process called attack modeling, an organization can look
at the various existing threats, correlate those with vulnerabilities and tie them back to
systems that contain sensitive information. (As noted above, this information should be
available to retailers that are PCI compliant. PCI requires retailers to perform an annual
risk assessment and understand the flow of PCI data, information that can then be used
in attack modeling.) An example of modeling is shown in Figure 2.
Figure 2. Sample Attack Model for Retail Organizations (diagram; nodes: Malicious Insider, Authentication Bypass, Memory-Scraping Malware, Compromised Credentials, Client-Side Attack, Third-Party Compromise, PCI Database Server Compromise, Compromised Device or Network)
Knowledge is indeed power when it comes to understanding how the adversary
works. Risk is reduced if a retail organization can anticipate the myriad ways in which
a compromise can occur, identify the vulnerabilities that cause the most exposure and
focus on fixing those high-risk areas. Often, an organization quickly recognizes that by
fixing one vulnerability, it can stop a large percentage of potential attacks. This kind of
discovery helps to prevent spending considerable time and money fixing insignificant
exposures. While Figure 2 illustrates one attack model, there are many other types. For
example, memory scraping is a concern with point-of-sale systems, whereas skimming
attacks target card readers at places such as gas pumps.
Conduct a Data Flow Analysis
For a compromise to occur, an adversary has to gain access to sensitive information and
exploit that information. By understanding all of the possible ways that data flows, a
retail organization can better identify its exposure points and focus security on reducing
or minimizing them. Understanding pivot points and lateral movement is integral to proper security.
Often organizations focus their efforts on securing the systems that contain sensitive
information. If the system does not contain sensitive information, the organization might
consider it low risk and fail to properly secure it. The problem, however, is that although
the system itself may not contain sensitive information (for example, a system at a third party),
it may have direct access to another system that does. Recognizing this, an adversary
would not directly break into the most obvious system but instead target the third party,
set up a pivot point and use lateral movement to ultimately compromise the target.
Grant Least Privilege
It is often easier for a retailer to give a third party full access to the entire network than
to figure out exactly what the third party rightfully needs. But this lack of due diligence
can result in big exposure. If the third party is compromised, it means full compromise of
the retail organization as well. Security controls are a necessary cost of doing business—
and will ultimately cost less than losses resulting from a breach. As such, retailers should
ensure that third parties are provided with only minimum access up front and require
that they justify any requests for additional access. Contracts between retailers and third
parties should include specific language outlining the requirements for such integration,
networking and access controls.
Segment Information
Whereas least privilege deals with access, segmentation focuses on what information is
visible to the third party. Segmentation limits access from a network perspective. Any
system that a third party needs to access should be put on a separate, isolated network.
This way, even if the third party is compromised and the adversary can compromise the
retailer, the attacker will have only limited access to the retailer, thereby controlling the
amount of damage. Third-party access should never be directly connected to the main
network. There should always be a separate segment with controlled access set up for
the third party. Although this approach is not required by PCI, it is highly recommended.
Implement a VPN with Robust Authentication
Any third party that needs access to a retailer should have proper credentials
established, utilize robust authentication (i.e., two-factor authentication) and connect
via a secure channel—all of which are PCI requirements. Ideally, organizations should
track, monitor and control each third-party individual accessing systems, which is not
always feasible with large outsourcing projects. But the retailer should make every effort
to control, track and manage all access.
Discovering and Identifying Third Parties
According to PCI,[3] a third party is any non-employee entity, including individuals,
primary contractors and sub-contractors, that performs services and/or has access to
company information. Identifying all third parties that have access to an organization is
critical not only for security but also for PCI compliance. Although third parties greatly
enhance the services an organization offers, they also increase the risk of exposure and
compromise of sensitive information.
The first thing an organization needs to do is identify any and all third parties that
have access to card data in terms of “transmit, process, store” or any access that could
impact the security of cardholder data. Making this determination can be challenging
because sometimes outsourcing happens without making other units in the business
aware of such business arrangements. In other cases, the outsourcing arrangement
starts out small and is planned for only a short time, so the organization may consider it
too insignificant to tell security about. But when due diligence, contract validation and
security controls are insufficient at the outset, there will likely be problems if that small
contract grows and becomes a key fabric of the business.
Identification of third parties, then, should begin with a review of contracts, legal
documents, and purchasing and procurement procedures. Even small contractors have
to be under contract to get paid, so looking at the legal documents related to their
engagement with the organization is a reliable way of identifying third parties. In those
instances where security is out of the loop, any entities involved with contracts and
payment often have a good idea of the third-party profile within an organization.
Identify third parties by asking business units, managers or others the following questions:
• Does your team work with any third parties (i.e., contractors, business partners,
service providers, individuals or anyone who is not an employee)? Note that it is
critical to clearly define what constitutes a “third party.” For example, a third party is
any individual or entity providing some fee-based service that supports or enables
company business. Contractors such as outsourced IT are sometimes considered
the same as employees. One way of determining this is to find out whether they
have domain credentials.
• Does any third party have access to systems on our network? Third parties might
also be in the payment path.
• Does any third party receive emails or data transfers that contain organizational or
sensitive information?
• Can you provide all contracts that you have with third parties that provide any
services to the organization?
[3] PCI DSS v3.1, www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
After identifying all the services that are outsourced and related agreements or
contracts, identify what information can be accessed by the third party and the
sensitivity of that information. Be sure to define access as both direct and indirect.
For example, a third party might be given access to a server that contains public
information, but if that server is on the same network as another server that contains
sensitive information and the credentials for accessing that server are the same,
technically that third party has access to sensitive information.
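The indirect-access case described above (a vendor-facing server that shares a segment and credentials with a sensitive server) can be checked mechanically against an inventory. The following is an added example, not code from the paper; the pivot rule, system names, segments and credential labels are all constructed assumptions.

```python
"""Direct vs. indirect third-party access (added example, not from the paper).

Models the paper's point that a vendor given access to a "public" server can
still reach a sensitive server when the two share a network segment and
credentials. System names, segments and credential labels are constructed.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    segment: str                # network segment the host sits on
    credentials: set[str]       # credential sets accepted by this host
    sensitive: bool = False     # holds cardholder data?
    links: set[str] = field(default_factory=set)  # explicit network paths out


def pivot_targets(src: System, inventory: dict[str, System]) -> set[str]:
    """Hosts an adversary on `src` could move to.

    Assumed pivot rule (illustrative): another host is reachable when it is
    on the same segment and accepts one of src's credential sets, or when
    src has an explicit network path to it.
    """
    out = set(src.links)
    for other in inventory.values():
        if other.name != src.name and other.segment == src.segment \
                and src.credentials & other.credentials:
            out.add(other.name)
    return out


def reachable_from(direct: set[str], inventory: dict[str, System]) -> dict[str, int]:
    """Breadth-first search over pivots; {host: hops}, 0 = direct vendor access."""
    hops = {h: 0 for h in direct}
    queue = deque(direct)
    while queue:
        cur = queue.popleft()
        for nxt in pivot_targets(inventory[cur], inventory):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def indirect_sensitive_exposure(direct: set[str], inventory: dict[str, System]) -> dict[str, int]:
    """Sensitive hosts the vendor reaches only by pivoting (hops > 0)."""
    return {h: n for h, n in reachable_from(direct, inventory).items()
            if n > 0 and inventory[h].sensitive}


def flat_network() -> dict[str, System]:
    """Constructed 'before' state: one segment, shared local admin credential."""
    systems = [
        System("web-public", "corp-lan", {"localadmin"}),
        System("pos-db", "corp-lan", {"localadmin", "dba"}, sensitive=True),
        System("hr-files", "corp-lan", {"hr-svc"}),
    ]
    return {s.name: s for s in systems}


def segmented_network() -> dict[str, System]:
    """Constructed 'after' state: vendor host isolated, credentials not shared."""
    systems = [
        System("web-public", "vendor-dmz", {"vendor-web"}),
        System("pos-db", "pci-segment", {"dba"}, sensitive=True),
        System("hr-files", "corp-lan", {"hr-svc"}),
    ]
    return {s.name: s for s in systems}
```

Running `indirect_sensitive_exposure({"web-public"}, flat_network())` reports the PCI database one hop away, while the segmented inventory reports nothing, which is the effect the segmentation and least-privilege sections aim for.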
Next, contact the third parties to identify security measures already implemented or
slated for implementation. Here are some questions to ask:
• Does sensitive information reside on computers that do not belong to you? If so,
what information and where is it stored?
• What data classification and protection mechanisms are in place?
• Do security policies exist, and are there specific sections related to third-party
information?
• Do you perform logging of all access to company information? How long are your
logs preserved, and where are they stored?
• Is information about your business segmented from that of other clients? What
level of security is implemented to protect this information?
• How do you monitor and detect potential breaches, and how would we be notified
in the event of a breach?
After your organization identifies its third parties, it can assess overall security posture
and calculate the risk associated with their use. If the risk exceeds an acceptable level
(which is likely), remediation measures need to be implemented to minimize the risk.
Typically, such measures include reducing visibility, controlling the flow of information,
detailed logging and authentication.
The acceptable level of risk is defined by the risk appetite of the executive team
and board of directors. It is also closely tied to the security budget. The less risk an
organization can tolerate, the more it must spend on security. Organizations may have a
high tolerance for risk—until they suffer a major breach.
If retailers outsource any aspect of PCI information or compliance, additional due
diligence must be performed. The retailer must decide whether it will utilize only third
parties that are already PCI compliant or make the effort to ensure that the third party is
fully compliant. It is also important to validate exactly which PCI DSS requirements are
being met by the third party.
Best Practices: Tactical Implementation
Retailers rely on third parties to help them run effective, low-cost and efficient
businesses. The following best practices will help organizations achieve that goal and
maintain associated security risks at an acceptable level:
• Identify what access is required. Although it’s easier to grant third parties full
access to the network, it also creates significant risk and exposure. For each vendor,
create a list that indicates the access required for specific data and systems.
• Create clear control gates for access. Instead of allowing a third party to have
full access to a network, a separate DMZ should be set up to clearly control and
manage all vendor access in and out of the organization. Creating a clear control
gate makes access easy to manage, verify and control.
• Implement strict access control. Verify that the vendor only has the access it
needs and nothing more. While tracking this takes more time and effort up front,
the amount of time and money spent on due diligence will be a lot less than the
cost of a breach—which becomes much more likely if this step is overlooked.
• Monitor all access. Because adversaries often use the access established by a
third party to compromise a retailer’s systems, all access coming from the third-party
organization must be carefully monitored. The behavior of a third party
performing legitimate activity will be significantly different than the behavior of
an adversary that has compromised the third party. By carefully monitoring and
building a pattern of normal activity, deviations can be identified and used to
trigger response.
• Scan and verify access. Claiming to have security is a lot different than verifying
security measures are properly implemented and working correctly. When
breaches occur, often the target organization will say that it thought it had proper
security. Security managers didn’t know something had either stopped working or
hadn’t been implemented correctly—and no one noticed. Perform active scanning
with technical verification to verify that everything is optimally configured and
working the way it was designed to work.
• Insert security service level agreements (SLAs) in the contract. Define clear
metrics with explicit language in the contract that require the third party to meet
a certain level of security. In addition to clear metrics tied to SLAs, penalties should
be identified if the third party fails to meet those requirements.
• Require security reports and validation from vendor. On a regular basis, the
third party should provide explicit security reports showing adherence with
contract terms and metrics. Additional reports should be provided indicating
whether security protocols are properly implemented to protect the retailer’s
sensitive information. This information should be tied to SLAs that define penalties
if the reports are not provided.
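The “identify what access is required”, “create clear control gates” and “monitor all access” practices above combine naturally at the vendor DMZ gateway: every connection is compared with the vendor’s contracted access list and with a baseline of its normal activity. The following is an added example, not from the paper or any product; the log format, vendor names, hosts and maintenance window are constructed assumptions.

```python
"""Monitoring vendor access at the control gate (added example, not from the paper).

Parses constructed gateway log lines, checks each connection against the
access the vendor is contracted to have, and flags deviations from a
baseline of normal activity. Log format, vendors and hosts are constructed.
"""
import re
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"(?P<ts>\S+) vendor=(?P<vendor>\S+) user=(?P<user>\S+) "
    r"dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)

# Contracted access per vendor: the paper's "list of access required".
ALLOWED = {
    "hvac-co": {("bms-01", 443)},
    "pos-vendor": {("pos-db-01", 1433), ("pos-app-01", 8443)},
}
MAINTENANCE_HOURS = range(6, 20)  # constructed: 06:00-19:59 UTC


def parse(line):
    """Return a dict for one gateway record, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def build_baseline(lines):
    """Pattern of normal activity: (vendor, user, dst, port) tuples seen before."""
    return {(r["vendor"], r["user"], r["dst"], r["port"])
            for r in map(parse, lines) if r}


def review(lines, baseline):
    """Findings as (severity, reason, line); a line may yield more than one."""
    findings = []
    for line in lines:
        r = parse(line)
        if r is None:
            findings.append(("high", "unparseable gateway record", line))
            continue
        if (r["dst"], r["port"]) not in ALLOWED.get(r["vendor"], set()):
            findings.append(("high", "destination outside contracted access", line))
        elif (r["vendor"], r["user"], r["dst"], r["port"]) not in baseline:
            findings.append(("medium", "new user/destination pairing vs. baseline", line))
        if r["ts"].hour not in MAINTENANCE_HOURS:
            findings.append(("low", "access outside maintenance window", line))
    return findings


# Constructed sample records: a prior week of normal traffic, then a new day.
BASELINE_LOGS = [
    "2015-08-03T10:00:00Z vendor=hvac-co user=jdoe dst=bms-01 port=443",
    "2015-08-04T14:00:00Z vendor=pos-vendor user=asmith dst=pos-db-01 port=1433",
]
NEW_LOGS = [
    "2015-08-10T11:00:00Z vendor=hvac-co user=jdoe dst=bms-01 port=443",
    "2015-08-10T02:30:00Z vendor=hvac-co user=jdoe dst=pos-db-01 port=1433",
    "2015-08-10T15:00:00Z vendor=pos-vendor user=bwong dst=pos-db-01 port=1433",
    "corrupt record",
]


def severities(lines=NEW_LOGS, baseline_lines=BASELINE_LOGS):
    """Severity labels of all findings, in log order."""
    return [f[0] for f in review(lines, build_baseline(baseline_lines))]
```

The second sample record shows the case the paper warns about: an HVAC vendor account reaching the PCI database at 02:30 is both outside its contracted access and outside the window, and is reported even before any baseline comparison.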
Summary
The more an organization knows about its infrastructure and location of sensitive
information, the better it can protect high-value data, ensure operational integrity and
comply with PCI requirements. Any third party that has access to an organization’s
infrastructure, network or data must also be included within the security plan.
Outsourcing doesn’t relieve organizations of their security obligations.
After becoming familiar with the PCI requirements, organizations need to learn how to
identify third parties, clearly define and limit their access, and put safeguards in place to
ensure that their actions do not compromise the organization’s overall security or data.
Best practices should include the following items outlined in this paper:
• Identify what access is required.
• Implement strict access control.
• Monitor all access.
• Scan and verify access.
• Create clear control gates for access.
• Insert security SLAs in the contract.
• Require security reports and validation from vendor.
Any time third parties are utilized, the organization must take the extra steps to ensure
that all access is properly verified and validated. Be sure not to underestimate the
importance of executive buy-in. Success depends on executives who, while strongly
motivated by the economic benefits of relying on third parties, make security an
equal priority.
About the Author
Eric Cole, PhD, is a SANS faculty fellow, course author and instructor who has served as CTO of
McAfee and chief scientist at Lockheed Martin. He is credited on more than 20 patents, sits on
several executive advisory boards and is a member of the Commission on Cybersecurity for the 44th
Presidency. Eric’s books include Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight,
Network Security Bible and Insider Threat. As founder of Secure Anchor Consulting, Eric puts his 20-plus
years of hands-on security experience to work helping customers build dynamic defenses against
advanced threats.
Sponsor
SANS would like to thank this paper’s sponsor: