Security Questions to Ask After the ZeroedIn Breach
Third-party data managers may be targets of opportunity for hackers with companies such as Dollar Tree caught up in the attacks.
At a Glance
- Unnamed bad actor briefly gained access to PII for nearly 2 million individuals.
- Third-party data managers may be targets of opportunity for hackers looking for widespread impact.
- Persistent security checks for vendors may be part of curbing infiltration.
Last week, word spread of a data breach at ZeroedIn Technologies that affected nearly 2 million individuals, whose personal identifiable information such as names, addresses, and Social Security numbers was exposed. The bad actor gained unauthorized access to ZeroedIn’s network for a brief period in early August. ZeroedIn is a third-party data manager that specializes in workforce data, including analytics and regulatory compliance.
The notice about the breach included Dollar Tree and its subsidiary Family Dollar as a corporate customer affected, with speculation pointing to employees of that company potentially being impacted.
The attack called attention to the bullseye that third-party data managers might be under. As more organizations look to external providers to oversee their data for efficiency and compliance needs, the trend might also offer hackers and other bad actors centralized targets of opportunity -- breach one data manager and gain access to data from a multitude of sources.
“Unfortunately, organizations today can’t stay competitive if they don’t use third-party providers and suppliers, whether it’s data or services or software,” says Etay Maor, senior director of security strategy at network security company Cato Networks. He coupled third-party data breaches with supply chain attacks, where bad actors can potentially have widespread impact across multiple enterprises and organizations.
Such tactics, in general, are not new, Maor says, citing the credit card information breach at Target nearly 10 years ago. “The initial breach happened through the HVAC contractor that Target had,” he says. “That’s how they got into the network.” Whether through externally stored data or third-party credentials that grant network access, hackers will seek out ways to infiltrate systems.
Though many companies cannot meet their data needs entirely in-house, some organizations such as financial institutions may try to keep everything on-prem for direct security control, Maor says. “Most organizations cannot do that. You can’t. You have to remain profitable and competitive and so you’ll have to work with outside vendors. I can’t think of a company that doesn’t work with you. Google Drive or Salesforce.com. What happens is, all of a sudden, your security is dependent on their security.”
He says organizations should ask to what extent they must work with third-party suppliers and understand the security risk that they take on by using those services, whether it is software, data, or services. “It’s not enough that a third party says, ‘Oh yeah, I am certified,’” Maor says. “Certification does not equal security.”
That is where strict, zero-trust security models can come into play, he says. “Never trust; always verify. Yes, you’re my vendor. Yes, I work with you daily. I even know some of the people personally. Doesn’t matter. Every access from your organization into my network has to be validated.”
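The “never trust; always verify” model Maor describes can be made concrete as a deny-by-default check that runs on every vendor access request, rather than granting access because the requester is a known vendor. The following Python is an added illustration, not code from the article or from Cato Networks; the policy format, the vendor name, the scope strings, and the claim names (MFA verified, device attested) are assumptions, and the sample requests are constructed.

```python
"""Deny-by-default evaluation of third-party (vendor) access requests.

Added illustration; the policy schema, vendor names and claims are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class VendorGrant:
    """Scope a vendor has been granted. Anything outside it is denied."""
    vendor: str
    resources: frozenset          # "resource:action" strings the vendor may use
    expires: datetime             # grants are time-boxed and must be renewed
    require_mfa: bool = True
    require_managed_device: bool = True


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt by a person or service acting for a vendor."""
    vendor: str
    principal: str                # the individual account, not just the company
    resource: str                 # "resource:action" being requested
    mfa_verified: bool
    device_attested: bool         # e.g. a client posture check passed
    at: datetime


# Constructed policy for illustration; vendor name and scopes are hypothetical.
POLICY = {
    "workforce-analytics-vendor": VendorGrant(
        vendor="workforce-analytics-vendor",
        resources=frozenset({"hr/reports:read"}),
        expires=datetime(2025, 1, 1, tzinfo=timezone.utc),
    ),
}


def legacy_check(request: AccessRequest, trusted_vendors: set) -> bool:
    """The pattern the article warns against: being a known vendor is enough."""
    return request.vendor in trusted_vendors


def evaluate(request: AccessRequest, policy: dict = POLICY) -> tuple:
    """Return ("allow" | "deny", reason) for a single request.

    Every check runs on every request; a long-standing relationship with
    the vendor never skips a step.
    """
    grant = policy.get(request.vendor)
    if grant is None:
        return ("deny", "no active grant for vendor")
    if request.at >= grant.expires:
        return ("deny", "grant expired; renewal required")
    if grant.require_mfa and not request.mfa_verified:
        return ("deny", "mfa not verified for principal")
    if grant.require_managed_device and not request.device_attested:
        return ("deny", "device posture not attested")
    if request.resource not in grant.resources:
        return ("deny", f"{request.resource} outside granted scope")
    return ("allow", f"{request.principal} -> {request.resource}")


def sample_requests() -> list:
    """Constructed requests covering the common deny reasons."""
    base = dict(vendor="workforce-analytics-vendor",
                principal="analyst@vendor.example",
                mfa_verified=True, device_attested=True,
                at=datetime(2024, 6, 1, tzinfo=timezone.utc))
    return [
        AccessRequest(**{**base, "resource": "hr/reports:read"}),        # in scope
        AccessRequest(**{**base, "resource": "finance/ledger:write"}),   # scope creep
        AccessRequest(**{**base, "resource": "hr/reports:read",
                         "mfa_verified": False}),                        # no MFA
        AccessRequest(**{**base, "resource": "hr/reports:read",
                         "at": datetime(2025, 3, 1, tzinfo=timezone.utc)}),  # expired
        AccessRequest(**{**base, "vendor": "former-vendor",
                         "resource": "hr/reports:read"}),                # no grant
    ]


def run_demo() -> list:
    """Evaluate the samples under both models; returns (legacy, (decision, reason))."""
    trusted = {"workforce-analytics-vendor", "former-vendor"}  # stale allowlist
    return [(legacy_check(req, trusted), evaluate(req)) for req in sample_requests()]


if __name__ == "__main__":
    for legacy, (decision, reason) in run_demo():
        print(f"legacy={'allow' if legacy else 'deny':5} "
              f"zero-trust={decision:5} {reason}")
```

Run as a script, the demo shows the stale vendor allowlist approving all five requests while the per-request evaluation allows only the in-scope, MFA-verified, attested, unexpired one. The per-principal and per-resource scoping is what limits the blast radius if a vendor's own environment is compromised.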
Organizations also want to know what is happening on the vendor’s end, Maor says, because if something happens with the data or access given to a vendor it could be a significant problem. “You cannot fully control the organization that you work with, so you’re inheriting their security posture,” he says.
Bad actors might breach systems to steal information for a potentially long-term grift, or for more immediate ransomware attacks that demand payment here and now.
Gaining access to personal information may speak to extended plans on the bad actor’s part, especially since temporary protective measures, such as the free credit monitoring offered to breach victims, might be employed to stymie their ill-gotten gains. “The criminals know they need to wait a year until that free credit monitoring is expired,” Maor says. “Then they'll use the credentials.” Alternatively, he says, they might use credentials extremely fast, but not for credit card fraud, rather to inflict a network-based attack.
It Takes a Village
“Your team is only as strong as your weakest player,” says Dana Simberkoff, chief risk, privacy, and information security officer with AvePoint, recollecting advice she got from a soccer coach in fifth grade. “The difference now is that the team that companies have in terms of their IT portfolio is now extended outside of their own company.”
That means organizations need to have conversations with those external parties that they would have with themselves about defending against attacks. “What kind of security program do you have?” she asks. “What kind of assurances do you provide for your own infrastructure and your own organization and what should you expect from your vendors and your suppliers?”
The idea is to hold the supply chain to the same level of accountability that companies hold themselves, Simberkoff says. “That’s not so easy to do, because when it’s your responsibility, you have visibility into it. So, I think it’s really important to have a strong vendor risk assessment program.” This should be part of the procurement process, she says, but also part of ongoing reviews of vendors, especially as regulators and policymakers crank up accountability for data privacy.
“One of the sort of newer things that GDPR introduced was this responsibility of data processors to their controllers,” Simberkoff says. Basically, if an organization uses a vendor to process information, then the organization that contracted them faces responsibility for their bad acts. “You have an obligation to look after them and I think it’s a very wise concept,” she says. “It’s something you know to really look out for. It kind of raises the bar for everybody.”
In the past, bad actors thrived in the shadows where their actions might go unrevealed by targets who did not want to admit their data was compromised. Having clear channels to address such incidents may be essential to mitigating the damage such hackers might inflict. “I think having good, transparent communication and an incident response plan where if something bad does happen, you’re able to communicate quickly with not only regulators but employees or customers or individuals that may be impacted is really important,” Simberkoff says.