AMEX Breach Latest in Third-Party Credential Theft
American Express is the latest company to suffer a breach as a result of a third-party service provider. Joining a long list of other high-profile breaches (Target, Home Depot, Goodwill, Dairy Queen, Jimmy John’s and Lowe’s), American Express filed a letter with California’s attorney general warning customers of a breach.
SC Magazine reported that “After an unauthorized person or group accessed the system of a third-party service provider” American Express warned customers that card member information may have been compromised. The credit card company suggested cardholders should take multiple steps to protect their sensitive data.
Account numbers, names, expiration dates and other information could have been exposed, according to Stefanie Ash, chief privacy officer (CPO), U.S. American Express Company. AMEX said it was “vigilantly monitoring” accounts for fraudulent activity and asked customers to do the same. The notice said that customers could receive more than one letter about the incident if more than one account was affected.
Everyone is at Risk of Third-Party Theft
“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” Ash wrote in the letter to California’s attorney general.
And while that might mitigate some legal risk for AMEX (although we’ll see over the days, months and years to come), the damage is done. Third-party theft is a real problem for organizations because once someone is in, you are at risk.
NSA’s head of Tailored Access Operations, Rob Joyce, said on the topic of third-party access, “If you’ve got trouble with an appliance on your network, for example, and the vendor tells you to briefly open the network for them over the weekend so they can pop in remotely and fix it, don’t do it.” He warns that once an attacker is in, they will poke and poke your network waiting for an opening to the network to appear. And once in, the damage is done whether you know it today or in a few years.
Preventing Third-Party Data Theft
Traditional methods of securing networks are simply inadequate for privileged users. VPNs, firewalls, and jump hosts fall short: they don’t provide fine-grained access control and do not consider the user’s role and attribute-based context.
What’s needed is a software-defined perimeter approach to prevent third-party breaches. A Software-Defined Perimeter (SDP) establishes one perimeter for each user, effectively creating an individualized perimeter – a network ‘segment of one’. This segment of one delivers fine-grained authorization, contextual awareness and fewer hard-coded rules for IT and security teams to manage. It essentially renders other network resources invisible, as the user can only see and access those resources for which they have been authorized.
Organizations ought to consider dynamic context-based access control solutions to provide this ‘segment of one’ access to only those cloud (or on-premises) resources that each individual user/device needs to do their job, while making all other resources invisible. It’s all about using strong user authentication combined with reducing the attack surface for would-be cybercriminals.
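To make the ‘segment of one’ idea concrete, here is an added example (not code from this article or from any SDP product) of a default-deny policy evaluator that computes the resources a single session may see from its role and device context. The resource names, roles, attribute keys and the `Session`, `segment_of_one` and `authorize` names are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample policy. Each entitlement names one resource plus the role,
# context attributes and hours required to reach it. Anything not granted here
# is denied and never listed to the user (default deny).
ENTITLEMENTS = [
    {"resource": "hvac-controller:443", "role": "vendor-hvac",
     "require": {"mfa": True, "device_managed": True}, "hours": range(8, 18)},
    {"resource": "billing-db:5432", "role": "dba",
     "require": {"mfa": True, "device_managed": True, "on_premises": True},
     "hours": range(0, 24)},
    {"resource": "wiki:443", "role": "employee",
     "require": {"mfa": True}, "hours": range(0, 24)},
]

@dataclass
class Session:
    user: str
    roles: frozenset
    context: dict  # attributes asserted at authentication time
    hour: int      # local hour of the request, 0-23

def segment_of_one(session):
    """Return the only resources this session may see and reach."""
    visible = set()
    for ent in ENTITLEMENTS:
        if ent["role"] not in session.roles:
            continue
        if session.hour not in ent["hours"]:
            continue
        # Every required attribute must be present and match exactly;
        # a missing attribute fails closed.
        if all(session.context.get(k) == v for k, v in ent["require"].items()):
            visible.add(ent["resource"])
    return visible

def authorize(session, resource):
    """Per-connection check, re-evaluated on each request so that a change
    in context (device, time, MFA state) removes access immediately."""
    return resource in segment_of_one(session)

if __name__ == "__main__":
    vendor = Session("hvac-tech", frozenset({"vendor-hvac"}),
                     {"mfa": True, "device_managed": True}, hour=10)
    print(sorted(segment_of_one(vendor)))
    print(authorize(vendor, "billing-db:5432"))
```

A third-party technician in this model reaches the one appliance they service during approved hours from a managed device, and the billing database does not appear in their view at all.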
Falco President Bill Blake echoes these sentiments in SC Magazine, saying, “This is exactly why a ‘persistent security’ approach needs to be employed, one where a file can only be accessed a limited number of times on specific PCs, and if someone tries to steal the file, it can’t be opened.”