
Threat Intelligence | Commentary | 5/24/2016 01:30 PM
Joe Schorr
Poor Airport Security Practices Just Don’t Fly

Five lessons learned the hard way by the Tampa International Airport about bringing third parties into a security environment.

I love living in the Tampa area for a lot of reasons, among them getting to regularly use one of the best airports in the US – Tampa International Airport (TIA). Unfortunately for the folks who run TIA, they had a spot of trouble that was reported earlier this month by the Tampa Tribune and others. Like a lot of places these days, TIA experienced an IT security breach. Unlike a lot of places—because it's an international airport—TIA has to do a lot of explaining. 

Here is what we know from what has been reported -- and it reads like an information security “Don’t Do List.” TIA hired an individual (and apparently his wife) to work on an Oracle project. That person shared their VPN logins and privileged account credentials with almost a dozen other people, as well as with others working for a staffing firm, “who logged into the system dozens of times from places like Mumbai and Pradesh, India, United Arab Emirates and Kashmir, India.”

This episode brings into clear view the unfortunate collision of insecure VPNs, open vendor access, and lack of best practices in password management. That collision has led to multiple people losing their jobs, including the IT Director, an IT manager, and others. It's also led to TIA being forced to cripple their business processes by taking the drastic, but at this point probably necessary, step of only allowing the airport's computer network to be accessed from equipment issued by the aviation authority, not from personal electronic devices.

So as a result of the breach, because TIA didn’t set up third-party access correctly to start with, they now have to go back to how we did things 20 years ago.

There is a better way. Here are five lessons that any company bringing third parties into their security environment should take into account.

1. Never trust your vendors when it comes to YOUR information security. Properly vet the third parties, contractors, and consultants who are working for you. “Body shops” in IT services are not known for their cutting-edge information security. They may have consultants for hire, but that doesn’t equate to their having a mature security posture of their own. Be sure to understand how they screen the temps they’re giving you, and find out whether security awareness training is part of how they handle their stable of workers.

2. When you must allow third-party access into your environment, you don’t have to fall back on a legacy solution such as a VPN and hope that everyone behaves. A brokered connection that lets you control the Who, What, Where, When, and How of each session gives you real control. As the Offspring song goes, “You gotta keep ‘em separated!” And you can, and still have third parties working on your projects, without handing them an IP-enabled grappling hook into your internal network.

3. Don’t give blanket access. Your vendors should be part of a mature workflow process that tracks everything from their need for access to granting it to revoking it. This gives you attribution and accountability.

4. Monitor the access you are granting them. Have the ability to “peek over their shoulder” whenever you want, and record all the activity. A pretty disturbing note in the TIA hack is that even after security auditors investigated the breach, they were “unable to determine specifically what data may have been transferred.” Recording what vendors do while connected to your networks and systems means you know exactly what they did or did not do. This is good practice for everything from project tracking and billing to completing an annual security audit to responding to a breach such as the one that occurred at TIA.

5. Secure passwords. Another element that stands out here is that there seems to have been a complete lack of control over password policy at TIA. This can be remedied quickly with a password/credential vaulting solution, which takes the sharing of privileged passwords out of individual hands. In this way you mitigate the risk of weak, shared, and duplicate passwords, as well as the dangers posed by embedded system accounts and shared accounts.
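Lessons 3 and 4 above are about having a record of who may connect and watching what actually happens. The following is an added example, not code from the article or anything TIA or the author published: it runs over constructed VPN authentication log lines and flags the two symptoms the breach showed, one account with overlapping sessions from different source addresses (a shared login), and logins that fall outside the access grant on file (wrong country, outside approved hours, or after the grant expired). The log format, the `GRANTS` table, the account names and the fact that a country code is already present on each line (real VPN logs would need GeoIP enrichment first) are all assumptions for the example.

```python
"""
Added example, not code from the article or from TIA: scan constructed VPN
authentication logs for signs of shared third-party credentials and for
logins that violate the access grant on file.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timezone

# Constructed log format (assumed; not any real VPN vendor's):
#   <ISO-8601 UTC timestamp> <login|logout> user=<name> src=<ip> country=<CC> session=<id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|logout) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) session=(?P<session>\S+)$"
)

# Constructed sample: a contractor account used from India and the UAE while a
# session from another address is still open, plus a well-behaved staff user.
SAMPLE_LOG = """\
2016-04-11T08:02:11Z login user=oracle_contractor src=203.0.113.10 country=IN session=a1
2016-04-11T08:15:40Z login user=oracle_contractor src=198.51.100.22 country=AE session=a2
2016-04-11T08:40:05Z logout user=oracle_contractor src=203.0.113.10 country=IN session=a1
2016-04-11T09:03:59Z login user=oracle_contractor src=192.0.2.77 country=IN session=a3
2016-04-11T23:30:00Z login user=oracle_contractor src=198.51.100.22 country=AE session=a4
2016-04-11T13:00:00Z login user=jsmith src=10.20.30.40 country=US session=b1
2016-04-11T17:30:00Z logout user=jsmith src=10.20.30.40 country=US session=b1
"""

# Assumed access grants (lesson 3): approved countries, approved hours (UTC,
# half-open range) and an expiry date after which access should be revoked.
GRANTS = {
    "oracle_contractor": {"countries": {"US"}, "hours_utc": (8, 18), "expires": date(2016, 6, 30)},
    "jsmith": {"countries": {"US"}, "hours_utc": (0, 24), "expires": date(2099, 1, 1)},
}


def parse_log(text):
    """Parse log lines into dicts with an aware UTC timestamp; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def sessions_by_user(events):
    """Pair logins with logouts by session id; a session never closed stays open."""
    sessions = {}
    for e in events:
        if e["event"] == "login":
            sessions[e["session"]] = {"user": e["user"], "src": e["src"],
                                      "start": e["ts"], "end": None}
        elif e["session"] in sessions:
            sessions[e["session"]]["end"] = e["ts"]
    by_user = defaultdict(list)
    for s in sessions.values():
        if s["end"] is None:
            s["end"] = datetime.max.replace(tzinfo=timezone.utc)
        by_user[s["user"]].append(s)
    return by_user


def concurrent_from_different_sources(by_user):
    """One account with overlapping sessions from different IPs: a shared login."""
    findings = []
    for user, sess in by_user.items():
        sess = sorted(sess, key=lambda s: s["start"])
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if b["start"] < a["end"] and a["src"] != b["src"]:
                    findings.append((user, a["src"], b["src"], b["start"].isoformat()))
    return findings


def out_of_policy(events, grants):
    """Logins with no grant, from an unapproved country, outside hours, or after expiry."""
    findings = []
    for e in events:
        if e["event"] != "login":
            continue
        g = grants.get(e["user"])
        reasons = []
        if g is None:
            reasons.append("no grant on file")
        else:
            if e["country"] not in g["countries"]:
                reasons.append(f"country {e['country']} not approved")
            lo, hi = g["hours_utc"]
            if not lo <= e["ts"].hour < hi:
                reasons.append("outside approved hours")
            if e["ts"].date() > g["expires"]:
                reasons.append("grant expired")
        if reasons:
            findings.append((e["user"], e["session"], reasons))
    return findings


def countries_seen(events):
    """Distinct login countries per account; more than one deserves a question."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "login":
            seen[e["user"]].add(e["country"])
    return {u: sorted(c) for u, c in seen.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in concurrent_from_different_sources(sessions_by_user(evts)):
        print("shared-login suspicion:", f)
    for f in out_of_policy(evts, GRANTS):
        print("out of policy:", f)
    print("countries per account:", countries_seen(evts))
```

Run against the sample, the contractor account produces three overlapping-session findings and four out-of-policy logins (the late-night one fails both the country and the hours checks), while the staff account produces none. The point for a real deployment is that none of this works unless the access grant exists as data somewhere (lesson 3) and the session logs are kept and reviewed (lesson 4); without both, an auditor ends up where TIA's did.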

As with most breaches, this is a very good learning opportunity for others, and in the long run for Tampa Airport as well. 


Joe Schorr has more than 25 years of professional services and industry experience in information and cybersecurity and currently leads the executive services directors at Optiv. Joe is also a director on the Leading Disruptive Innovation Advisory Board at Stetson University ... View Full Bio
Comments
lorraine89 (User Rank: Ninja), 9/9/2016 10:12:02 AM
Online security while travelling
It was a really nice and informative article on the causes and consequences of identity theft at public hotspots and open Wi-Fi places, most likely to be airports, restaurants, train stations and so on. The issue is ordinary internet users are not tech savvy and therefore most of the time do not pay much consideration towards this issue. I myself have been the victim of credit card theft while I was booking a hotel on vacation to Thailand. Since then, I have made it a practice to use a VPN server to avert these kinds of activities and also spamming, and to unlock regionally restricted content. The VPN provider, Purevpn, is fine if not great, but that's what matched my pocket, and the big plus for me is the 5 multi-login feature. Anyway, keep us posted about these recent developments within the online security industry. I always confer to Dark Reading to gain the latest info on the latest tech updates.