Your organization’s risk surface may be larger than you think. Here is why.
Depending on the industry or vertical niche, most businesses today rely on several (if not many) third-party service providers and other vendors to support core business functions. Supply chains are interconnected so just-in-time inventory management hums along seamlessly. The multi-function printers contact the vendor that services them to schedule maintenance or repair automatically. These are just two common examples of third-party entities having access to a company’s data and its internal systems. Remember, this interconnectedness without adequate vigilance was how Target made all the bad headlines – their HVAC contractor had access to the same network that the core business ran on (and the credit cards within it).
Have you given thought to your building access system?
ID card-based building access systems are seemingly de rigueurthese days. You can’t go into an office building of any size and not see these modern marvels of technology in place. They are often connected to lights, video camera systems, elevators, HVAC, and of course doors to various areas within the building. Sometimes these are controlled by the property management firm and you as a tenant pay a service to use the system. In other instances, individual companies implement their own and connect the system to the same network the core business systems run on.
Well, if you or the property management firm have NOT done your diligence and are using a system from the vendor PremiSys developed by IDentical Details, among other vulnerabilities, the “god” level password is hardcoded (not changeable). These vulnerabilities can be used to shut down building access systems. If the command and control servers running this software are online, an attacker can use this now widely known username and password to access a building’s ID card management system to introduce rogue cards or disable access control features altogether to aid in theft and unauthorized access to the most sensitive areas in a business or complex.
The IDenticard Details was discreetly (but repeatedly) notified by two different white hat (good guys of cybersecurity) sources months ago and ignored the notices, refusing to fix the vulnerabilities. Now that they are outed, they will probably make adjustments for their tens of thousands of customers – if they are not sued or fined into the Stone Age for negligence!
The point is to remember you can outsource many things, but ultimate responsibility for security is not one of them. Regularly assessing your third-party vendors should be a key part of your robust cybersecurity program, lest you literally give the attackers the keys to your door!