Feb 07, 2012

How much do you trust the security of third-party vendors' remote access/VPN?

I read the results of a study by Trustwave that said 75% of data breaches were the result of security deficiencies introduced by thrid-party vendors responsible for system support, development or maintenance. Also disturbing was the fact that only 16% of companies manages to detect breaches on their own. What do you do to make sure third-party vendors aren't creating security holes that are putting your company at risk?


It's certainly true all VPNs have the ability to track users and log their data. Many do so because they don't consider themselves privacy services and logging helps identify repeat DMCA infringers and quickly troubleshoot network issues. Others do so seemingly because of a poor grasp of their country's laws.


Of course, anyone concerned about privacy should not sign-up to a service that's retaining data. Most privacy-orientated VPNs approach this issue by using a non-persistent log (stored in memory) on gateway servers that only stores a few minutes of activity (FIFO). That time window gives the ability to troubleshoot any connection problems that may appear, but after a few minutes no trace of activity is stored.

Not much, is the short answer to the question. Let me give you one reason why: stupid passwords for system logins. Ask anyone who has worked for a third party vendor if they ever used "admin" or "administrator" for passwords and logins. Bet a lot of them will admit that they have. And if that isn't bad enough, it isn't uncommon to use the same passwords for all their customers. That's right, so if a hacker gets one, they get them all. If you absolutely must allow remote access, I would at least insist on multi-factor authentication and that passwords of my choice be used.
Perhaps the best idea might be to avoid using them, if at all possible. If you must use them then ask in advance what their security policies are and read them carefully before using their services.

A little research, carefully done, might save you a lot of security headaches later on. It's also good for companies to be held accountable in advance for their security policies. It lets them know that customers are interested and that they expect a certain high level of trustworthiness.
Answer this