Many people love living in the Tampa area for a lot of reasons, among them, of course, regular access to one of the most popular airports in the USA - Tampa International Airport (TIA).
Unfortunately for the people who run TIA, they experienced an IT security breach, as reported in May. Unlike breaches at a lot of other organizations, this one had a far higher profile because TIA is an international airport, with the security status that comes with it.
Here is what we know from what was reported, and it reads like an information security “Don’t Do List”: TIA hired an individual (and apparently his wife) to work on an Oracle project, and that person shared their VPN logins and (privileged) accounts and passwords with almost a dozen other people, plus some others working for a staffing firm, “who logged into the system dozens of times from places like Mumbai and Pradesh, India, United Arab Emirates and Kashmir, India.”
This episode brings into clear view the unfortunate collision of insecure VPNs, open vendor access, and a lack of best practices in password management. That collision has led to multiple people losing their jobs, including the IT Director, an IT manager, and others. It has also forced TIA to cripple its business processes by taking the drastic, but at this point probably necessary, step of only allowing the airport's computer network to be accessed from equipment issued by the aviation authority, not from personal electronic devices.
So as a result of the breach, because TIA didn’t set up access correctly from the start, they now have to go back to how we did things 20 years ago. But there was a better way to avoid this situation. Here are five lessons that any company bringing third parties into their security environment should take into account:
- Never trust your vendors when it comes to YOUR information security - Properly vet the third parties, contractors, and consultants who are working for you. “Body shops” in IT services are not known for their cutting-edge information security. They may have some consultants for hire, but that doesn’t equate to them having a mature security posture of their own. Be sure to understand how they screen the temps they’re giving you, and see if they include security awareness training as part of how they handle their stable of workers.
- When you must allow third-party access into your environment, you don’t have to use a legacy solution such as a VPN with the hope that everyone behaves when they use it - A solution using a brokered connection that allows you to control the who, what, where, when, and how of their connection to you gives you real control. You can still have third parties working on your projects without giving them an IP-enabled grappling hook into your internal network.
- Don’t give blanket access - Your vendors should be part of a mature workflow process that tracks everything from their need for access to granting it to revoking it. This gives you attribution and accountability.
- Monitor the access you are granting them - Have the ability to “peek over their shoulder” whenever you want. Record all the activity. A pretty disturbing note in the TIA hack is the fact that even after security auditors investigated the breach, they were “unable to determine specifically what data may have been transferred.” Recording what is going on when your vendors are accessing your networks and systems makes sure you always know exactly what they did or didn’t do. This is good practice for everything from project tracking and billing to completing an annual security audit to having to respond to a breach such as the one that occurred at TIA.
- Secure passwords - Another element that stands out here is that there seems to have been a complete lack of control over password policy at TIA. This can be remedied quickly and completely by using a password/credential vaulting solution. In this way, you mitigate the risk of weak, shared, and duplicate passwords as well as the dangers posed by embedded system accounts or shared accounts.
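
To illustrate the monitoring lesson against the pattern reported here (one vendor login used from several countries), the following is an added example, not code from TIA or from the original post. The log format, account names, and six-hour window are assumptions, and the country field is assumed to have been added by GeoIP enrichment before this check runs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN gateway log lines (not from the TIA incident):
# ISO timestamp, account, source IP (documentation ranges), GeoIP country.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z vendor_dba 192.0.2.10 US
2024-03-04T09:40:03Z vendor_dba 198.51.100.7 IN
2024-03-04T10:15:47Z vendor_dba 203.0.113.44 AE
2024-03-04T08:30:00Z staff_jlee 192.0.2.55 US
2024-03-04T17:05:00Z staff_jlee 192.0.2.56 US
2024-03-05T08:00:00Z vendor_app 192.0.2.90 US
2024-03-06T08:00:00Z vendor_app 198.51.100.9 IN
"""

def parse(log_text):
    """Yield (time, account, ip, country) from well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, ip, country = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, account, ip, country

def shared_credential_alerts(log_text, window=timedelta(hours=6)):
    """Return {account: sorted countries} for accounts that logged in from
    two or more countries inside any single sliding window."""
    by_account = defaultdict(list)
    for event in sorted(parse(log_text)):
        by_account[event[1]].append(event)
    alerts = {}
    for account, events in by_account.items():
        start = 0
        for end, (when, _, _, _) in enumerate(events):
            # Drop events that have aged out of the window ending at `when`.
            while when - events[start][0] > window:
                start += 1
            countries = {e[3] for e in events[start:end + 1]}
            if len(countries) >= 2:
                alerts.setdefault(account, set()).update(countries)
    return {a: sorted(c) for a, c in alerts.items()}

if __name__ == "__main__":
    for account, countries in shared_credential_alerts(SAMPLE_LOG).items():
        print(f"ALERT {account}: logins from {', '.join(countries)} within 6h")
```

On the constructed sample, only `vendor_dba` is flagged; `vendor_app` changes country a day apart and stays below the six-hour window, so the window is the tuning knob between travel and credential sharing.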
As with most breaches, this is another good learning opportunity for other organizations, and in the long run, it was a learning experience for Tampa Airport as well.