Acer has suffered a data breach on its e-commerce site as a result of unauthorized access by a third party. Acer is not saying how many users were affected by the intrusion, but has revealed that data such as names, addresses, payment card numbers, card expiration dates and three-digit security codes (CVV numbers) may have been compromised. IT security experts from AlienVault, ESET and Cryptzone commented below.

Javvad Malik, Security Advocate at AlienVault:

“Breaches as a result of third parties are not something new. The nature of business today is that organisations rely on many partners and suppliers to provide services to their customers. However, this supply chain needs to be managed and secured appropriately.

Attackers will choose the path of least resistance to get into a company – and if it is well-secured, then this path will usually be through a third party that has legitimate access.

Having an appropriate supplier security assurance framework in place that sets the requirements for a third party and also the ongoing controls is essential. For this, though, no one size will fit all. The level of rigor needed will change depending on whether a third party has direct access to data on-premise, how the data is shared between organisations, what data the third party processes, etc.

There are other legal considerations – for example, is the company allowed to conduct security testing against a partner’s IT infrastructure? Can it monitor third-party communications?

One of the fundamental security controls to have in place where a third party is connecting to corporate systems is to have solid monitoring controls in place that can notify when a connection is made, the duration, and the activity that was carried out. Added benefits would be some form of behavioral monitoring that can assess whether a third party has suddenly changed their activity, for example, by communicating over uncommon ports, transferring large amounts of data, or traversing the internal network.

Until companies can get proper visibility and understanding into what actions are being undertaken on their systems and by whom, these types of breaches from external and internal parties will continue.”

Mark James, Security Specialist at ESET:

“With so many data breaches happening these days, some recent and some from a while ago, it really is getting to the point where if you’re lucky enough to NOT have at least some of your data bouncing around the internet then you’re in the minority.

We entrust all levels of data, both personal and public, to organisations but have NO control over how they protect it. When it does get compromised we have to rely on those companies to inform us, hopefully quickly and giving us all the relevant information, but there’s always a compromise from their point of view. It’s also important to ensure they have all the facts, and sometimes this may take time: finding out how it happened, how to stop it happening again and then informing the affected parties is not going to happen in a few days. Then it’s our job to try and mitigate any damage: change passwords, cancel payment options or even cancel cards if enough data is at risk. You also need to consider any other logins that may be sharing passwords, although I am sure nobody reuses passwords…

Using a password manager is a great way to generate complex and unique passwords you personally don’t have to remember and also, where possible, try and utilise two-factor authentication.

You need to ensure you keep an eye on your finances, and be on the lookout for small, insignificant payments or amounts you’re not sure about. Don’t be concerned about flagging payments that you don’t remember; it’s better to be over-cautious than under-cautious. After all, it’s your hard-earned money that’s at stake here.”

Leo Taddeo, CSO and Former Special Agent at NYC’s FBI Cybercrime Division:

“Acer claims the breach was the result of a problem with one of its third party payment processing systems. No matter how the breach occurred, Acer is ultimately responsible for maintaining the security and confidentiality of its customer information. The risks posed by third parties are clear: all of the IT vulnerabilities of your third party partners become your vulnerabilities when they connect to your network. The best defenses against these risks are proper segmentation, strong authentication, robust logging and monitoring, and limiting access to only the network segments that are required by the third party.”
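Both Malik’s point about monitoring third-party connections (notifying on connection, duration and activity, and flagging uncommon ports, large transfers and internal traversal) and Taddeo’s point about confining a third party to the network segments it needs come down to comparing each vendor session against an approved baseline. The script below is an added illustration of that check, not code from Acer, AlienVault, ESET or Cryptzone; the connection-log format, the `vendor-payments` account, the IP ranges and the baseline thresholds are all constructed for the example.

```python
"""Baseline-driven review of third-party (vendor) connection logs.

Added illustration for the commentary above; not Acer's or any vendor's
code. It assumes a simplified log format (constructed here) with one
record per session: timestamp, account, source IP, destination IP,
destination port, bytes transferred and duration in seconds.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: six sessions for the hypothetical vendor account
# "vendor-payments". In practice these come from a firewall, VPN
# concentrator or proxy.
SAMPLE_LOG = """\
2016-06-20T09:01:12Z vendor-payments 203.0.113.10 10.20.5.15 443 184320 310
2016-06-20T09:45:03Z vendor-payments 203.0.113.10 10.20.5.15 443 201000 280
2016-06-20T10:12:40Z vendor-payments 203.0.113.10 10.20.5.16 443 172000 295
2016-06-20T23:14:09Z vendor-payments 203.0.113.10 10.20.5.15 443 52428800 1800
2016-06-20T23:16:55Z vendor-payments 203.0.113.10 10.50.1.7 445 4096 12
2016-06-20T23:17:30Z vendor-payments 203.0.113.10 10.20.5.15 4444 2048 5
"""


@dataclass
class Session:
    ts: str
    account: str
    src: str
    dst: str
    port: int
    nbytes: int
    seconds: int


# Per-account baseline: what the supplier assurance process approved.
# All values are assumptions for the illustration.
BASELINE = {
    "vendor-payments": {
        "segments": [ipaddress.ip_network("10.20.5.0/24")],  # payment-app tier only
        "ports": {443},
        "max_bytes": 5 * 1024 * 1024,  # 5 MiB per session
        "max_seconds": 900,
    },
}


def parse_log(text):
    """Parse the whitespace-separated constructed log format into Session objects."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, port, nbytes, secs = line.split()
        sessions.append(Session(ts, account, src, dst, int(port), int(nbytes), int(secs)))
    return sessions


def check_session(s, baseline):
    """Return the names of the baseline rules a single session violates, in a fixed order."""
    hits = []
    dst = ipaddress.ip_address(s.dst)
    if not any(dst in seg for seg in baseline["segments"]):
        hits.append("outside-approved-segment")  # reaching beyond the permitted tier
    if s.port not in baseline["ports"]:
        hits.append("uncommon-port")
    if s.nbytes > baseline["max_bytes"]:
        hits.append("large-transfer")
    if s.seconds > baseline["max_seconds"]:
        hits.append("long-session")
    return hits


def review_log(text, baselines=BASELINE):
    """Map each offending session's timestamp to its violations.

    An account with no approved baseline is itself a finding: a third
    party nobody onboarded should not be connecting at all.
    """
    findings = {}
    for s in parse_log(text):
        baseline = baselines.get(s.account)
        if baseline is None:
            findings[s.ts] = ["unknown-third-party-account"]
            continue
        hits = check_session(s, baseline)
        if hits:
            findings[s.ts] = hits
    return findings


if __name__ == "__main__":
    for ts, hits in review_log(SAMPLE_LOG).items():
        print(ts, ", ".join(hits))
```

Run against the constructed log, the three daytime sessions pass and the three late-night ones are reported: one for a large, long transfer, one for reaching a host outside the approved segment on an unapproved port, and one for an unusual port on an approved host. The ordering of rules in `check_session` is deliberate, so that a segment violation (the least-privilege failure Taddeo describes) is always listed first.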

Information Security Buzz