
11/12/2018

Why the Pentagon Data Breach is a Wake-up Call for Better Screening of Third-party Vendors

On October 14, 2018, news of a major data breach at the Pentagon hit the headlines.

This was a startling, even disturbing, reminder that even the most important, most secure institutions in the world are vulnerable when hackers identify a way into their systems. As the Department of Defense’s headquarters, the Pentagon plays a critical role in the United States military and national security: it oversees all aspects of the Air Force, Marines, Army, Coast Guard and Navy, ultimately helping to defend the country.

The very notion that a global symbol of security and power would fall prey to a data breach has surprised many, but it shouldn’t have. At a time when cyber-criminals continue to employ increasingly sophisticated techniques to disrupt businesses and organizations of all kinds, this incident is proof positive that proper screening of third-party vendors is critical for effective cybersecurity.

What Data was Involved in The Pentagon Breach?

It’s believed as many as 30,000 employees’ travel records were compromised as a result of the data breach. This includes personal details and credit-card data pertaining to civilians and military personnel: all sensitive information that could have serious financial repercussions if acted upon.

The breach may have first occurred months before it was discovered, and it’s believed the actual number of people potentially affected could rise as the investigation continues. However, no classified information is said to have been compromised.

How Did the Pentagon Breach Happen?

The Pentagon breach was the result of work conducted by a ‘single commercial vendor’, delivering its service to a ‘very small percentage’ of the DoD’s employees. The vendor in question has remained anonymous and was, in the days after the announcement, still contracted to provide its services.

News of the breach struck shortly after the U.S. Government Accountability Office confirmed that work had been undertaken to secure the Pentagon’s networks, while the security of its weapons systems remained under closer scrutiny. The office reported that keeping weapons systems secure is becoming more and more challenging as cyber-crime tactics grow more sophisticated.

Pentagon personnel have faced similar issues before. A large attack on the federal Office of Personnel Management in 2015 left the personal details of over 21 million individuals (including people at the Pentagon) compromised. As with this latest incident, the 2015 attack supposedly first occurred months before word of it reached the media.

Who was Responsible for The Pentagon Breach?

One or more attackers seized an opportunity to exploit the vendor’s access to the Pentagon’s network, ultimately stealing the travel records. Little else is known.

This incident, though, is a prime example of how ambitious (or, rather, brazen) cyber-criminals are in their choice of targets. While some may focus on distributing ransomware to small businesses in exchange for payment, others are clearly setting their sights a little higher.

The tools and technology available to such individuals empower them to exploit weaknesses in even those systems that should be the most airtight in the world. While the exact circumstances surrounding the vulnerability created by the vendor remain secret, there is no doubt the company responsible is determined to avoid such an oversight happening again.

It’s also highly likely that the vendor has a strong reputation and valuable experience, given that it secured the contract with the Department of Defense in the first place.

This entire incident demonstrates why it’s so vital for businesses and organizations of all sizes, in all sectors, to perform thorough screening of any vendors they intend to work with.

Screening Vendors, Protecting Your Business

No business or organization should ever start working with a vendor without checking their credentials and their background.

Simply settling on the first firm on your radar may not deliver the results you expect — and any mistakes or general incompetence on their part could have major repercussions. You might not have data pertaining to thousands or even millions of civilians in your records, but you could still be risking your customers’ and employees’ privacy by choosing a sub-par team.

If a data breach were to rock your company or organization, the damage could be extensive. First and foremost, those customers whose details have been compromised would be incredibly unlikely to keep working with you in the future.

Fast, effective action can help to minimize the fallout and keep their finances safe from unauthorized access, but their perception of your brand would still be soured.

Your reputation would be affected too, making it more difficult to build trust with new customers or affiliates. That’s not to mention the sheer disruption a breach could cause to your everyday operations, leaving you unable to deliver the services your customers expect for hours, days or longer.

This equates to a potential loss of business and, sadly, income.

Undertaking effective, in-depth screening of your vendors is the smart choice.

Look into any reviews you can find online to learn more about the quality of service previous clients have received. Did they perform as required? Did they follow sound processes and achieve the goals they set out to, while respecting the client’s security needs?

You may consider approaching some of these clients to get a deeper insight into their experience.

Make sure to speak with prospective vendors at length, to get a better idea of how they work, what security measures they take to safeguard systems against breaches, and more. You can only ask so many questions and request so many examples of their prior work before making your decision, but doing your research will help ensure the safest choice for your business or organization.

At The Driz Group, we’re committed to helping our clients stay protected and compliant, minimizing the risk of cyber-attacks using the latest, automated third-party screening technologies. Want to learn more about what we can do for you? Just get in touch!

Author: Steve E. Driz, I.S.P., ITCP
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit