By Aarti Shahani for NPR News, aired on KQED station
When you hear the word outsourcing, you might think of threats to American jobs. To cyber experts, there’s another threat: to our data.
This week, thousands of the industry’s leading minds from around the world are discussing the Internet and security at their annual powwow in San Francisco at RSA Conference. These topics matter more and more to us non-experts, especially as people become the victims of cybercrime.
“You provide information to a company and all of a sudden it gets compromised because of a weak link to a third-party contractor,” he says. “It’s your problem. It’s not the company’s problems.”
In the recent payment card breach at Target, hackers reportedly used stolen credentials that was working for the giant retailer.
We need to pay more attention to this trend, says Chris Coleman, a security analyst with Lookingglass Cyber Solutions. Coleman audited about 20 subcontractors that big banks hire. He found something startling.
“A hundred percent of third parties showed signs of compromise or indicators of threats,” Coleman says. Was that a surprising percentage?
“No,” Coleman says. “Our global cyber landscape is a scary place.”
While weak links are everywhere, Coleman saw one that stood out with the foreign servicers. Many of them used computers infected with an old . It’s curable and not harmful in itself, but it’s also a signal for criminals looking for weak entry points.
“It was more predominantly coming out of networks that were in the foreign markets,” he says. “The U.K. for sure, India and Southeast Asia.”
However, when John Stewart, chief security officer at Cisco, travels to China, people there want to know how he’s protecting their information from high-risk Americans.
“It really depends on where you’re sitting, what you think the risk is,” he says.
There’s a lot of data security distrust, especially after the recent revelations about domestic spying by the National Security Agency. But Stewart notes that the U.S. is better at building trust in one key respect: It have laws that require companies to tell police about breaches.
He remembers participating in a panel in another country where someone said that all the data theft is coming from the U.S. Stewart pushed back.
“How do you know we’re creating the problems?” Stewart said he asked the man. “We’re the only ones transparently telling you that we created the problems.”
Stewart says if everyone shared details on data breaches the way they shared the data itself, cyberspace would be a lot less scary.
Many of the people at this conference are talking about the underlying causes of that crime and one word keeps coming up: outsourcing.
“You get what you pay for,” says Andy Ellis, chief security officer with Akamai Technologies. “If you move it to somewhere that’s a lower cost, there’s a reason it’s lower cost … . Sometimes it’s because you aren’t getting as skilled personnel.”
Outsourcing isn’t just for big manufacturers. Online companies are using outside vendors, too — for their websites, mobile apps and accounting. The downside isn’t just a poorly made T-shirt — it’s data theft with untold consequences.
While many of the cybersecurity business people at the conference disagree on the merits of outsourcing, they agree it’s a big security problem. The decision to cut costs can backfire on the consumer, says Dwayne Melancon, chief technology officer at Tripwire, an IT security firm.
The following is a media update from Target after the Data Breach in Dec. 2013.
Target Data Security Media Update #4
December 27, 2013
Our investigation into the data breach incident is continuing and ongoing. While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed.
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.
Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.