[prev in list] [next in list] [prev in thread] [next in thread]
List: isn
Subject: [ISN] Strengthening Third-Party Contracts To Lower Breach Risks
From: InfoSec News <alerts () infosecnews ! org>
Date: 2012-02-23 9:52:28
Message-ID: alpine.DEB.2.02.1202230352170.31015 () infosecnews ! org
[Download RAW message or body]
http://www.darkreading.com/database-security/167901020/security/news/232601293/strengthening-third-party-contracts-to-lower-breach-risks.html
By Ericka Chickowski
Contributing Writer
Dark Reading
Feb 22, 2012
Details emerged this week that showed that recent Anonymous hacks of
Federal Trade Commission (FTC) websites could potentially have been
prevented had the FTC not dispensed with security provisions in a
contract with the third-party vendors who hosted the sites. As
organizations continue to divide labor in IT—particularly in development
of public-facing websites—the incident could prove a good lesson in the
importance of shoring up contract language and SLAs to ensure third
parties are not adding undue risks of data breaches in the future.
In the case of the FTC, the federal agency suffered two embarrassing
breaches within the last two months. In January, Anonymous attacked the
FTC's OnGuardOnline.gov site and this month it again hacked the FTC's
Bureau of Consumer Protection site. The websites in question were open
to attack due to a failure to patch the server operating systems and
applications associated with the site, a weakness that Anonymous took
advantage of to publicize its distaste for the Anti-Counterfeiting Trade
Agreement (ACTA) backed by the federal government.
"Even more bothersome than your complete lack of competence in
maintaining your own f***ing websites and serving the citizens you are
supposed to be protecting, is the US federal government's support of
ACTA," Anonymous wrote about its most recent attack.
The sites in question were developed by public relations firm
Fleishman-Hilliard, which hosted the sites on resources provided by
hosting and cloud services provider Media Temple. The two firms are
currently duking it out in a very public finger-pointing spat reported
by Ars Technica, which also brought to light the fact that the $1.5
million contract to develop the sites initially included security
provisions during the acquisition process but then dropped those
requirements.
[...]
______________________________________________________________________________
Learn how to be a Pen Tester or a CISSP with Expanding Security online. Get
a free class invitation and see how good and fun the program really is.
http://www.expandingsecurity.com/PainPill
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic