The news earlier this month that Syrian hacktivists from Syrian Electronic Army (SEA) hacked and defaced the official website of United States Army shows how important it is to ensure that your third party vendors apply adequate and robust security. In this case, the SEA defaced a page, inserting a message on the hacked US Army website, blaming the country for training and sending terrorists to fight the Syrian President Bashar Al Assad.
TK Keanini, CTO, Lancope commented; “The take away for everyone should be that, as one outsources and does business with partners, security practices must be considered. Outsourcing websites – whole or in part – still means it is your website and, when breaches occur, it is still your breach. Evaluate and monitor the security of your partners as if it were your own.”
Gavin Reid, VP threat intelligence, Lancope added to this stating;
“TK is spot on with SEA. The hack of third parties to compromise the parent organisation is a well known tactic of SEA. They used this same technique to hack a DNS registrar and in-turn compromise Twitter, The New York Times and The Huffington Post. Similarly, the SEA previously compromised “OutBrain” – a third party content recommendation system that allowed SEA to inject their message into the Washington Post, Times and CNN. Looking at CNN there are over 300 separate web connections that occur when a user connects many to third party services. The content providers need to understand and ensure the integrity and security of all those connection.