How much do you trust the security of third-party vendors' remote access/VPN?


I read the results of a study by Trustwave that said 75% of data breaches were the result of security deficiencies introduced by thrid-party vendors responsible for system support, development or maintenance. Also disturbing was the fact that only 16% of companies manages to detect breaches on their own. What do you do to make sure third-party vendors aren't creating security holes that are putting your company at risk?

Topic: Security
Answer this Question


3 total
Vote Up (16)

Perhaps the best idea might be to avoid using them, if at all possible. If you must use them then ask in advance what their security policies are and read them carefully before using their services.

A little research, carefully done, might save you a lot of security headaches later on. It's also good for companies to be held accountable in advance for their security policies. It lets them know that customers are interested and that they expect a certain high level of trustworthiness.

Vote Up (13)

Not much, is the short answer to the question. Let me give you one reason why: stupid passwords for system logins. Ask anyone who has worked for a third party vendor if they ever used "admin" or "administrator" for passwords and logins. Bet a lot of them will admit that they have. And if that isn't bad enough, it isn't uncommon to use the same passwords for all their customers. That's right, so if a hacker gets one, they get them all. If you absolutely must allow remote access, I would at least insist on multi-factor authentication and that passwords of my choice be used.

Dr. Rose
Vote Up (2)

It's certainly true all VPNs have the ability to track users and log their data. Many do so because they don't consider themselves privacy services and logging helps identify repeat DMCA infringers and quickly troubleshoot network issues. Others do so seemingly because of a poor grasp of their country's laws.


Of course, anyone concerned about privacy should not sign-up to a service that's retaining data. Most privacy-orientated VPNs approach this issue by using a non-persistent log (stored in memory) on gateway servers that only stores a few minutes of activity (FIFO). That time window gives the ability to troubleshoot any connection problems that may appear, but after a few minutes no trace of activity is stored.

Ask a question

Join Now or Sign In to ask a question.
Google, Dropbox and the Open Technology Fund are supporting a new organization focused on making open-source security and privacy tools more user-friendly.
Among six major U.S. cities, CSOs are paid the most in San Francisco and New York, but factoring in the cost of living makes Denver and Chicago the best bang-for-the-buck places.
Apple's iOS 8 addresses a serious weakness that could allow attackers to hijack the wireless network authentication of Apple devices and gain access to enterprise networks.
Legislation introduced in the U.S. Senate on Thursday aims to place limits on access by U.S. law enforcement agencies to emails and other communications stored abroad.
Two online advertising networks, Google's DoubleClick and Zedo, have been delivering malicious advertisements that could install malware on a person's computer, according to the security vendor Malwarebytes.
Google is turning on data encryption by default in the next version of Android, a step that mirrors broad moves in the technology industry to ensure better data security.
CloudFlare said it has engineered a novel way to handle sensitive encryption keys that allows organizations such as financial institutions to still use its caching service to fend off cyberattacks.
Samsung on Thursday announced price reductions and updates for its Knox security and management software for IT shops and a free My Knox service that is directly available to professionals using ActiveSync.
The breach of Home Depot's payment systems may have compromised 56 million payment cards as a result of malware that has since been eliminated, the company said Thursday.
Apple outlined its new privacy policy and set up a site to explain what information it collects from users and how it handles it, as the company enters new areas like health tracking and mobile payments that have potential privacy implications.
Join us: