Last week it was announced that a new alliance had been formed: the VSA (Vendor Security Alliance). The alliance was formed by a group of companies, led by Uber's Ken Baylor, including Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb.
Example of a vendor-driven breach (the 2013 Target intrusion):
“Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.”
Also, from Target's own statement: "We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system."
The VSA is going to release a questionnaire that businesses can give to their vendors to assess those vendors' security posture. Hopefully, this will reduce the number of breaches that are due to poor vendor security. Vendors will be given a grade, similar to how restaurants are handed a letter grade based on their health inspection.
The VSA plans, over time, to compile a list of the highest-rated vendors. However, there is a fee to join the VSA. Anyone can use the questionnaire to audit their own vendors, but official verification will only be provided to VSA participants.
Overall, I see the VSA as becoming a standard for all companies, which could really benefit the cybersecurity industry. Vendors will also be able to use their scores to avoid repeating work, such as security audits, that previously had to be done separately for each individual customer. There will finally be a single standard against which all companies can be graded.
Link to the Target article: http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/