As a business, who should you trust? Which companies are you confident won’t lose your customers’ information to cybercriminals, or leave a virtual back door open for hackers?
Mark Bristow, director of the National Cybersecurity and Communications Integration Center Hunt & Incident Response Team with the Department of Homeland Security, says businesses make a critical — and common — mistake by failing to think about where they place their trust.
Trust can create major vulnerabilities, because hackers know how to exploit it for fast access to systems and information. Security is only as good as the weakest link, and the weakest link might be your supplier.
“I like to say cybersecurity is not a technology problem, it’s a people problem,” Bristow said. “At the end of the day it is humans that are writing vulnerabilities into code or clicking on the [malicious] links — it’s an interpersonal relationship challenge.
“A great example of this is a case we worked over last summer where Russian government hackers attempted to get into the U.S. power grid. … And what [the hackers] really were trying to exploit were trust relationships.”
Instead of mounting a direct attack the Russians hacked into the small companies that supported the large power providers, Bristow said, and then tried to use the business trust between those organizations to get into the electric power utilities.
Such attacks mean that businesses building a cybersecurity plan must go beyond a technical assessment of their inventory of assets, and also take inventory of their business and strategic associations. Ignoring them can be disastrous.
“I worked on incident response for an oil company a number of years back that had a trust relationship with a second party that got compromised,” Bristow said. “The adversary … tried to get in through the front door of the [oil company’s] network, but they really had great security. But their partner didn’t. And because that trust model existed there, they were able to get in by compromising the partner.
“So we have to understand the totality of who we’re trusting — and how are we ensuring our partners have the right level of security?”
That’s the essence of supply chain security. Mark Weatherford, senior vice president and chief cybersecurity strategist at vArmour, describes it this way: “I may trust you, but I may not trust who you trust.”
Attacking trusted suppliers, apps and contractors where defenses are lower is a stealthy way to breach hard-to-reach, high-appeal targets like defense contractors.
To illustrate, Peak InfoSec CEO Matthew Titcombe uses the example of “a Lockheed Martin or a Boeing delegating down to this little mom-and-pop six-man shop out of Indiana or someplace, because they’re the experts. But they’re six people, and they’re basically running things off PCs.
“Well, if I can attack them, I can get the intellectual property that the government’s given to them down at their level — but I can now also use them as a Trojan to try and get in [to Lockheed Martin or Boeing, the real target], going up their supply chain. I can just keep exploiting more and more as I go up, until either you get caught, or you’re exceptionally good and you get all the way into DoD.”
Supply chain attacks are on the rise, a survey by the Ponemon Institute found: 56 percent of organizations have had a breach that was caused by one of their vendors.
At the same time, only 57 percent had a list of all third parties they were sharing sensitive information with. Worse, only 18 percent of companies said they knew if those vendors were, in turn, sharing that information with other suppliers.
Of those surveyed, 57 percent didn’t know if their vendors’ policies would prevent a breach — but continued to share data anyway.
“This is where the supply chain risk is now, because we’re giving so much out to other companies to do,” Titcombe said. “The term is ‘delegation by abdication,’ and that’s what a lot of companies are doing. They’re just assuming everybody else out there is good and secure, therefore I don’t need to worry about it.”
One place where companies wrongly assume they’re protected is with cloud service providers.
“We got brought in on a client last year to do a cloud service provider test and he said ‘We’re really good — we’re hosted in Google and we’re compliant because they’re compliant.’ …” Titcombe said.
“Amazon, Microsoft, Rackspace [managed clouds] et cetera are not safe. People think that when they’re moving their apps into those environments, they’re secure. They don’t understand that they go to the lowest-level bar they have to go to meet their compliance requirements for providing infrastructure, platform, or software as a service… . So we find a lot of clients who’ve got sensitive information up on those sites and they’ve got bare-bones, next to nothing for security around it.”
Cloud service providers do give businesses the ability to put a lot more security measures in place, Titcombe said, but it’s up to the individual company to do that.
“And that’s the thing most of them miss, they’re like, ‘OK, we can just put this up in Amazon, we’re good.’”
An example: The Verizon breach, which involved 6 million customer records, was caused by customer service analytics provider Nice Systems, which put six months of customer service call logs (including account and personal information) on a public Amazon S3 storage server.
CSO Online recommends businesses take the following steps to defend against supply chain and third-party attacks.
• Monitor vendor access to internal data and networks, establish boundaries and adhere to these boundaries strictly.
• Log and monitor any external vendor access, and know third-party providers’ incident response and disaster recovery plans.
• Decrease your attack surface by limiting users’ ability to install third-party software on machines, primarily freeware.
But for most small and medium-sized businesses, working out the cybersecurity footing of your suppliers isn’t easy, Titcombe said. Most will need guidance from information security specialists who can dig deep, ask the right questions and, if necessary, perform audits on suppliers and partners.
“If they don’t have somebody qualified on staff who understands information security, [they’ll need] a consultant. …” he said. “General IT guys still don’t know what to ask. … It’s a lot more than most IT guys ever get their hands into.”