As with most things in life, it is crucial to understand history in order to understand and prepare for the future. Countless cyber attacks that originated through trusted third parties (such as those that affected Jimmy John's, Lowe's, and Goodwill Industries) serve as a cautionary tale of the extraordinary threats that enterprises face from supply chains and vendors alike.
Still resonating today is the story of retail giant Target and a small HVAC provider. According to analysis by researcher Brian Krebs at the time, Pennsylvania-based Fazio Mechanical Services relied on the free version of a malware detection tool that was licensed explicitly for individuals rather than corporate use (and, as a free on-demand scanner, offered no real-time protection); its remote access to Target's vendor billing and project management portals was not segmented from the rest of Target's network; and a determined adversary was at the helm. Together these added up to what has been described as the fourth largest data breach of all time.
As Secure Halo explained at the International Risk Management Institute (IRMI) CyberRisk Summit in Houston on March 3, the vast majority of organizations we have assessed have not identified which information assets are most at risk and why, or where they reside. This lack of insight provides a perfect opening for determined adversaries, who prefer the path of least resistance. The Fazio and Target example illustrates how that path can run through third parties and supply chain partners to gain a foothold on a targeted network.
As frameworks such as Lockheed Martin's Cyber Kill Chain model have demonstrated, sophisticated attackers do their homework in a reconnaissance phase before the attack, in which the main objective is to observe, probe, and formulate potential avenues of approach. Once a plan has been identified and a payload weaponized for delivery, attackers go to work, quietly and systematically purloining data, causing business disruption, and, in the case of SCADA attacks, sparking devastating sabotage that can result in 'failure to supply' events.
In the case of Target, the infection was delivered through malware-laced emails opened by Fazio employees; the malware stole the contractor's credentials for Target's vendor portal, and from that foothold the attackers moved laterally into segments of the network containing highly sensitive payment card and customer privacy data. They then prepared their coup de grâce by uploading malicious software to collect payment card information on a small number of registers. Once they confirmed that the malware performed properly, they infected hundreds of point-of-sale devices with it. The attack resulted in the exposure of as many as 110 million customers' personal and payment card records and upwards of $420 million in liability for the retail giant.
Due Diligence with Third-Party Vendors Protects Supply Chain
While the monumental story of Fazio and Target increased awareness, third-party threats are on the rise and continue to be widely overlooked. Beyond acknowledging that the threat exists, the next step is to implement a proactive security posture throughout the enterprise by insisting on greater vigilance over the security practices of third-party partners.
For companies outsourcing key services, such as data storage to cloud service providers (CSPs), critical questions must be asked of vendors and suppliers before signing any service level agreement (SLA). From a technical standpoint, companies should focus on data security and inquire about the vendor's controls at three levels:
- Application layer controls, which address whether applications are securely developed and maintained (input validation, vulnerability testing, and timely patching);
- Data layer controls, which address encryption; and
- Access controls for the CSP and the greater client user-base, which address concerns regarding privileged use and access control strength, consistency, and maturity.
Some of the questions that may fall under these technical controls include:
- Is multi-factor authentication used?
- What baseline defenses are in place, such as firewalls, anti-virus, and intrusion detection and prevention?
- What encryption standards are used for data in transit and data at rest? Let the vendor articulate its security philosophy: does it invest only in 'compliance', or can it evidence maturity beyond the standard?
- Has there ever been a significant cyber breach in the past?
- If so, what was the cause and are there recovery time objectives? Did the third party meet those objectives?
- What resilient measures are in place to prevent similar events from happening again?
- What vetting is done on new hires? When somebody is fired, what termination protocols are enacted to ensure that access paths and credentials are revoked?
- Who and how many employees will have access to my data?
- What types of preventative and detective physical security controls are implemented at this location, such as barriers, alarms, cameras, and intrusion detection?
- To what extent are changes to my account logged and audited?
When Subcontractors Send Malicious Messages
The above questions should help companies stay vigilant against accidental breaches via partners, but what about subcontractors and other third parties with nefarious intentions who act deliberately? Although recent high-profile incidents such as the Edward Snowden disclosures and the attack on Sony brought focus to the issue of insider threat, the little-known case of Khosrow Zarefarid, a subcontractor working for three major banks in the Middle East, shows just how problematic this threat can be.
Zarefarid, a software manager at the company responsible for operating the banks' networks, was good at his job. He discovered a potentially serious security flaw and wrote a formal report notifying the CEOs of each of the three banks that they were exposed to attack. After a year passed with no action taken, Zarefarid felt unappreciated and resented that bank executives had not heeded his advice. The frustrated subcontractor decided to make a point.
The result was the compromise of three million bank accounts and thousands of card numbers and PINs, which Zarefarid exported and posted on his personal blog. This meant not just the compromise of payment card and privacy data belonging to millions of the banks' customers, but enormous reputational and revenue loss for the banks themselves.
Ensure Security Beyond Compliance
Whether they’re the unsuspecting vehicles used by cyber attackers or the originators of such assaults themselves, vendors and subcontractors continue to represent potentially devastating areas of risk to companies.
As the customer, a company seeking third-party support holds the power of the purse: it can take its business elsewhere if vendors fail to demonstrate adherence to industry standards and best practices as a minimum baseline. But sadly, that alone is not enough. Often lost in the discussion of the Target case is the fact that the retailer had been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). As we know, this did not prevent the breach.
Although much has been revealed about the litany of weaknesses that contributed to the success of this attack, such as the lack of network segmentation around the payment processing environment and the absence of hardware-based point-to-point encryption, companies are still obliged to go beyond minimum, defense-in-depth requirements so that security is not just a 'check-the-box' exercise.
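The segmentation failure described above, a vendor foothold that could reach the payment environment through intermediate zones, is something a practitioner can check mechanically. The following is an added example, not code from the original article or from any of the organizations it discusses: it takes a constructed, hypothetical table of permitted zone-to-zone flows and enumerates every path (including multi-hop paths) from a third-party zone into the cardholder data environment. The zone names, ports, and the rule set itself are assumptions made for illustration.

```python
"""Segmentation check: can a third-party zone reach the cardholder data
environment (CDE), directly or through intermediate zones?

Constructed example. The rule set below is hypothetical and does not describe
any real network's policy."""
from collections import deque

# Constructed ACL: (source_zone, destination_zone, tcp_port) tuples that the
# firewall permits. Zone names are hypothetical.
PERMITTED_FLOWS = [
    ("vendor", "vendor-portal", 443),   # contractor reaches the billing portal
    ("vendor-portal", "corp-it", 445),  # portal host can reach corp file shares
    ("corp-it", "pos", 3389),           # corp admins RDP into POS management
    ("corp-it", "pos", 445),
    ("pos", "payment-switch", 443),
    ("guest-wifi", "internet", 443),
]

# The same rule set with the portal-to-corp hop removed: the contractor can
# still bill, but no longer has a route toward the CDE.
HARDENED_FLOWS = [f for f in PERMITTED_FLOWS if f != ("vendor-portal", "corp-it", 445)]


def build_graph(flows):
    """Adjacency list: zone -> [(reachable_zone, port), ...]."""
    graph = {}
    for src, dst, port in flows:
        graph.setdefault(src, []).append((dst, port))
    return graph


def find_paths(flows, start, target):
    """Return every simple path of permitted flows from start to target.

    Each path is a list of (src, dst, port) hops in order. Breadth-first
    search over zones; a zone is never revisited within one path, so the
    enumeration terminates even when the rule set contains cycles."""
    graph = build_graph(flows)
    paths = []
    queue = deque([(start, [])])
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            paths.append(hops)
            continue
        visited = {start} | {h[1] for h in hops}
        for dst, port in graph.get(zone, []):
            if dst in visited:
                continue
            queue.append((dst, hops + [(zone, dst, port)]))
    return paths


def segmentation_violations(flows, third_party_zones, cde_zones):
    """Map each third-party zone to the paths by which it can reach any CDE zone.

    An empty result means the rule set keeps every third-party zone out of
    the CDE; any entry is a segmentation finding to raise with the vendor
    and the network team."""
    result = {}
    for tp in third_party_zones:
        for cde in cde_zones:
            for path in find_paths(flows, tp, cde):
                result.setdefault(tp, []).append(path)
    return result


def format_path(path):
    """Render a path as 'src -> dst:port -> dst:port'."""
    return path[0][0] + "".join(f" -> {dst}:{port}" for _, dst, port in path)


if __name__ == "__main__":
    third_parties = ["vendor", "guest-wifi"]
    cde = ["pos", "payment-switch"]
    for label, flows in (("current", PERMITTED_FLOWS), ("hardened", HARDENED_FLOWS)):
        findings = segmentation_violations(flows, third_parties, cde)
        print(f"[{label}] {sum(len(p) for p in findings.values())} path(s) into the CDE")
        for zone, paths in findings.items():
            for path in paths:
                print("  ", format_path(path))
```

Run against the constructed rule set, the check reports four paths from the vendor zone into the payment environment (two into the POS zone and two more that continue to the payment switch), all of which pass through the portal host's access to corporate file shares; the hardened rule set yields none. In practice the flow table would be exported from the firewall or cloud security-group configuration rather than typed in, and the check is worth running on every rule change, not once.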
Instead, cybersecurity must be an ongoing process that demands vigilance and multiple layers addressing people, process, and technology. It is imperative that companies approach their own risk management with these factors in mind. If history has taught us anything, it is that those who do not learn from it are doomed to repeat it.