Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat USA
July 31 - August 5, 2021
Las Vegas, NV, USA
SecTor
November 4 - October 30, 2021
Toronto, ON, Canada
Black Hat Europe
November 8-11, 2021
Virtual Event
10/25/2018
12:00 PM
John Wilson, Field CTO, Agari
John Wilson, Field CTO, Agari
Event Updates
50%
50%

Stop Doing Business with Cybersecurity Cheapskates

I live in a suburban city in Silicon Valley. Every year, at least one or two homes in my
neighborhood get tented for termite fumigation. I’ve had to do my own home three times in the past 25 years. During that time, I’ve seen pretty much every house on my street tented at least once except for one a few doors down from me. Also, this particular house doesn’t bother to mow their lawn, their driveway is overrun with weeds, and there are enough dead leaves and branches on their roof to make the entire neighborhood a fire hazard.

By now, you’re probably wondering what any of this has to do with cybersecurity. I’ve got
security cameras, smoke detectors, CO detectors, motion-activated lights, and a solid fence
around my yard. Yet, no matter what I do to protect my own property, my neighbor will continue to be the weakest link in the security of my home. Until my neighbor kills off the termites that make their way from his walls to every house on my block, I’m going to need to keep tenting my house every 8-10 years. My smoke detectors may save my life, but they aren’t going to save my home if an inferno starts from the dead leaves on my neighbor’s roof.

Your supply chain is a bit like my neighborhood. Some of your suppliers take extreme pride in
protecting their data and systems, while some of your suppliers are like my sloppy neighbor.
Just as my neighbor’s carelessness causes undue risk to my property, some of your suppliers
place your business at risk.

Business Email Compromise schemes involving a compromised email account at a business
partner have increased 2,300% since 2015. An ATO-based BEC attack begins when one of
your suppliers has one of their corporate email accounts compromised, usually via phishing.
The attacker monitors your supplier’s email communications for outgoing invoices. At this point, the attacker will either modify the invoice, changing the payment account details, or will send a follow-up email explaining that the first invoice should be ignored as it contained the wrong payment details. Eventually your angry supplier will be demanding payment, and the finger-pointing begins. Even if your supplier accepts responsibility, you’ll spend many frustrating hours trying to resolve the issue. Worse, your email hygiene solution is unlikely to stop an email containing a crypted sandbox-aware weaponized document if that document is sent from a trusted business contact’s compromised email account. Soon the invoices you send to your customers may be tampered with, and your incoming payments will get diverted to criminals.

I could complain to the city about my neighbor, in fact, my wife has on multiple occasions.
Unfortunately, there are things you can’t control in life, and my neighbor’s behavior is one of
those things. When it comes to your supply chain, here’s where the analogy breaks down in a
good way: You can (and should!) demand your suppliers implement an appropriate level of
cybersecurity controls. You are, after all, the customer. Demand that your suppliers use
multi-factor authentication on all of their email accounts. Demand that your suppliers use a
state-of-the-art email security solution. Demand that your suppliers conduct phishing-wareness training and demand that your suppliers utilize a proven endpoint security solution. And if you see my neighbor, please tell him to clean up his act.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-1177
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2011-1942
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2011-1955
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2011-2926
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-20389
PUBLISHED: 2021-06-23
Cross Site Scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a in admin/edit.php.