Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 3-6, 2019
London UK
10/25/2018
12:00 PM
John Wilson, Field CTO, Agari
John Wilson, Field CTO, Agari
Event Updates
50%
50%

Stop Doing Business with Cybersecurity Cheapskates

I live in a suburban city in Silicon Valley. Every year, at least one or two homes in my
neighborhood get tented for termite fumigation. I’ve had to do my own home three times in the past 25 years. During that time, I’ve seen pretty much every house on my street tented at least once except for one a few doors down from me. Also, this particular house doesn’t bother to mow their lawn, their driveway is overrun with weeds, and there are enough dead leaves and branches on their roof to make the entire neighborhood a fire hazard.

By now, you’re probably wondering what any of this has to do with cybersecurity. I’ve got
security cameras, smoke detectors, CO detectors, motion-activated lights, and a solid fence
around my yard. Yet, no matter what I do to protect my own property, my neighbor will continue to be the weakest link in the security of my home. Until my neighbor kills off the termites that make their way from his walls to every house on my block, I’m going to need to keep tenting my house every 8-10 years. My smoke detectors may save my life, but they aren’t going to save my home if an inferno starts from the dead leaves on my neighbor’s roof.

Your supply chain is a bit like my neighborhood. Some of your suppliers take extreme pride in
protecting their data and systems, while some of your suppliers are like my sloppy neighbor.
Just as my neighbor’s carelessness causes undue risk to my property, some of your suppliers
place your business at risk.

Business Email Compromise schemes involving a compromised email account at a business
partner have increased 2,300% since 2015. An ATO-based BEC attack begins when one of
your suppliers has one of their corporate email accounts compromised, usually via phishing.
The attacker monitors your supplier’s email communications for outgoing invoices. At this point, the attacker will either modify the invoice, changing the payment account details, or will send a follow-up email explaining that the first invoice should be ignored as it contained the wrong payment details. Eventually your angry supplier will be demanding payment, and the finger-pointing begins. Even if your supplier accepts responsibility, you’ll spend many frustrating hours trying to resolve the issue. Worse, your email hygiene solution is unlikely to stop an email containing a crypted sandbox-aware weaponized document if that document is sent from a trusted business contact’s compromised email account. Soon the invoices you send to your customers may be tampered with, and your incoming payments will get diverted to criminals.

I could complain to the city about my neighbor, in fact, my wife has on multiple occasions.
Unfortunately, there are things you can’t control in life, and my neighbor’s behavior is one of
those things. When it comes to your supply chain, here’s where the analogy breaks down in a
good way: You can (and should!) demand your suppliers implement an appropriate level of
cybersecurity controls. You are, after all, the customer. Demand that your suppliers use
multi-factor authentication on all of their email accounts. Demand that your suppliers use a
state-of-the-art email security solution. Demand that your suppliers conduct phishing-wareness training and demand that your suppliers utilize a proven endpoint security solution. And if you see my neighbor, please tell him to clean up his act.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9047
PUBLISHED: 2019-02-23
GoRose v1.0.4 has SQL Injection when the order_by or group_by parameter can be controlled.
CVE-2019-9062
PUBLISHED: 2019-02-23
PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Request Forgery (CSRF) in my-account.php.
CVE-2019-9063
PUBLISHED: 2019-02-23
PHP Scripts Mall Auction website script 2.0.4 allows parameter tampering of the payment amount.
CVE-2019-9064
PUBLISHED: 2019-02-23
PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png file.
CVE-2019-9065
PUBLISHED: 2019-02-23
PHP Scripts Mall Custom T-Shirt Ecommerce Script 3.1.1 allows parameter tampering of the payment amount.