The annual flight for Santa Claus comes in just a few days, and he's got some issues. The good news is that Saint Nick hasn't popped up on any list of SolarWinds' customers. We also know that Dr. Fauci himself vaccinated Santa against COVID-19. The bad news is that Santa has to deal with many of the same issues that every other enterprise on Earth has faced in 2020: workers sent to their homes, supply chains disrupted, and IT systems stretched to cover it all.
It turns out that Santa is faced with a classic supply chain problem: He must ensure that his product is delivered to a strict schedule, under a strict budget, while maintaining organizational secrecy, and keeping customer personal information absolutely secure. How can he do that when circumstances are so unusual?
Dark Reading went to a number of industry experts and asked for the advice they would give Santa on this critical set of security issues. They responded in full and acknowledged that the implications of Santa's decisions can have an impact on those far from the North Pole.
"When Santa delivers that package to your kids, it's important to consider the implications of where the toy or gift was made. We should consider whether the elves are really working from quarantine or have they been social. Perhaps they have been forced into a traditional production environment as the time crunch to deliver gifts at mass scale mounts. While there is no evidence that COVID has impacted the elf or reindeer population, it should be a consideration," says Brandon Hoffman, CISO at Netenrich.
"In 2020, the supply chain was compromised before it even started," says Tyler Reguly, manager of security research and development at Tripwire. That notion of a compromised supply chain came up repeatedly -- along with the idea that, in spite of compromise, operations must continue.
As for the compromises, Reguly points out an obvious place for infiltration to begin: "Santa’s email has been published and that domain name provides a starting point for malicious individuals to seek out additional systems and potentially public facing infrastructure."
So with the problem explained and obvious, what should Santa do? "Santa should be looking at his third-party vendors and giving them a foundational security requirement or assessment of what they need to be doing so that he can feel comfortable," says Kiersten Todt, managing director of the Cyber Readiness Institute. She points out that Santa has to be clear that the steps that his third-party vendors are taking equate to the risk he's willing to accept and not willing to accept.
The idea of "risk appetite" is something that several experts touched on in their comments, and Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies, says that there are concrete steps that Santa should take within his historic appetite for risk:
- Check elves' recommendations to prevent recruiting an attacker from the Grinch group.
- Ensure that all gift providers maintain a high level of information security.
- Check the storage system of the lists of good children in advance so that the Grinch cannot include himself or his allies in it through the backdoor, and restrict access by third parties.
- Deliver gifts to elves for packaging only through trusted channels and trusted suppliers.
- Ensure that using secret combinations to test the reindeer before handing over wrapped gifts is a mandatory procedure for an elf.
- Ensure that elves record the facts of transfer of wrapped gifts to reindeer by means of a hoof print in the act of acceptance and transfer.
- Coordinate the routes of the reindeer, and install a tracking system on them so that not a single reindeer with gifts is stolen along the way.
- Regularly conduct training and test elves for their knowledge of the basics of safe handling of confidential information so that they can easily recognize phishing and inform Santa about attempts to kidnap Christmas.
Finally, Jeff Roth, southeast regional director at NCC Group, waxed poetic in responding to Dark Reading's query about Santa and third-party risk. With apologies to Clement Clarke Moore...
"It is the weeks before Christmas and all through the house, the criminal and state actors were hacking with a click of their mouse.
"All the companies, governments, and citizens still reeling from pandemic fatigue were not ready to stop these adversaries' mayhem and greed. The bad guys attack without fear or shame, even stopping poor Rudolph from his Reindeer games.
"Backdoors, zero days, and counterfeits abound. Poor Santa's elves' supply chains were all down. For without secure critical infrastructures in place, how could they build all the gadgets and toys and bring smiles to our faces?
"But out of this darkness came a sound of glee, Santa's cyber warriors were protecting their supply chain for all his elves to see.
"It started with IOC detection coupled with well-engineered layered defense protection. Santa's cybersecurity program started to spread; the adversaries now had something to dread. Yes, we will find you and address your threats with purpose, focus and speed, to stop you, state actors, criminals, and other Grinches indeed.
"So goes the lesson for all to remember: Keep your security focus 24/7 and all year, not just December."