
Risk

6/4/2018
09:00 AM
By Kelly White, CEO & Co-Founder, RiskRecon
Sponsored Article

Why the Security of Your Vendor's Entire Enterprise Matters

Be very cautious of vendors who contend that their enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of the cyber-threat landscape.

Reliably protecting systems and data over time requires the disciplined execution of a robust security program that spans an entire enterprise. As a former CISO and now advisor to third-party risk management teams, I’ve seen some vendors take the contrary position, arguing that customers need only be concerned with the security of the systems that host their data.

Rarely can risk be contained to one set of systems without being affected by the threats and vulnerabilities of the surrounding systems and people. Grounding your third-party assessments in a correct, practical understanding of the cyber-threat landscape will compel you to care about your vendor's complete enterprise cyber-risk management program, not just the systems that you use.

We offer three points to consider when faced with a vendor’s "contained risk" argument: 

1. Data that can be moved will be moved. On paper, most application stacks are well bounded, supporting the argument that risk is contained to a limited scope. In this perfect world, your data resides in a database, data processing functionality is implemented in an application tier, and presentation logic is fulfilled through a web server layer. Backups may go to encrypted tape or to a remote network archive.

In imperfect reality, data does not just sit in a database. It takes a tremendous and rarely achieved level of organizational discipline and architectural investment to guarantee that data cannot leave its primary systems. If data can be extracted from those systems, it will be. For example:

  • Data is written to logging servers
  • Analysts pull data from the database for analytics and reporting
  • Network and server logs contain sensitive information
  • DBAs query subsets of data in the process of supporting databases
  • Production data may be used in test or QA systems

A compromise of any of these systems can result in compromise of your data. For example, in early May 2018, Twitter advised its roughly 330 million users to change their passwords after discovering that a bug had written passwords in plaintext to an internal log before the hashing process completed. The credential store itself was not breached; the log was the exposure.
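The Twitter incident is one instance of a general pattern: a secret reaches a log sink on its way to the hash. The Python below is an illustration added here, not code from the article or from Twitter. It shows a minimal login handler that logs the whole request (so the password lands on whatever collects the log), the same handler logging a redacted copy, and a handler-level logging filter that scrubs credential-shaped fields so that a call site that forgot to redact still cannot leak. The sample request, the field names and the `RedactingFilter` class are all constructed for the example.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Constructed sample login request; in production this is the parsed POST body.
SAMPLE_REQUEST = {"user": "alice", "password": "hunter2", "remember": True}

# Credential-shaped field names that must never appear in a log line.
SECRET_KEYS = {"password", "passwd", "secret", "token"}

# Matches key=value, key: value, 'key': 'value' or "key": "value" for those names,
# so the filter works on query strings, dict reprs and JSON-like text alike.
SECRET_RE = re.compile(
    r"""(['"]?(?:password|passwd|secret|token)['"]?\s*[:=]\s*)(['"]?)([^'",&\s}]+)(\2)""",
    re.IGNORECASE,
)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns 'salthex$dkhex' for storage."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def redact(record):
    """Copy of a request dict with credential fields replaced at the call site."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else v) for k, v in record.items()}


def login_leaky(request, log):
    """The bug class behind the Twitter incident: the request, password included,
    is written to the log before hashing. The stored hash is fine; the log is not."""
    log.info("login request: %s", request)
    return hash_password(request["password"])


def login_fixed(request, log):
    """Same handler, but only a redacted view of the request reaches the log."""
    log.info("login request: %s", redact(request))
    return hash_password(request["password"])


class RedactingFilter(logging.Filter):
    """Defence in depth (constructed for this example): scrub credential-shaped
    fields from every record passing through the handler, regardless of call site."""

    def filter(self, record):
        record.msg = SECRET_RE.sub(r"\1\2[REDACTED]\4", record.getMessage())
        record.args = ()  # message is already rendered; nothing left to interpolate
        return True


def capture_log(handler_fn, request, with_filter=False):
    """Run a login handler against an in-memory log; return (stored_hash, log_text)."""
    buf = StringIO()
    log = logging.Logger("demo")  # unregistered logger, so handlers do not accumulate across runs
    log.setLevel(logging.INFO)
    stream = logging.StreamHandler(buf)
    if with_filter:
        stream.addFilter(RedactingFilter())
    log.addHandler(stream)
    stored = handler_fn(request, log)
    stream.flush()
    return stored, buf.getvalue()


def log_leaks(log_text, secret):
    """True if the cleartext secret made it into the captured log output."""
    return secret in log_text


if __name__ == "__main__":
    for fn, flt in ((login_leaky, False), (login_fixed, False), (login_leaky, True)):
        stored, text = capture_log(fn, SAMPLE_REQUEST, with_filter=flt)
        print(f"{fn.__name__:12} filter={flt!s:5} leaks={log_leaks(text, 'hunter2')} {text.strip()}")
```

The handler-level filter is the part worth copying: redacting at each call site depends on every developer remembering to do it, whereas a filter on the handler (or a formatter doing the same job) sits on the single path every record takes to the log server.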

2. Systems are networked, facilitating unexpected attack paths. The systems that store your data are interconnected with other systems. In most environments, it's easy to construct an attack path against a "secure" environment that starts with compromise of an "out of scope" workstation or server. At a minimum, administrators, analysts, monitoring systems, backup servers, remote access servers and related web and application servers can directly access the systems that store your data. Those systems are in turn connected to other systems. A compromise of any system on the network path can result in compromise of other networked assets.

Consider the Equifax breach reported in September 2017. Attackers exploited an Apache Struts vulnerability (CVE-2017-5638, for which a patch had been available since March 2017) on a consumer-facing web portal to gain initial access, then expanded into other systems. During his Congressional testimony, former CEO Richard Smith described how the sheer number of compromised systems complicated the forensic analysis. Equifax's count of exposed records and data elements has grown since the breach was first reported, with further disclosures still being made at the time of writing.

The 2011 breach of RSA offers another example. Attackers used spear-phishing emails carrying a malicious spreadsheet attachment to compromise the workstation of a junior-level RSA employee who fell outside the expected attack profile, then pivoted across the organization until they reached a file server holding SecurID token seed values.
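The attack paths described in this section can be made concrete from nothing more than a vendor's allowed-flow inventory (firewall rules, security groups, or a flow-log summary). The Python below is an example added here, not code from the article or from RiskRecon; the host names, the flow table and the "documented scope" are constructed to mirror the three-tier stack described under point 1. It enumerates every path from an "out of scope" workstation to the customer database, computes the real set of hosts from which the database is reachable (versus the documented scope), lists where the database's data flows outward, and shows why removing only the obvious direct edge does not close the path.

```python
from collections import deque

# Constructed allowed-flow inventory for a hypothetical vendor network: each host maps to the
# hosts it may open connections to. The documented "in scope" stack for the customer's data is
# portal_web -> app_server -> db_customer; everything else is what the vendor calls out of scope.
ALLOWED_FLOWS = {
    "internet":       {"portal_web", "vpn_gateway"},
    "portal_web":     {"app_server"},
    "app_server":     {"db_customer", "log_server"},
    "db_customer":    {"log_server", "backup_server"},                 # db pushes logs and backups out
    "vpn_gateway":    {"jump_host"},
    "jump_host":      {"db_customer", "app_server", "hr_workstation"}, # admin bastion
    "hr_workstation": {"jump_host", "file_share"},                     # "out of scope" desktop
    "monitoring":     {"db_customer", "app_server", "portal_web"},
    "backup_server":  {"file_share"},
    "log_server":     set(),
    "file_share":     set(),
}
DOCUMENTED_SCOPE = {"portal_web", "app_server", "db_customer"}


def find_paths(flows, start, target, max_hops=6):
    """All simple paths start -> target (bounded DFS): every route an attacker holding
    `start` could try toward `target`. Paths are returned in deterministic order."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        if len(path) > max_hops:
            continue
        for nxt in sorted(flows.get(node, ()), reverse=True):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def reachable_from(flows, start):
    """Forward reachability: everything a compromised `start` can connect to, transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def can_reach(flows, target):
    """Reverse reachability: every host with some network path to `target`.
    This, not the documented stack, is the real scope of a data-store assessment."""
    return {src for src in flows if src != target and target in reachable_from(flows, src)}


def undocumented_exposure(flows, scope, target):
    """Hosts that can reach the data store but are outside what the vendor calls in scope."""
    return can_reach(flows, target) - scope


def drop_flow(flows, src, dst):
    """Return a copy of the inventory with one allowed flow removed (a firewall change)."""
    new = {k: set(v) for k, v in flows.items()}
    new[src].discard(dst)
    return new


if __name__ == "__main__":
    for p in find_paths(ALLOWED_FLOWS, "hr_workstation", "db_customer"):
        print("attack path:", " -> ".join(p))
    print("reaches db but undocumented:", sorted(undocumented_exposure(ALLOWED_FLOWS, DOCUMENTED_SCOPE, "db_customer")))
    print("where db data flows:", sorted(reachable_from(ALLOWED_FLOWS, "db_customer")))
    # Blocking jump_host -> db_customer alone still leaves the route through app_server.
    partial = drop_flow(ALLOWED_FLOWS, "jump_host", "db_customer")
    for p in find_paths(partial, "hr_workstation", "db_customer"):
        print("still open after partial fix:", " -> ".join(p))
```

Run against a real rule set, the `undocumented_exposure` set is the list of hosts whose patch state, monitoring coverage and user population a customer has a legitimate interest in, which is the point of this section.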

3. Lack of enterprise-wide security discipline will bite you in the end. All too often I've heard third-party CISOs and security professionals argue that severely vulnerable Internet-facing systems don't matter because they are "low risk" and unrelated to the customer environment. But ask yourself: do you trust an organization that spends more energy justifying the operation of vulnerable online systems than it would spend just fixing them?

Third-party cyber-risk management is ultimately about trust. Do you trust that moment-to-moment, day-in and day-out, your vendors will reliably protect your risk interests? Do you trust a vendor that fails to patch 10 percent of the software on its Internet-facing systems? Do you trust a vendor whose threat intelligence operations cover some of its Internet points of presence but not others?

It may be that the systems hosting your data are patched, but vulnerabilities in other systems could be exploited to attack those where your data resides. If the vendor performs poorly as an enterprise, eventually that poor performance will show up in systems relevant to you.

Be very cautious of vendors who contend that their larger enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of the cyber-threat landscape. As Geoff Belknap, CISO of Slack, put it: "If your business makes money by collecting, hosting or processing data from others, you're a security company. Act like it."

Kelly White is the CEO and Co-Founder of RiskRecon, the world's leading provider of solutions for solving third-party cybersecurity risk at scale. Prior to dedicating his full attention to RiskRecon, Kelly held various enterprise security roles, including CISO and director of information security for financial services companies. Kelly was also practice manager and senior security consultant for CyberTrust and Ernst & Young.

Kelly is a frequent contributor to the security community, speaking at conferences such as Cybercrime Prevention Summit, United Security Conference, RSA Conference, and RSA eFraud Global Forum. He is also a member of the Fraud Global conference board.

 
