6/4/2018
09:00 AM
By Kelly White, CEO & Co-Founder, RiskRecon
Sponsored Article

Why the Security of Your Vendor's Entire Enterprise Matters

Be very cautious of vendors who contend that their enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of the cyber-threat landscape.

Reliably protecting systems and data over time requires the disciplined execution of a robust security program that spans an entire enterprise. As a former CISO and now advisor to third-party risk management teams, I’ve seen some vendors take the contrary position, arguing that customers need only be concerned with the security of the systems that host their data.

Rarely can risk be contained to one set of systems and not be impacted by the threats and vulnerabilities of the surrounding systems and people. Grounding your third-party assessments in a correct, practical understanding of the cyberthreat landscape will compel you to be concerned with your vendor's complete enterprise cyber-risk management program, and not just the systems that you use.

We offer three points to consider when faced with a vendor's "contained risk" argument:

1. Data that can be moved will be moved. On paper, most application stacks are well bounded, supporting the argument that risk is contained to a limited scope. In this perfect world, your data resides in a database, data processing functionality is implemented in an application tier, and presentation logic is fulfilled through a web server layer. Backups may go to encrypted tape or to a remote network archive.

In imperfect reality, data does not just sit in a database. It takes a tremendous and rarely achieved level of organizational discipline and architectural investment to guarantee that data cannot leave its primary systems. If data can be extracted from those systems, it will be. For example:

  • Data is written to logging servers
  • Analysts pull data from the database for analytics and reporting
  • Network and server logs contain sensitive information
  • DBAs query subsets of data in the process of supporting databases
  • Production data may be used in test or QA systems

A compromise of any of these systems can result in compromise of your data. For example, in early May, Twitter advised its 330 million users to immediately change their passwords; their password hashing algorithm was writing the passwords in plaintext to a log server.
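The leak path described above, data that was meant to stay in the database turning up in plaintext on a logging server, is the kind of thing an assessor can check for directly. The following is an added example, not code from the article or from RiskRecon: it scans constructed, synthetic log lines for credential-, token-, card- and SSN-shaped values, reports which kinds were found, and redacts them. The key names and regular expressions are illustrative starting points, not a complete list.

```python
import re

# Constructed sample log lines (synthetic, not from any real system) showing the
# kind of content that drifts into "out of scope" logging servers.
SAMPLE_LOG_LINES = [
    "2018-05-03T10:12:01Z INFO auth login ok user=alice",
    "2018-05-03T10:12:02Z DEBUG auth request body password=hunter2 user=bob",
    "2018-05-03T10:12:03Z INFO api GET /orders?token=abc123def456",
    "2018-05-03T10:12:04Z WARN billing card=4111111111111111 declined",
    "2018-05-03T10:12:05Z INFO export ssn=123-45-6789 written to analytics",
]

# Each pattern captures a key (group 1) and the sensitive value (group 2).
# The key set is an illustrative assumption, not an exhaustive list.
SENSITIVE_PATTERNS = {
    "password": re.compile(r"(?i)\b(password|passwd|pwd)=(\S+)"),
    "token": re.compile(r"(?i)\b(token|api_key|secret)=([^\s&]+)"),
    "card": re.compile(r"\b(card)=(\d{13,19})\b"),
    "ssn": re.compile(r"\b(ssn)=(\d{3}-\d{2}-\d{4})\b"),
}


def find_leaks(line):
    """Return the kinds of sensitive values present in one log line."""
    return [kind for kind, pat in SENSITIVE_PATTERNS.items() if pat.search(line)]


def redact(line):
    """Replace every sensitive value with a marker, keeping the key for context."""
    for pat in SENSITIVE_PATTERNS.values():
        line = pat.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return line


def leak_report(lines):
    """Count findings per kind across a batch of log lines (a detection metric)."""
    report = {}
    for line in lines:
        for kind in find_leaks(line):
            report[kind] = report.get(kind, 0) + 1
    return report


if __name__ == "__main__":
    for idx, line in enumerate(SAMPLE_LOG_LINES):
        kinds = find_leaks(line)
        if kinds:
            print(f"line {idx}: leaked {kinds} -> {redact(line)}")
    print("summary:", leak_report(SAMPLE_LOG_LINES))
```

Running `leak_report` over a vendor's log samples gives a concrete number to put beside the "our logs are out of scope" claim; `redact` is the mitigation side, the transformation a log shipper should apply before lines ever reach the archive.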

2. Systems are networked, facilitating unexpected attack paths. The systems that store your data are interconnected with other systems. In most environments, it's pretty easy to construct an attack path against a "secure" environment that starts with compromise of an "out of scope" workstation or server. At a minimum, administrators, analysts, monitoring systems, back-up servers, remote access servers and related web and application servers can directly access systems that store your data. These systems in turn are connected to other systems. A compromise of any system within the network path can result in compromise of other networked assets.

Consider the Equifax breach reported in September of 2017. Miscreants exploited an Apache Struts vulnerability on a consumer portal to gain initial access, then expanded into other systems. During his Congressional testimony, former CEO Richard Smith described the difficulty in conducting forensic analysis because of the sheer number of systems compromised. Equifax's admissions of exposed data have expanded since the breach was initially reported, even into this month.

The 2011 breach of RSA offers another example. Hackers used spear phishing to compromise the system of a junior-level RSA worker who was outside of the expected attack profile, then pivoted across the organization until they reached a file server containing SecurID token seed values.
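Point 2 is really a scoping rule: every asset that can open a session to the data store belongs in the assessment, whether or not the vendor calls it "in scope". The following is an added example, not code from the article or from RiskRecon, that makes the rule mechanical over a constructed asset inventory for a hypothetical vendor (all asset names are assumptions). It computes which assets can reach the customer database, which downstream systems a copy of the data flows to (point 1 above), and the gap between that set and the vendor's declared scope.

```python
from collections import deque

# Constructed asset inventory for a hypothetical vendor (not a real environment).
# An edge a -> b means "a can open a network or administrative session to b".
ASSET_GRAPH = {
    "web_server": ["app_server"],
    "app_server": ["customer_db"],
    "backup_server": ["customer_db"],
    "monitoring": ["customer_db", "app_server"],
    "jump_host": ["customer_db", "app_server", "backup_server"],
    "admin_workstation": ["jump_host"],
    "analyst_workstation": ["reporting_db"],
    "customer_db": ["reporting_db"],  # nightly extract copied out for analytics
    "reporting_db": [],
    "hr_system": [],
}


def _reverse(graph):
    """Build the predecessor map: rev[b] holds every a with an edge a -> b."""
    rev = {node: [] for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def _bfs(adjacency, start):
    """Every node reachable from start over the given adjacency (start excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def systems_that_can_reach(graph, target):
    """Assets with a session path to the target: the real blast radius of the data store."""
    return _bfs(_reverse(graph), target)


def downstream_copies(graph, source):
    """Assets the data can flow to from its primary store (the point-1 concern)."""
    return _bfs(graph, source)


def scope_gap(graph, declared_scope, target):
    """Assets that can reach the target but were left out of the vendor's declared scope."""
    return sorted(systems_that_can_reach(graph, target) - set(declared_scope))


if __name__ == "__main__":
    declared = {"web_server", "app_server", "customer_db"}
    print("can reach customer_db:", sorted(systems_that_can_reach(ASSET_GRAPH, "customer_db")))
    print("data copies flow to:", sorted(downstream_copies(ASSET_GRAPH, "customer_db")))
    print("scope gap:", scope_gap(ASSET_GRAPH, declared, "customer_db"))
```

With the vendor declaring only the web, application and database tiers in scope, `scope_gap` lists the admin workstation, backup server, jump host and monitoring system as assets that can reach the data but were never assessed; the HR system stays out because nothing connects it to the data path. Feeding a real inventory into the same function is the difference between accepting a scope statement and verifying one.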

3. Lack of enterprise-wide security discipline will bite you in the end. All too often I’ve heard third-party CISOs and security professionals argue that severely vulnerable Internet-facing systems don't matter because they are "low risk" and are unrelated to the customer environment. But ask yourself—do you trust an organization that spends more energy justifying operation of vulnerable online systems than just fixing the issue?

Third-party cyber-risk management is ultimately about trust. Do you trust that moment-to-moment, day-in and day-out, your vendors will reliably protect your risk interests? Do you trust a vendor that has a 10 percent Internet system software patching failure rate? Do you trust a vendor that only focuses threat intelligence operations on some Internet points of presence but not others?

It may be that the systems hosting your data are patched, but vulnerabilities in other systems could be exploited to attack those where your data resides. If the vendor performs poorly as an enterprise, eventually that poor performance will show up in systems relevant to you.

Be very cautious of vendors who contend that their larger enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of the cyber-threat landscape. As Geoff Belknap, CISO of Slack, put it, "If your business makes money by collecting, hosting or processing data from others, you're a security company. Act like it."

Kelly White is the CEO and co-Founder of RiskRecon, the world's leading provider of solutions for solving third-party cybersecurity risk at scale. Prior to dedicating his full attention to RiskRecon, Kelly held various enterprise security roles, including CISO and director of information security for financial services companies. Kelly was also practice manager and senior security consultant for CyberTrust and Ernst & Young.

Kelly is a frequent contributor to the security community, speaking at conferences such as Cybercrime Prevention Summit, United Security Conference, RSA Conference, and RSA eFraud Global Forum. He is also a member of the Fraud Global conference board.
