
6/4/2018
09:00 AM
By Kelly White, CEO & Co-Founder, RiskRecon
Sponsored Article

Why the Security of Your Vendor's Entire Enterprise Matters

Be very cautious of vendors who contend that their enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of the cyber-threat landscape.

Reliably protecting systems and data over time requires the disciplined execution of a robust security program that spans an entire enterprise. As a former CISO and now advisor to third-party risk management teams, I’ve seen some vendors take the contrary position, arguing that customers need only be concerned with the security of the systems that host their data.

Rarely can risk be contained to one set of systems without being affected by the threats and vulnerabilities of the surrounding systems and people. Grounding your third-party assessments in a correct, practical understanding of the cyber-threat landscape will compel you to be concerned with your vendor's complete enterprise cyber-risk management program, and not just the systems that you use.

We offer three points to consider when faced with a vendor’s "contained risk" argument: 

1. Data that can be moved will be moved. On paper, most application stacks are well bounded, supporting the argument that risk is contained to a limited scope. In this perfect world, your data resides in a database, data processing functionality is implemented in an application tier, and presentation logic is fulfilled through a web server layer. Backups may go to encrypted tape or to a remote network archive.

In imperfect reality, data does not just sit in a database. It takes a tremendous and rarely achieved level of organizational discipline and architectural investment to guarantee that data cannot leave its primary systems. If data can be extracted from those systems, it will be. For example:

  • Data is written to logging servers
  • Analysts pull data from the database for analytics and reporting
  • Network and server logs contain sensitive information
  • DBAs query subsets of data in the process of supporting databases
  • Production data may be used in test or QA systems

A compromise of any of these systems can result in compromise of your data. For example, in early May, Twitter advised its 330 million users to immediately change their passwords; their password hashing algorithm was writing the passwords in plaintext to a log server.

2. Systems are networked, facilitating unexpected attack paths. The systems that store your data are interconnected with other systems. In most environments, it’s pretty easy to construct an attack path against a “secure” environment that starts with compromise of an “out of scope” workstation or server. At a minimum, administrators, analysts, monitoring systems, back-up servers, remote access servers and related web and application servers can directly access systems that store your data. These systems in turn are connected to other systems. A compromise of any system within the network path can result in compromise of other networked assets.

Consider the Equifax breach reported in September of 2017. Miscreants exploited an Apache Struts vulnerability on a consumer portal to gain initial access, then expanded into other systems. During his Congressional testimony, former CEO Richard Smith described the difficulty in conducting forensic analysis because of the sheer number of systems compromised. Equifax's admissions of exposed data have expanded since the breach was initially reported, even into this month.

The 2011 breach of RSA offers another example. Hackers used spear phishing to compromise the system of a junior-level RSA worker who was outside of the expected attack profile, then pivoted across the organization until they reached a file server containing SecurID token seed values.

3. Lack of enterprise-wide security discipline will bite you in the end. All too often I’ve heard third-party CISOs and security professionals argue that severely vulnerable Internet-facing systems don't matter because they are "low risk" and are unrelated to the customer environment. But ask yourself—do you trust an organization that spends more energy justifying operation of vulnerable online systems than just fixing the issue?

Third-party cyber-risk management is ultimately about trust. Do you trust that moment-to-moment, day-in and day-out, your vendors will reliably protect your risk interests? Do you trust a vendor that has a 10 percent Internet system software patching failure rate? Do you trust a vendor that only focuses threat intelligence operations on some Internet points of presence but not others?

It may be that the systems hosting your data are patched, but vulnerabilities in other systems could be exploited to attack those where your data resides. If the vendor performs poorly as an enterprise, eventually that poor performance will show up in systems relevant to you.

Be very cautious of vendors who contend that their larger enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of the cyber-threat landscape. As Geoff Belknap, CISO of Slack, put it, "If your business makes money by collecting, hosting or processing data from others, you're a security company. Act like it."

Kelly White is the CEO and co-Founder of RiskRecon, the world's leading provider of solutions for solving third-party cybersecurity risk at scale. Prior to dedicating his full attention to RiskRecon, Kelly held various enterprise security roles, including CISO and director of information security for financial services companies. Kelly was also practice manager and senior security consultant for CyberTrust and Ernst & Young.

Kelly is a frequent contributor to the security community, speaking at conferences such as Cybercrime Prevention Summit, United Security Conference, RSA Conference, and RSA eFraud Global Forum. He is also a member of the Fraud Global conference board.
