Vulnerabilities / Threats

10/31/2018 10:30 AM
Brandon Dobrec
Commentary

Spooking the C-Suite: The Ephemeral Specter of Third-Party Cyber-Risk

Halloween movies are the perfect metaphor for breaking down today's scariest supplier breach tropes.

If data breaches were a film genre, third-party cyber-risk would be the talk of producers and casting agents; it's where the money is. Like a relentless killer who cannot seem to be destroyed, third-party breach scenarios dominate the headlines. The scares are all different — compromised health records, weapons designs, or automakers' trade secrets — but the plot is the same: leaked and stolen files via compromised contractors, supply chains, or business partners.

From my vantage point counseling senior executives on cyber-risk management, it is easy to see why the ephemeral specter of third-party cyber-risk haunts the C-suite. It's because when you're operating in your company's own familiar environment, you often miss the warning signs of danger lurking — until something hits you. Leaders complain they can spend untold sums and time ratcheting down their company's internal security measures only to see their data and reputation suffer the consequences of errors and carelessness at other companies, seemingly out of their control.

Let's break down a few third-party breach tropes and how to confront them:

The Partner You Don't Know

Photo Credit: 'Creature from the Black Lagoon', Public Domain, from the Florida Memory Project hosted at the State Archive of Florida.

Just as the Creature from the Black Lagoon terrified boaters who stumbled onto his turf, many companies don't learn of a third party's privileged access until a breach flops onto the deck and begins costly disruptions. Given how technology and business forces constantly evolve, it is very easy to overlook business partners who have accumulated through decentralized and delegated sourcing, M&A, and other shifts.

The best way to avoid a terrifying Halloween surprise (or any other time of year, for that matter) is to create cross-functional vendor management teams including sales, development, and marketing. These overseers can interface with both the chief information security officer's (CISO) organization and other stakeholders, like the CFO. This will maintain an updated, central radar screen of third-party relationships to ensure that security, financial, and other controls are all evenly applied.

The Trusted Partner Who Proves to Be Risky
Dr. Jekyll probably aced his security interviews and contract negotiations. After all, he's a scientist! But what oversight mechanism kicks in when a company you trust one minute becomes the equivalent of Mr. Hyde the next? 

The solution requires more than annual audits, one-time compliance checks, or the threat of litigation. It's better for companies to configure alerts that fire when their intellectual property or the names of their business partners turn up on the Dark Web, paste sites, or the wider cybercrime underground. Often, the first occurrence of breached data offers telltale indicators of whether the material was targeted directly or spilled out of a larger third-party breach. Early-warning measures like these minimize needless exposure by helping find and remedy vulnerable systems.
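One way to implement the alerting just described, as an added example that is not from the article or from LookingGlass: a small Python watchlist matcher run over paste-site style feed entries. The watchlist terms, the feed entries and the Alert structure are assumptions constructed for the illustration; a real deployment would take its entries from a threat-intelligence or paste-monitoring source. It goes slightly beyond the paragraph by tolerating the squashed, hyphenated and underscored forms partner names take in dumps, and by grouping hits per entry so an analyst can tell a single-partner mention from a wider spill.

```python
"""Watchlist matcher for partner names, partner domains and IP code names
appearing in underground or paste-site feeds.

Hypothetical example: the watchlist, the feed entries and the Alert shape
are constructed for illustration, not taken from the article or any product.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed watchlist of things whose appearance in a dump warrants a look:
# business partners, the domains those partners use, and internal IP names.
WATCHLIST: Dict[str, List[str]] = {
    "partner": ["Acme Logistics", "Northwind Analytics"],
    "domain": ["acme-logistics.example", "northwind.example"],
    "ip_asset": ["Project Lantern", "Blue Harbor design files"],
}


@dataclass(frozen=True)
class Alert:
    source: str      # identifier of the feed entry that matched
    category: str    # watchlist category (partner, domain, ip_asset)
    term: str        # the watchlist term that fired
    excerpt: str     # a little context around the match for the analyst


def _compile(term: str) -> "re.Pattern":
    """Build a case-insensitive pattern for one watchlist term.

    Words of a term show up in dumps joined by spaces, hyphens, underscores,
    dots or nothing at all ("acme-logistics", "ACME_LOGISTICS", "acmelogistics"),
    so the separator between words is flexible. Word boundaries on both ends
    keep "Macme Logistics" from matching "Acme Logistics".
    """
    words = [re.escape(w) for w in term.split()]
    return re.compile(r"(?<!\w)" + r"[\s\-_.]*".join(words) + r"(?!\w)", re.IGNORECASE)


COMPILED: List[Tuple[str, str, "re.Pattern"]] = [
    (category, term, _compile(term))
    for category, terms in WATCHLIST.items()
    for term in terms
]


def scan(entries: List[Dict[str, str]], context: int = 30) -> List[Alert]:
    """Run every watchlist term over every feed entry (title plus body)."""
    alerts: List[Alert] = []
    for entry in entries:
        text = entry["title"] + "\n" + entry["body"]
        for category, term, pattern in COMPILED:
            match = pattern.search(text)
            if match is None:
                continue
            start = max(0, match.start() - context)
            end = min(len(text), match.end() + context)
            excerpt = text[start:end].replace("\n", " ")
            alerts.append(Alert(entry["source"], category, term, excerpt))
    return alerts


def group_by_source(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group hits per feed entry so an analyst can see at a glance whether one
    dump names a single partner (looks targeted) or several things at once
    (looks more like a larger third-party spill)."""
    grouped: Dict[str, List[str]] = {}
    for alert in alerts:
        grouped.setdefault(alert.source, []).append(f"{alert.category}:{alert.term}")
    return {source: sorted(hits) for source, hits in grouped.items()}


# Constructed sample feed entries (not real pastes).
SAMPLE_ENTRIES = [
    {"source": "paste-1", "title": "combo list dump 10/2018",
     "body": "creds from acme-logistics.example vpn, 40k lines, more in thread"},
    {"source": "paste-2", "title": "random python snippet",
     "body": "def helper():\n    return 42"},
    {"source": "paste-3", "title": "leaked - northwind analytics client export",
     "body": "PROJECT_LANTERN specs attached, from contractor mailbox"},
    {"source": "paste-4", "title": "unrelated",
     "body": "nothing about macme logistics here"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_ENTRIES):
        print(f"[{alert.source}] {alert.category}={alert.term!r}: ...{alert.excerpt}...")
    print(group_by_source(scan(SAMPLE_ENTRIES)))
```

On the sample entries, paste-1 fires on both the partner name and its domain, paste-3 fires on a partner and an internal project name, and paste-2 and paste-4 stay silent; the flexible separator is what lets "PROJECT_LANTERN" and "acme-logistics" match their watchlist entries without a separate spelling for each.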

The Promise and Peril of New Technology Frontiers
Dr. Frankenstein thought he could make death obsolete. In Event Horizon and Ex Machina, brilliant minds create new technologies that are awe-inspiring at first — but soon reveal terrifying, unintended consequences. Protagonists begin these films coolly and seemingly in control of technology that pushes boundaries but end up with more than they bargained for, and a total loss of control.

Today's ubiquitous third-party data breaches fortunately do not cause loss of life or the rise of sentient machines. However, many a company has rushed to embed a hot new service provider's remarkable technology without necessarily realizing or weighing the inherent risk being shouldered in the process. For example, companies that turned to a popular online chat tool, including Best Buy, Sears, and Delta Airlines, were affected when the high-profile, category-defining vendor behind the chat platform was hit with malware.

In fairness, any outsourced technology can be breached — not only those of hot, emerging startups. But this underscores the point that companies need to follow the trail to see where their data goes and "who" has access to "what." While it's unrealistic to expect a customer service leader to know her or his company's entire risk appetite, it underscores the need to have cross-functional team-based approaches to sourcing and major investments in any new technology partner — particularly those running code on your site or in your product.

The Cliffhanger
THE END… or is it? When the 3:00 a.m. phone calls, harried email threads, tired spokespeople, and empty takeout containers subside after an exhausting data breach response, employees feel partially relieved. Yet they are also wary of "What else is out there?" This is akin to how our heroes feel after they finally destroy the last alien or zombie — right before the camera pans to an egg or one more infected person right before the credits roll. Hollywood and merchandisers love to set things up for a sequel, but executives and CISOs would be doomed to failure if they find themselves trapped in a reboot of the same breach screenplay six months later.

After every third-party breach affecting their business or a peer company, security leaders need to take stock of what happened, and study precursor activities or preconditions that allowed excessive risk to go unchecked. In some cases, attackers might have been remarkably lucky, or the root cause could be the result of unimaginable oversights in vendor behavior and decision-making.

It is true no organization can find everything that might be lurking in the night to do them harm. But taking a deeper look at these telling patterns can equip security professionals to speak up when they start hearing familiar assumptions and clichés from scripts they have seen too many times before.


Brandon Dobrec has dedicated his career to cybersecurity, particularly to delivering the comprehensive threat data, intelligence, and tools required for organizations to minimize their business risk. Since joining LookingGlass in September 2016, Brandon has served as an ...

Comments
qiujanji (User Rank: Apprentice), 11/7/2018 | 3:45:58 PM
nice
very nice post :)
matanorel (User Rank: Apprentice), 11/7/2018 | 10:08:36 AM
Doesn't point to the real problem
This article does a great job describing the problem. Unfortunately, however, the discussion of potential solutions fails to point to the real problem: lack of resources. While the concept of creating cross-organizational monitoring teams and the idea of darknet vigilance do make sense in theory, they don't reflect the reality, where the number of third-party data exchanges is far beyond what organizations can handle. A crucial piece of tackling the third-party risk problem is a platform that not only collects information about your third-party risks, but also points out areas that require attention or present challenges to your organization.
QQ1221 (User Rank: Apprentice), 11/4/2018 | 8:44:01 PM
QQ1221
I am still confused about this article..
Joe Stanganelli (User Rank: Ninja), 10/31/2018 | 11:40:54 PM
Cavoukian
On the privacy front, we saw this happen recently in Toronto when privacy expert Ann Cavoukian resigned her position from a major Smart Cities renovation project by Sidewalk Labs (an Alphabet subsidiary / Google sister company). Upon hearing that the assurances that data would always be anonymized at the source could no longer be assured when it came to outsiders working with a third party that commissioned Sidewalk Labs for the project (Waterfront Toronto), Cavoukian reportedly quit right then and there.
WilliamSlater (User Rank: Strategist), 10/31/2018 | 3:30:27 PM
Ephemeral? Really?
Nice article. Thank you.

By the way, you probably misused the word Ephemeral in your title.  Maybe you meant to use the word "Eternal", because "Ephemeral" means "very short-lived", and in fact, as long as a company has third-party vendors, the potential for risk never ends.  