It's undeniable that cloud computing and outsourcing have resulted in better margins and higher profits for businesses over the past 10 years. However, data breaches have continued to plague companies around the globe with no end in immediate sight. This begs the obvious question: Could there be some relation between the two?
There is a clear connection between data breaches and an increased adoption of cloud computing and outsourcing - and that’s what I want to discuss in this blog post. As a preface though, I want to be clear that this is NOT about why we shouldn’t be leveraging the cloud or outsourcing certain elements of business. In fact, the opposite is true. I firmly believe that we SHOULD be leveraging these areas to our advantage. But like most things in business, jumping into something blindly can come with certain risks and ramifications.
Security + The Cloud
A company recently brought in our Cybersecurity Consulting Group to evaluate their cybersecurity defenses and susceptibility to an attack. More specifically, they asked that we assess everything from the perspective of an attacker or cybercriminal. Our client had been entrusted with certain sensitive information and, rightfully so, wanted to better understand how difficult it might be for a criminal to hack into their network and gain access to this information they were trying to protect.
While performing reconnaissance on our client, we discovered a website that contained a significant amount of documentation about the client’s network. This documentation included IP addresses, office locations, usernames, passwords and other pieces of interesting information. Obviously, this was alarming. Upon further review and after speaking with our client, it became apparent that this document originated from a trusted third-party that was providing a particular service to our client and other companies.
In short, we had discovered that this third-party had been breached and that the attacker(s) had put everything out on the Internet. The motives for why they would do this are unknown, but the document had only been accessed a few times. It is likely that the attackers had been sharing the document between themselves and never intended for it to be discovered publicly. Regardless of the original motive or intent, by using the discovered credentials, our team was able to login to the client’s network and ultimately gain access to the information that our client was entrusted to protect.
Supply Chain Attack
What we had stumbled upon was evidence of a supply chain attack. By definition, a supply chain attack is a type of attack that seeks to damage a company by targeting less-secure elements in that company’s supply network. The compromised third-party provided a critical service to numerous high-profile companies - including our client. It’s highly probable that a threat group had targeted this third-party because they suspected (or knew) that this third-party worked with high profile companies/organizations.
Thankfully, our client was not significantly impacted by this particular situation; however, it shows how supply chain attacks can be very effective because criminals are primarily exploiting the trust that companies have placed in their contractors, vendors, or other business relationships. In many cases, companies are working with third parties because they are specialists within a particular field or area. However, unfortunately, many of these specialty company’s service delivery models have not been optimized for security, which effectively makes them a weak link in the chain.
Remember When ...
In late 2013, something similar happened to Target and the impact was devastating. As you might recall, a small HVAC vendor had legitimate VPN access to Target’s network for the purposes of monitoring and maintaining heating and air systems. Target is a successful retailer, not an HVAC company. So, it only makes logical sense that Target would outsource this portion of their business to specialists - especially when HVAC systems are such a critical component of their business.
Attackers specifically targeted and ultimately compromised this particular HVAC company for the purposes of masquerading their attack against Target. Because they were connecting to Target’s VPN from the HVAC company’s network using valid credentials, it was nearly impossible for Target to know whether the connection was legitimate or malicious. Once the attackers were connected to the VPN, they were able to explore Target’s network and look for other weak areas - which they found. This incident became the second largest credit and debit card breach, resulting in the theft of 40 million credit and debit card numbers and 70 million records of personal information.
The Cloud's Weakest Link
By moving servers to the cloud, companies have effectively decentralized their network perimeter while also simultaneously introducing third-party, cloud provider relationships to the equation. While none of this is inherently wrong, it absolutely changes the attack surface and often dramatically alters a company’s risk profile. Today, the weakest links for many businesses in the cloud are vendors, contractors, and other third-party providers.
Does this mean that we should stop putting our workloads in the cloud or consider switching back to an in-sourced staffing model? Of course not.
However, companies do need to evaluate the risks that third-parties present to their business. As businesses continue to embrace these concepts while also becoming more digitized than ever, we can expect a major uptick in supply chain attacks in 2019. Now is the time to prepare. A large company like Target can survive the fallout of a data breach; however, many smaller companies don’t have that same luxury and must proceed with caution.
Establish a Plan
Managing cyber risk is an incredibly complicated subject and there is no single, silver-bullet answer that I can offer the reader. Every company should look at all aspects of their business and understand the interplay between technology and the business itself. A company’s biggest risk is usually inside of that overlap. Therefore, a security program and a risk management strategy are essential.
With the new year just around the corner, I propose that companies make a resolution to focus on third-party risk and vendor management as one of their 2019 priorities. As a starting point, I offer the following recommendations:
Compile a detailed list of every vendor, partner, contractor, or third-party that does business with your company.
Determine which ones transmit, store, process or have access to any sensitive information.
Determine which ones have remote access to your network – even if they don’t have access to any sensitive data.
Assume each company in the list has been (or will be) breached. Evaluate and consider the potential impact to your business.
Ensure that you understand which third parties present the most risk to your business and begin to prioritize risk mitigation efforts.
Audit all vendors and third parties and require that they provide assurances that demonstrate their commitment to cybersecurity. (This will look different by company, but many free spreadsheets exist to help, including our current favorite here.)
Prior to entering into any business relationship with a third-party, have them sign a contractual agreement requiring them to adhere to all relevant information security/cybersecurity risk standards that apply and to accept liability for any damages that arise from their failure to do so.
Require third parties to allow periodic and random audits of their cybersecurity posture, to be performed by qualified auditors.
Require third parties to immediately disclose any cybersecurity incidents that impact the service being provided.
Encourage and reward employees for “thinking like a criminal” and ask them to look for new and creative ways to defraud or cause harm to the business. They often know your business better than anyone but don’t always feel empowered to vocalize such things.