Spending millions on APT defense? Don’t forget about Third Party Risk Management
Being a large company, you have a risk when hiring a third-party consultant - you condemn them to be hacked instead of you.
Advanced Persistent Threat (APT) has become a very popular term today, and companies are spending millions on APT defense. While APT defense is important for many large companies, it should not overshadow other security practices and strategies, from the correct and secure implementation of SSL to Third Party Risk Management (TPRM).
According to PwC’s Global State of Information Security Survey 2016, information security budgets have increased by 24 percent in 2015. Many organizations are incorporating strategic initiatives to improve security and reduce risks, relying on new technologies such as cloud-based cybersecurity solutions, cybersecurity insurance, and big-data analytics.
In comparison to 2013, when 74 percent of companies did not even hold a complete inventory of all third parties that handle employee and customer personal data, today 52 percent of companies have security baselines and standards for third parties’ cybersecurity, according to PwC. Third parties are typically IT vendors, suppliers, consultants, or lawyers.
Meanwhile, according to Bloomberg, 80 of the 100 largest law firms have been hacked since 2011. I highlight that 80/100 is the officially reported number of attacks that were detected; the total number of undetected or unreported APTs and intrusions would no doubt be a more frightening figure. Obviously, cybercriminals don’t care about law firms as such (I omit script-kiddies and ransomware attacks); they are interested in the firms’ VIP clients.
Why would hackers spend millions of dollars on expensive 0days and weeks of time preparing complicated APTs against a bank or an oil company if all the documents are available in the mailboxes of its lawyers? In Switzerland and Central Europe, we regularly assist compromised law firms that had not allocated a single dollar to their cybersecurity before the breach, thinking that nobody would ever bother to attack them.
In a world of globally interconnected technologies, cloud data storage and outsourcing, your data is only as secure as the least secure trusted party that has access to it. A recent example is the theft of 15 million records of T-Mobile customers following a data breach at Experian, a vendor that processed their credit applications.
Nowadays, hacking is a well-established [criminal] industry and adopts many of the rules that apply to any other business. One of the main rules is to maximize profit by spending less and/or generating more. Therefore, hackers are always looking to minimize the time and expense of every new intrusion, and one of the easiest ways to reach sensitive data is to compromise the least secure party that has access to it. That is the risk you take when hiring a third-party consultant: you condemn them to be hacked instead of you.
The good news is that the industry has already started implementing technical measures and regulations aimed at identifying and reducing third-party risks. The U.S. National Futures Association (NFA) has just announced that the Commodity Futures Trading Commission (CFTC) approved its plan regarding Information Systems Security Programs (ISSP), coming into effect on March 1, 2016. Among a long list of information security best practices, the NFA also requires an ISSP to address the risks posed by critical third-party service providers. Zurich, one of the largest insurance companies, has recently announced that it is starting to evaluate third-party risks for external IT vendors and partners. Many organizations release guidance and best practices on third-party risk monitoring and prevention.
The bad news is that it is still very difficult to estimate and prevent third-party risks in practice. Probably the biggest problem is continuously verifying that your third-party suppliers are as secure as they declare: what is secure now may become vulnerable tomorrow. Moreover, it is simply impossible to control each third party on site, so you have to trust the documents or questionnaires they provide you with. Security benchmarking companies are on the rise these days; however, there are many “dark areas” they can never properly control in practice.
I recently visited an insurance brokerage. The company has access to a large third-party database with lots of sensitive data from all over the world. To access the database, they need to authenticate with a 2FA token and their [complex] password [which they need to change every four weeks]. What do they do in practice? They leave the tokens on their desks and stick Post-it notes with their passwords on their monitors. Their office building, located in a nice skyscraper, allows almost anybody familiar with social engineering to easily bypass the reception and walk into any of the large open-space offices. Who can ever control this?
New regulations can sometimes even do more harm than good. Small consulting companies often struggle to win contracts with large multinationals that pay well. Obliged to comply with strict cybersecurity regulations, they spend their money on inefficient or inappropriate security solutions. Worse, they believe that after spending on security they have zero risk, lose their prudence, and are easily hacked by basic social engineering or phishing attacks. I saw a small financial company that was very proud of its hardware firewall, saying that they now click on any link in any email because, according to the firewall reseller, they have total protection against any threat.
Another example is the various IPS/IDS products aimed at monitoring abnormal or suspicious behavior when third parties access your data remotely. Sometimes you cannot properly segregate user access privileges, because for business reasons any user may need to access any record in your database. In that case you can set other limits, such as the number and frequency of requests, or request patterns and types. A few weeks ago, we conducted a penetration test for a financial institution that had such a system installed. Nevertheless, nothing blocked us. In fact, because the high number of false positives had caused a great deal of inconvenience to customers and to phone-based support, this feature had been switched to log-only mode, which blocked nothing. Worse, the logs were so large that nobody ever had time to analyze them.
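As an added illustration (not code from the article or from any product it mentions), the request-frequency and request-type limits described above applied to constructed third-party access log lines; the `mode` switch shows why a log-only deployment keeps producing alerts while blocking nothing. The log format, account names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not real data): "timestamp account action record".
SAMPLE_LOG = """\
2016-02-10T09:00:00 broker_acme SELECT client/1001
2016-02-10T09:00:05 broker_acme SELECT client/1002
2016-02-10T09:00:10 broker_acme SELECT client/1003
2016-02-10T09:00:15 broker_acme SELECT client/1004
2016-02-10T09:00:20 broker_acme SELECT client/1005
2016-02-10T09:00:25 broker_acme SELECT client/1006
2016-02-10T09:00:30 broker_acme EXPORT client/1007
2016-02-10T09:05:00 lawfirm_xyz SELECT client/2001
2016-02-10T09:06:00 lawfirm_xyz SELECT client/2002
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, account, action, record) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, account, action, record = m.groups()
            yield datetime.fromisoformat(ts), account, action, record

def evaluate(log_text, max_per_minute=5, allowed_actions=("SELECT",), mode="enforce"):
    """Per-account sliding-window rate limit plus request-type whitelist.
    mode="enforce" blocks offending requests; mode="log-only" only records an alert
    and lets every request through. Returns (alerts, blocked)."""
    windows = defaultdict(deque)   # account -> timestamps seen in the last minute
    alerts, blocked = [], []
    for ts, account, action, record in parse(log_text):
        w = windows[account]
        w.append(ts)
        while ts - w[0] > timedelta(minutes=1):   # drop requests older than the window
            w.popleft()
        reasons = []
        if len(w) > max_per_minute:
            reasons.append(f"{len(w)} requests/min exceeds {max_per_minute}")
        if action not in allowed_actions:
            reasons.append(f"action {action} not permitted for third parties")
        if reasons:
            alerts.append((account, record, "; ".join(reasons)))
            if mode == "enforce":
                blocked.append((account, record))
    return alerts, blocked
```

Running both modes over the same log yields the same two alerts, but only the enforce mode produces any blocked requests; an alert stream nobody reads, as in the engagement described, is equivalent to no control at all.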
Vladimir Naimark, CISSP, CISM, CEH, ECSA, senior manager at PwC Russia, shares his experience: “We do observe continuously increasing involvement of third-parties in confidential data processing of different companies. Not so rarely, even CISOs are not fully aware of which external service providers are engaged in confidential data processing by business departments directly, without involvement of security experts and proper risk assessment. We’ve faced cases where financial institutions requested that suppliers literally ‘establish appropriate level of protection’ for their data hosted externally, without understanding what it actually means and how it is going to be controlled. The ultimate result was lack of any reasonable protection as such. Nowadays outsourcing data processing often means not transferring the cyber risk but transforming it into a different but not lower one.”
Therefore, it is not enough just to identify, prioritize, and address third-party risks once a year. You need to establish a global, well-thought-out TPRM system that continuously monitors and re-evaluates third-party risks in a holistic manner, making sure that what you get on paper truly reflects reality.