Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: My focus is on firms that sell software or services to other organisations. You need to realise what the cybercriminals already know and what your prospects (and their regulators) are becoming increasingly concerned about: you are the perfect stepping stone into your clients’ computer systems, and you could be the weakest link in their cybersecurity defences. This was demonstrated in the WannaCry attack of 2017, the SolarWinds attack of 2020, and this month’s Kaseya attack, which has impacted up to 1500 businesses.
This week’s action: Recognise that your suppliers are a risk to you, and you are a risk to your clients.
>>>>> THREE ARTICLES <<<<<
1: Your software is the perfect delivery mechanism for ransomware
If you develop software for a client, or for many clients, cybercriminals are very interested in your cybersecurity defences. After all, why should they focus on just one of your clients when they could focus on you and use you as a way into all of your clients? Two (hundred?) birds with one stone.
2: Your service providers are the perfect delivery mechanism for ransomware
I am making the same point here, but from the perspective of the businesses impacted by these types of attack. In the Kaseya attack I mentioned above, few if any of the 1500 businesses impacted were customers of Kaseya. They never explicitly bought the software – their external IT MSP did. It is possible that the first time these businesses heard of Kaseya was when they were hit by ransomware and found out that it got into the organisation because of the Kaseya attack.
“Essentially, the [service providers] do all the hard work for the threat actors because they unknowingly deploy the malicious software out to all their customers”
Attacks like these remind us why regulators are pushing regulated firms to do more about supply chain risk management, and to go further than third party risk management.
3: What could a firm do to defend against this type of attack?
1500 businesses were infected with ransomware because of a vulnerability in a piece of software that most of them didn’t even know they used.
The key question: What could they have done to defend against this type of attack?
If you are Kaseya: review your vulnerability and patch management processes. According to this report on KrebsOnSecurity, the attack succeeded because two known vulnerabilities were not addressed by Kaseya. If the report is correct, one of these vulnerabilities was addressed in a patch released by Kaseya in 2015. The other was first identified three months before the attack.
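To make “review your vulnerability and patch management processes” concrete, here is an added example (written for this page, not code from the newsletter, Kaseya, or KrebsOnSecurity) of the kind of patch-backlog check a software or service firm could run over its own inventory. It compares installed versions against a list of vendor advisories and flags every host still running a version older than the fix, sorted so that the oldest unaddressed fix comes first and measured against an internal remediation deadline. The product name ‘rmm-agent’, the hostnames, versions and dates are all constructed placeholders, not real Kaseya data.

```python
"""Patch-backlog check: compare an installed-software inventory against
vendor advisories and flag hosts still running a vulnerable version past
an internal remediation deadline.

All product names, versions, dates and hostnames below are constructed
placeholders for illustration; none of them describe Kaseya's software.
"""
from dataclasses import dataclass
from datetime import date, timedelta


def parse_version(text: str) -> tuple[int, ...]:
    """'2.9.1' -> (2, 9, 1); tuples compare lexicographically, so
    (2, 9) < (2, 9, 1) < (2, 10, 0) without any string-comparison traps."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: tuple[int, ...]   # first version that contains the fix
    published: date             # date the fix (or the flaw) became known


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: tuple[int, ...]


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    running: str
    fixed_in: str
    days_overdue: int   # days past the deadline; negative means still within the SLA


def patch_findings(inventory, advisories, today, sla_days=30):
    """One Finding per (host, advisory) where the host runs a version older
    than the fix. The deadline is advisory.published + sla_days, so a fix
    released years ago shows up with a very large days_overdue."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv.product != item.product:
                continue
            if item.version >= adv.fixed_in:
                continue  # this fix is already applied
            deadline = adv.published + timedelta(days=sla_days)
            findings.append(Finding(
                host=item.host,
                product=item.product,
                running=".".join(map(str, item.version)),
                fixed_in=".".join(map(str, adv.fixed_in)),
                days_overdue=(today - deadline).days,
            ))
    # Oldest unaddressed fix first: that is the one that should worry you most.
    return sorted(findings, key=lambda f: f.days_overdue, reverse=True)


def overdue_hosts(findings):
    """Hosts with at least one finding already past its deadline."""
    return sorted({f.host for f in findings if f.days_overdue > 0})


# Constructed sample data: a hypothetical remote-management agent with one
# fix from 2015 and one from spring 2021, installed on three placeholder hosts.
ADVISORIES = [
    Advisory("rmm-agent", parse_version("2.4.0"), date(2015, 6, 1)),
    Advisory("rmm-agent", parse_version("2.9.1"), date(2021, 4, 2)),
]
INVENTORY = [
    Installed("srv-01", "rmm-agent", parse_version("2.3.5")),  # misses both fixes
    Installed("srv-02", "rmm-agent", parse_version("2.9.1")),  # fully patched
    Installed("srv-03", "rmm-agent", parse_version("2.8.0")),  # misses the 2021 fix
]
TODAY = date(2021, 7, 2)

if __name__ == "__main__":
    results = patch_findings(INVENTORY, ADVISORIES, TODAY)
    for f in results:
        print(f"{f.host}: {f.product} {f.running} < {f.fixed_in}, "
              f"{f.days_overdue} days past deadline")
    print("hosts needing attention:", overdue_hosts(results))
```

The point of the sort order is the lesson from the report above: a fix that has been available for years and is still missing is a process failure, not a scheduling problem, and a check like this makes that visible on the first line of its output. In practice the inventory would come from your deployment tooling and the advisories from your own release notes or a vulnerability feed, rather than the constructed lists used here.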
If you are a ‘normal’ business: the US Cybersecurity & Infrastructure Security Agency (CISA) published guidance on ‘Defending Against Software Supply Chain Attacks’ in April 2021. Page 8 gives a checklist of things you should ask your suppliers and software providers – for example, seeking evidence that their software development processes incorporate “secure software development practices” and that the supplier “actively identifies and discloses vulnerabilities”. It also suggests looking elsewhere if the responses you receive to your questions are evasive or incomplete.
If you are a software development business: again, the US is here to save the day. CISA recommends that you become familiar with a white paper published by NIST that outlines a subset of high-level practices that should be particularly helpful for integrating a Secure Software Development Framework (SSDF) into your SDLC.
>>>>> TWO STATISTICS <<<<<
The number of endpoints (i.e. PCs and servers) that could have been impacted by the one attack on Kaseya, spread across up to 1,500 businesses. To repeat a key point – most of these 1500 businesses were probably unaware that the Kaseya solution was in use within their business.
2: $70 million
The attackers behind the Kaseya attack apparently offered to stop the attack and provide a ransomware decryption tool for a single payment of $70 million, according to Sophos. Sophos also point out that the Kaseya attack is like the ‘good’ malware attack that killed all those pesky aliens in Independence Day.
>>>>> ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this. <<<<<
1: If you develop software, recognise that you are a risk to your clients. If you rely on service providers, recognise that they are a risk to your business.
I accept that this week’s action is more ‘aspirational’ than ‘actionable’. But we all need to recognise that our security depends on our supply chain, and our vulnerability depends on where we sit in the supply chain.
If you develop software, you need to recognise that your vulnerability is not just the financial loss you will incur if you get hit by ransomware – it is the reputational loss you will suffer if your software enables an attack on your clients. In this context, reputational damage means the book value of your business will drop like a stone. And if you could be easily replaced by a competitor, you will be – clients will deem you too much of a risk.