Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: How one business took 24 years to build and 24 hours to destroy, what the EU’s Agency for Cybersecurity has to say about supply chain attacks, why you should ask more questions about the security of your IT service providers, and why you should expect to be asked similar questions by your clients.
This week’s action: Ask questions. Seek evidence.
>>>>> THREE ARTICLES <<<<<
1: 24 years building a business, and 24 hours to blow it to smithereens (although it took 8 years for the explosion)
Ransomware is rampant. As Brian Krebs says in this article published by the LA Times, “There are a lot of predators out there doing this, and the reason we have so many of them is because there’s a lot of easy prey”.
Here is just one story about the easy prey: SEC Info had 500,000 customers who paid to gain access to 1.6 billion pages of SEC filings. It was recently hit with ransomware. The hackers gained access because the administrator password was the same as the owner’s Yahoo password. This password was breached 8 years ago when Yahoo was hacked. So, for those 8 years, the password “was sitting around as a ticking time bomb”. In late June, the hackers started their attack. It took “2.5 million failed login attempts before [the hackers] finally hit on the right password”. There are no backups of either the data or the customer lists. This means that “once SEC Info is back in operation, [the owner] won’t be able to proactively inform his customers what happened — he’ll have to wait for them to get in touch with him.”
Reusing a password (and not changing it in 8 years). No backups. No multi-factor authentication. No security monitoring to spot 2.5 million attempted logins. Hindsight is 20/20.
Read more: https://www.latimes.com/business/story/2021-07-09/a-ransomware-attack-destroys-a-thriving-business via https://securethevillage.org/news
2: If you are a supplier: Get ready for plenty of questions
ENISA (The European Union Agency for Cybersecurity) recently released a study of 24 supply chain attacks that took place within the European Union in the last 18 months. It estimates that there will be 4 times more supply chain attacks in 2021 compared to 2020, primarily because “the robust security protection that organizations have put in place” has caused the criminals to turn their focus to a target’s suppliers. Supply chain attacks are also appealing because one successful attack can impact a number of organisations.
The recommendation from ENISA: “Incorporate all [of your] suppliers in [your] protection and security verification”. In other words, verify that all suppliers are taking this risk seriously and can demonstrate that they have appropriate measures in place.
If you are a supplier, get ready for more 300-question questionnaires, and plenty of follow-ups if you can’t easily demonstrate that you have your house in order.
Absence of evidence = Evidence of absence.
Read more: https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
3: If you are a client: Don’t trust. Verify.
“By outsourcing many of their day-to-day IT requirements to these companies, smaller organizations in particular can save costs, improve service levels and focus more resources on growing the business. In theory, they can also reduce security risk by handing over to a more capable and well-resourced provider. However, as the ransomware campaign impacting Kaseya customers has illustrated, MSPs can also be a source of cyber-risk.”
For a cyber attacker, “it makes total business sense to spend time researching and targeting a single organization that can provide access to potentially thousands more, than to target those downstream customers individually”.
While this article recommends a number of questions you should ask your IT managed service provider about their cybersecurity measures, the questions are also applicable to SaaS providers, software vendors, and any of the third parties in your supply chain.
The questions include:
- “What is their patch/vulnerability management program like?
- Do they run the eight essential controls for MSPs? (These are: app whitelisting, patching and hardening, restricting administrative privileges, multi-factor authentication, OS patching, daily backups, and adjusting Office macro settings)
- Do they operate a least privilege access policy and network segmentation to minimize the attack surface?
- Do they regularly train and update staff in phishing awareness?
- Do they undertake regular and comprehensive security audits/reviews?”
Just remember – If you are asking your IT MSP, you are not asking about how they do these things for your organisation. You are asking them how they do it within their organisation.
Also, don’t be surprised if a supplier is slow to respond – They may not have evidence to back up their sketchy answers.
Absence of evidence = Evidence of absence.
Read more: https://www.welivesecurity.com/2021/07/13/msp-kaseya-incident-third-party-cyber-risk/ via https://securethevillage.org/news
>>>>> TWO STATISTICS <<<<<
1: 62%
According to the ENISA report on supply chain attacks: 62% of supply chain attacks succeeded because the victim inherently trusted their supplier, and this trust enabled the attacker to get through the victim’s defences.
If you are a supplier, you will soon have to earn a client’s trust, by proving that you are not a cybersecurity risk. “Don’t worry about it” will not be an acceptable answer. You will need evidence.
Absence of evidence = Evidence of absence.
Read more: https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
2: 66%
Again, according to ENISA, “66% of the incidents attackers focused on the suppliers’ code in order to further compromise targeted customers”.
If you write code or applications that are then used by clients, you are a golden ticket for a cyber attacker. If you do not protect this code, and secure the devices that can access this code, and protect the people that operate these devices, you’re making the attacker’s job so much easier.
Your developers may hate the idea of losing local admin access, or having restrictions placed on the websites they can visit, or controls introduced to review the tools they want to install on their device, but what your developers want is also what your cyber attackers will adore. They’ll be Charlie in the Chocolate Factory.
Read more: https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
>>>>> ONE ACTION <<<<<
1: Start asking your key IT service providers about their security measures
Do not assume that an IT company is secure. Just because someone knows how to manage a server or develop software does not mean they know (or care) that they are doing this in a secure way.
Follow ENISA’s advice and ask questions (like those listed in the welivesecurity article mentioned earlier). Seek evidence that backs up their answers.
Remember: Absence of evidence = Evidence of absence.
Yes, it’s a pain to have to ask questions and review answers (and chase a supplier that is slow to respond or does not answer the question they were asked). But it’s far less painful than cleaning up after a cyber-attack that succeeded because of your IT provider’s lax controls. It might be their fault. But it will be your headache.