By Deryck Mitchelson, Field CISO EMEA, Check Point Software Technologies.
The interconnectedness of the global marketplace means that a single supply chain disruption can compromise hundreds or thousands of organizations. To provide context, the average auto manufacturer retains 250 tier-one suppliers and 18,000 across the full value chain. Proctor & Gamble has over 75,000 suppliers and the French oil company Total does business with more than 150,000 different firms.
Organizations that fail to future-proof systems against cyber supply chain threats may see their own demise, along with the collapse of their industry, diminished marketplace results, loss of customer trust, and limited opportunities for future business growth. Does your organization take the reality of supply chain threats seriously enough? Does your business continuity plan provide a robust response to a supply chain attack?
The latest in supply chain breaches:
Healthcare has had several massive supply chain breaches. Last year, the National Health Service in the UK (NHS) experienced a breach following a cyber attack on one of its suppliers. This disrupted the 111 emergency advice line, interrupted ambulance dispatch, scrambled emergency prescribing, limited access to patient records, harmed appointment availability and affected patient referrals. Staffing services had to resort to pen and paper, not for the first and I suspect last time, unfortunately.
Fast-forward to the MOVEit breach, which began in May of this year, where attackers exploited a zero-day vulnerability in order to infiltrate a massive number of companies. Attackers listed affected company names and data on their leak site with the intention of having firms pay a ransom to recover data. And that’s only the beginning…
Not only were at least 1,000 organizations affected, but 60 million individuals had data compromised through the MOVEit breach. In Canada, the personal data of as many as 100,000 past and present government employees is believed to have been affected. These tallies reflect a fraction of the total number of organization and individuals who will likely suffer on account of this supply chain breach. It has now been estimated that the cost of the MOVEit breach sits at around $10 billion and rising.
The MOVEit story will continue to go on and on for months on-end. There are now multiple class-action lawsuits filed against the service provider, Progress Software and potentially lawsuits coming in cases where organizations have not been deemed to have fully assessed their supply chain risk and developed necessary mitigation plans. The era of cyber litigation and class-actions is upon us and you better be prepared.
The worst of it is that none of this is new. We’ve seen cyber attackers, indeed this same threat actor, exploit vulnerabilities related to managed file transfers in the past. The critical questions right now are: What due diligence are organizations doing around these breaches? Why are we not learning from the mistakes? What have we learned about the supply chain? There are hugely instructive lessons available to us here.
The questions that need to be asked:
Are we at a place where we believe that through the tick-box exercises, or achieving certification — for example, an ISO 27001 or cyber essentials within the U.K. — that organizations have then done enough and can simply declare their efforts sufficient?
As a consumer, I wonder whether we’re really safeguarding and prioritizing our most important data. Are we putting too much trust in our suppliers in assuming that that they will look after the data for us? That’s my big concern. As mentioned before, there are huge lessons to be learned from the MOVEit breach.
Do organizations ask to get confidence in the code that’s being written? Do they ask to see internal scan results and external scan results? Do they ask to see how a supplier’s CI/CD pipeline has been established so that they can see any misconfigurations or vulnerabilities within it and remediate or even better, auto-remediate in a timely manner? Most importantly, have we fully mapped our supply chain, do we understand where our critical suppliers’ dependencies are and who they are dependent on?
Sometimes, the questions are asked, but the answers are false…
In major companies, administrators are sometimes asked to tick boxes assuring vendors, partners or suppliers ‘yes, we have this level of compliance, we have this level of segmentation, we use best practices, we do scanning…etc’. But what’s happening is that the staff aren’t necessarily following through on any of the assurances that they’re signing their names to.
Giving confidence in assurances and compliance without having the technical expertise come in to do the work is a surefire path to cyber security mayhem.
The path forward for enterprises:
One part of the path forward involves red teaming. In so doing, organizations should be saying to their suppliers and business partners, ‘We are trusting you with HR data, with payroll data or with other confidential data. As part of our due diligence and contractual agreements, we would like to hire external parties and obtain a finer understanding of the services we’re getting and the corresponding software code to see if the service is fit for purpose.’
Something that we don’t talk about: Organizations need to obtain assurance alerts around technical guardrails. Setting up service provisioning is fine. However, as a buyer, I would need assurances around the quality of that service – the guardrails that are in-place. For me, that would be critically important. For instance, if you consume a service from ServiceNow or Workday — those are just examples — how do you ensure that the services maintain the highest levels of integrity, confidentiality and availability? (The CIA triad in cyber security.)
It feels like far too much trust is being given to these organizations to satisfy these requirements. Perhaps we should be in a place where every vendor that provides a service should have to verify that the service is provided in such a way as to ensure data encryption. And then, as the company that purchases the service, perhaps the company should own the encryption key. Fully encrypted data has no commercial value and will therefore not be a target.
To protect proprietary data and source code, we also need to do more obfuscation, ensuring that no data is shared as a part of the supply chain side – apart from what’s critically necessary to share. And that’s sometimes difficult, especially with things like payroll systems, for example. If you’ve got a payroll system, you tend to ask employees to log onto that system so that they can see the details; so that they can see their paycheck, and what’s gone to taxes…etc. So there’s a large data-egress.
Some of security comes down to ensuring that it’s essential, but minimal, information that gets transferred and shared and nothing more. It’s difficult when you get down to file transfer, because among a large file transfer, you have to spot the large egress of data being made.
In relation to the MOVEit breach, based on the technical controls, it should have been very clear for the service provider that there was a huge amount of data being exfiltrated. More likely than not, there was something around the operating procedure of the organization that led to the data breach. Systems should have been set up so that data could only come in from a trusted source and data could only go out to a trusted source. Thus, even if there were a breach, they’d have a level of authentication into the systems. In addition, there should have been a second level of control that actually, that said ‘there’s a large amount of data getting moved across to something that we don’t know about. There should have been a behavioral control that kicked in and that said ‘this is not normal.’ Let’s stop it, flag it, and can someone have a look to see what it was. But that didn’t happen. I don’t think that there was a second layer of behavioral controls at all. |
It’s also about forcing best practices, maturing areas of leadership and managing risk, which are often antithetical to what security teams actually want to be doing. The stuff that I just mentioned isn’t the exciting stuff that people want to work on. Security professionals want to work on the shiny stuff, with the cool tools. This is absolutely, totally different.
The path forward for consumers:
As I mentioned earlier, the MOVEit data breach has affected 60 million people. To put the number into perspective, an equivalent number of sports fans would fill the largest sports venue in the U.K., Wembley Stadium, 600X over. Not only do employers need to take action – arguably, consumers like you and I need to take action as well.
However, how do we ask our employers for assurances around how they’re controlling and managing our data? Employees must abide by a growing list of cyber security rules within day-to-day role, but I think that employees also need to hold employers accountable around the safeguarding of our private information.
It’s probably not something that employees are comfortable doing, but perhaps we’ve reached a tipping point. Employees need to say, ‘I’m interested in understanding the best practices that you’ve set up around protecting my data; around data loss prevention. Have you invested in zero-trust, for example?’ Or ‘Would you know if someone accessed my HR record?’ ‘Would that set of an alert in your system?’ And, ‘Would you know if an API were suddenly and illicitly connected to the payroll data system?’ ‘Would your organization be able to identify a large and unusual data egress?’
But I’ve rarely heard of anyone asking such questions.
Further insights:
Ensure that your suppliers are adopting a proactive, innovative approach to cyber security, with a sharp focus on prevention and the implementation of best practices; from the early stages of code development all the way across the supply chain. By embracing these methodologies and implementing robust systems, you can minimize the potential impact and scope of supply chain attacks. Or you might be able to avoid them in entirety.
I don’t think we are managing supply chain risk sufficiently. If we don’t, we may well end up in costly litigation.
For more insights from Global CISO Deryck Mitchelson, please see CyberTalk.org’s past coverage. Lastly, to receive more timely cyber security news, insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.