The latest posterchild of third party risk raises serious questions for cybersecurity executives about the assessment and oversight of technology vendors
Network monitoring software firm SolarWinds was notified of a major supply chain hack of their Orion Platform using malware known as SUPERNOVA on December 12, 2020. Attackers weaponized platform updates to spread the SUPERNOVA malware to SolarWinds’ network of customers.
Ultimately, the hack may have affected up to 18,000 companies and government agencies in the US. Widely thought to be the result of Russian state-sponsored cyber espionage, the true perpetrators are still unknown, as are the true scale of and motivations for this unprecedented breach.
“Everyone knew it was possible,” says Sparbanken Syd CISO and Head of IT Jörgen Mellberg. “But that it would blow up like this with such a big vendor as SolarWinds with enterprise systems that almost everyone is using? That was really an eye-opener.”
The breach eluded world-class cybersecurity teams at some of the US’ largest companies for months, and went as far as compromising Microsoft’s cloud protections, allowing the hackers to access its source code.
For cybersecurity executives, the hack raises questions about network vulnerability because of supply chain hacks from thirdparty vendors.
Mellberg concludes: “You really need step-by-step processes of how to assess your third parties and how they handle your risks and potential incidents like this.”
Evaluating Third-Party Vendors on Risk
One reason the SolarWinds hack is so concerning for corporate cybersecurity experts is that compromised updates from third parties are so hard to detect.
Patching and updating software is itself one of the most basic protections against cybercrime. But what if those patches and updates, seemingly authentically signed, are introducing malware to your network?
“We all use a lot of third parties, and there is no way that each and every integration and each and every package, upgrade or update can be scanned,” says Voya Financial SVP, Global Chief Information Security Officer Raj Badhwar. “There is no way that we can detect using traditional means all the malware that may be hidden in there.”
For many cybersecurity executives, this has meant a new focus on evaluating third-party technology providers based on their cybersecurity credentials. However, there is no regulatory guidance on how this should be done, leaving negotiations to be conducted largely on a case-by-case basis.
“Unfortunately, there’s no regulation to force a third-party’s hand on compliance,” notes BNP Paribas Group Head of Cyber Risk Intelligence Jules Pagna Disso. “You might point out during that [they] have a number of vulnerabilities that we feel can be exploited. It works for some, but it doesn’t always work for others.”
Technology solutions such as BitSight or RiskRecon can help with this process, of course. But you don’t need a multi-milliondollar program to get started. The process begins with the basics of global sourcing and vendor management.
“If you don’t have anything in place, then ensure that you build out a questionnaire containing basic security information,” advises Equifax Business Information Security Officer Michael Owens. “Get [vendors] to fill it out. Start to capture some basic information and build out a tracking program.”
“If you do have a program, then it really has to be about refining it,” he adds. “Working to mature that program and ensure that the visibility is raised to the point where information security is really baked into that process.”
“Every company is a target, and it doesn’t matter what business or what industry you’re in,” he concludes. “Attackers are constantly and consistently going to find ways to try to infiltrate your environment.”
Locking Down Lateral Movement to Reduce Exposure
While risk can be mitigated with careful vetting of technology vendors, the possibility of a breach introduced by third-party software can never be eliminated.
“It’s not about that if we will be attacked, it’s about when we will be attacked,” warns Pravin Kumar, CIO at payments company Wimbo. “In parallel, it is also true that you can be safe and secure to some extent as well. It’s not rocket science. But it’s important to create basic technology hygiene.”
Technology hygiene starts with threat detection and careful use of account management to limit the ability of a bad actor to move laterally across the network, Kumar explains.
“It’s crucial to look for lateral movement in attacks that are going on and evaluate technologies that can watch for individuals trying to either access systems or data inappropriately,” says Bank of America Merrill Lynch SVP Business Information Security Officer David Monahan.
“It’s important to firewall, and essentially isolate authorized communications between applications to restrict unauthorized entities from accessing those applications while trying to move laterally or exfiltrate data,” he concludes.
This example highlights the importance of account management to ensure that users, human or computer, only have access to the parts of the network that are necessary. This is especially true of accounts with administrator privileges which are the biggest prize for any would-be attacker.
Cybersecurity executives focused on preventing the spread of an attack know that the internal security is as important as the external security.
“Administrators should not be allowed to administrate the whole environment, administrative rights should be limited and compartmentalized,” says Pagna Disso. “Unfortunately, many businesses do not take their internal vulnerabilities as seriously as the ones that they expose to the internet.”
This is an extract from the exclusive report The 2021 Information Security Agenda. The report highlights how COVID-19 has rapidly shifted priorities for Chief Information Security Officers (CISOs), requiring them to implement new strategies, technologies and educational programs in a time of heightened risk. Click here to get your copy.