Vulnerable Vendors: Supplier Weaknesses Put Your Organization at Risk

Richard Long

The SolarWinds hack showed how under-protected many vendors are and how easy it is for companies to be attacked through their vulnerable suppliers. In today’s post, we’ll look at the risks companies are exposed to through their vendors and share some ideas on how organizations can plug the gaps and increase their security.

The Significance of SolarWinds

In the recent hack of IT management vendor SolarWinds, attackers thought to be Russian state-sponsored compromised the build process for the company's Orion platform, which is used by many Fortune 500 companies, top government agencies, and thousands of other clients. They inserted a backdoor into Orion's code, and SolarWinds unwittingly shipped it to roughly 18,000 customers in routine, digitally signed software updates.

The SolarWinds hack was bad enough, but it probably amounts to only an opening salvo in this new type of cyber-struggle.

The significance of the SolarWinds hack for business continuity professionals is that it was not a one-off attack. Rather, it highlights a pervasive and growing vulnerability that BC pros need to be aware of and take steps to address.

Defining the Danger

What is the danger, exactly? It’s that hackers might penetrate one of your suppliers and then, once they’re inside, gain the means to infiltrate your organization through the back door. They can then spy on its activities, cripple its operations, and steal its data.

The irony is that the tools that make it easy to keep software current, such as automatic updating, also make it easy for attackers to fan out through a vendor's entire client base. A malicious update delivered through the vendor's normal channel, carrying the vendor's own digital signature, looks exactly like a legitimate one to the client's controls, and every client that installs it is compromised at once.

Identifying the Richest Targets

It hurts to say it, but these attackers are extremely capable. Corporate IT staff may be the cream of the crop; attackers on the level of the SolarWinds intruders are the cream of the cream, at least in terms of technical ability. (In other respects, it's another story.)

The people who broke into SolarWinds didn't hit on such a strategically rich target by accident. They know which kinds of vendors are likely to provide deep access to valuable targets, and few third-party service providers are shy about listing their most important clients on their websites. This means attackers can scan providers' sites the way diners read a restaurant menu, thinking about which dishes they might like to order. ("If we break into Orion, we can gain access to Microsoft, Boeing, the Department of Homeland Security, and the Los Alamos National Laboratory!")

Digital Break-ins, Physical Intruders

With SolarWinds, the attack was purely digital, but it's not hard to imagine one that is part digital and part physical; for a high-value target, the effort might be worth it. Suppose an attacker breached one of the target's vendors and learned critical details about the account, such as the name of the technician assigned to it. The attacker might then forge credentials, impersonate a replacement technician, gain access to the data center, and swap a clean drive for one containing malware.

Today this idea seems outlandish; tomorrow you could read about it in the newspaper.

That’s a sketch of the risks companies face through third-party attacks. Let’s turn to how they can make themselves safer.

How to Reduce Your Exposure

For the most part, protecting your company against back-door attacks through your suppliers is not about putting new infrastructure and processes in place. It’s about risk assessment, supplier analysis, and ensuring that the appropriate checks and balances are in place for your environment.

First, you should understand who your technology vendors are, how they are protecting their IT and your data, and how it would impact you if they suffered a breach.

Here are some things you can do to reduce the danger:
  • Don’t put blind faith in the security of your third-party vendors, no matter how big and famous they are.
  • Determine whether the vendor’s security controls are sufficient for the level of access it has. If they aren’t, press the vendor to tighten them. If it won’t, find a new vendor.
  • Make sure you have the standard protections in place, such as proactive monitoring of system logs, including the logs of the hosts that run vendor software.
  • Review your always-on connections to your vendors’ software systems, in both directions. Turn off those that are not necessary and restrict the rest to the specific hosts and destinations they actually require.
  • Consider requiring case-by-case approval of automatic requests to perform routine system updates, and stage approved updates in a test environment before rolling them out. Bear in mind that a signature check alone is not enough: the malicious SolarWinds update was signed by the vendor.
  • Consider whether you want your vendors to identify you as one of their customers publicly. If not, you might want to include a provision disallowing this in your contract.
  • Consider mandating that your vendors obtain independent security certification, such as ISO/IEC 27001, and review the scope of the certificate to confirm it covers the service you actually use.
  • Don’t reuse passwords across vendors, and turn on multifactor authentication for vendor portals and remote-access connections wherever it is offered.
  • Focus on the vendors that have access to your sensitive information or a connection into your network. Suppliers that hold only public or innocuous information about your organization and have no path into your systems are of less concern.
  • Pay special attention to your infrastructure vendors’ security, since the hardware and software they provide are the gateways into your systems.
  • Remember that your vendors also have vendors, and their vulnerabilities are your vulnerabilities. In conducting your risk analysis, look down the supply chain.
  • Ask yourself whether your company’s mission makes it a desirable target. If it does, you’ll have to be that much more vigilant.
  • Ensure that your protection against a third-party attack will be maintained even if an event impacts your organization. This might require updating your IT/disaster recovery strategies and solutions.
  • Don’t fool yourself about the caliber of your adversaries. Unfortunately, there are many technically proficient bad actors out there, and the best way to counter their skill is through your diligence.
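As an added illustration of the log-monitoring and connection-review items above, the script below is example code written for this page, not code from the original post or from SolarWinds. It reads constructed proxy log lines for hosts that run vendor software and flags every outbound connection that is not on that host's approved vendor allowlist. All host names, domains, IP addresses and the log format are made up for the example.

```python
"""Flag outbound connections from hosts running vendor software that fall
outside an approved per-host allowlist.

Added example written for this page; not code from the original post or from
any vendor. All host names, domains, IP addresses and the log format below are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed allowlist: each host that runs a vendor's software, mapped to the
# vendor endpoints it legitimately needs to reach. Anything else is a finding.
APPROVED_EGRESS = {
    "mon-srv01": {"updates.vendor-a.example", "license.vendor-a.example"},
    "backup-gw02": {"api.vendor-b.example"},
}

# Constructed proxy/firewall log lines, one connection per line:
#   <timestamp> <source host> <destination> <destination port> <bytes sent>
SAMPLE_LOG = """\
2021-01-15T02:00:01Z mon-srv01 updates.vendor-a.example 443 18211
2021-01-15T02:00:09Z mon-srv01 license.vendor-a.example 443 912
2021-01-15T02:13:44Z mon-srv01 cdn-telemetry.example.net 443 4096
2021-01-15T02:13:45Z mon-srv01 cdn-telemetry.example.net 443 4096
2021-01-15T03:30:00Z backup-gw02 api.vendor-b.example 443 77123
2021-01-15T03:31:12Z backup-gw02 10.0.5.17 445 2048
2021-01-15T04:00:00Z web-front03 www.example.org 443 512
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")
# RFC 1918 ranges; used only to label a finding as internal lateral movement.
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def find_unapproved_egress(log_text, approved=APPROVED_EGRESS):
    """Return {src_host: {destination: connection count}} for connections from a
    monitored host to any destination not on that host's allowlist.

    Hosts absent from the allowlist are ordinary servers covered by other
    policy and are skipped here.
    """
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in approved:
            continue
        if rec["dst"] not in approved[rec["src"]]:
            findings[rec["src"]][rec["dst"]] += 1
    return {src: dict(dsts) for src, dsts in findings.items()}


def classify(dst):
    """Label a finding: a vendor host reaching into your own address space is
    the 'fan out through the client's network' case; an unknown external
    destination may be beaconing or exfiltration."""
    return "internal-lateral" if PRIVATE_RE.match(dst) else "external-unknown"


def report(log_text, approved=APPROVED_EGRESS):
    """One human-readable line per finding."""
    lines = []
    for src, dsts in find_unapproved_egress(log_text, approved).items():
        for dst, count in dsts.items():
            lines.append(f"{src} -> {dst} ({classify(dst)}, {count} connection(s))")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample log it produces two findings: mon-srv01 reaching an unlisted external domain, which is what a backdoor inside vendor software calling home would look like, and backup-gw02 opening SMB to an internal address, which is the vendor host being used as a jumping-off point into the rest of the network. In practice the allowlist comes from the vendor's published endpoint documentation plus your own firewall rules, and the log source is your proxy or egress firewall, but the check is the same.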

Scrutinizing Your Supply Chain

The SolarWinds attack highlighted a key vulnerability of many companies: if an attacker breaches one of your suppliers, he or she might gain the ability to slip into your network through the back door, infecting your systems, spying on your activities, and stealing your information. This is a serious and overlooked problem, and one likely to grow in the coming years. By scrutinizing your supply chain and making the adjustments recommended above, however, you can reduce your organization's exposure to this kind of attack.

Further Reading

For more information on vendor security, vulnerable vendors, and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:

About
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.