National Supply Chain Integrity Month: Understanding Third-Party Cyber Risk

The National Counterintelligence and Security Center (NCSC) named April “National Supply Chain Integrity Month.” Along with its federal partners, including the Department of Homeland Security, NCSC kicked off this campaign to raise awareness about “growing threats to the supply chains of both the private sector and U.S. Government agencies,” and to provide resources to help mitigate these risks. 

A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your company’s system through an outside partner or provider with access to your systems and data. A business is only as secure as the weakest link in its supply chain; that includes vendors, technology partners, contractors — any third-party that needs access to your enterprise’s systems to complete a task. A single lapse by a third party can lead to an operational disruption, cyberattack, or compliance violation. 

Perhaps the most high-profile third-party data breach was the Target breach in 2014. The retailer’s point-of-sale (POS) system was hacked through a compromised HVAC vendor. That should’ve been a wake-up call about the dangers of supply chain risk. Instead, the problem has grown worse since then. According to a survey conducted in the fall of 2018 by the Ponemon Institute, 56 percent of organizations have experienced a breach that was caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information at each organization has increased from 378 to 471. Making matters even more difficult, only 35 percent of companies surveyed said they had a full list of all the third parties they were sharing sensitive information with. 

How Third-Party Data Breaches Occur

To effectively prevent third-party cyber risk, companies must first get a better understanding of how they happen in the first place. There are three main ways an enterprise can be compromised through its supply chain:

Sponsorships Available

Sponsorships Available

Sponsorships Available

• Cloud-based storage, service or hosting providers. Just recently, researchers discovered the private data of 540 million Facebook users that had been inadvertently exposed in an AWS cloud, thanks to the poor security hygiene of one of Facebook’s third-party app developers.
• Online payment, credit card processing, or point-of-sale systems. Third-party payment processing systems hold a treasure trove of financial data, which makes them a major target. For example, earlier this year, Click2Gov, a third-party portal used by government agencies to accept payments for permits, licenses, fines and utilities, was compromised, resulting in the exposure of personal information of residents in Virginia and Florida who used the service.
• Javascript on web sites (used for web analytics, visitor tracking, etc.). A recent example of this is the MageCart attack that affected the credit card information of European consumers using e-commerce websites. The compromised third party was a French advertising firm who partnered with these websites. 

Assessing Your Third-party Ecosystem

So, how can organizations be certain that their vendors and partners are keeping up with the latest regulatory mandates, industry best practices, and cybersecurity measures? 

A great place to start in building up a secure third-party ecosystem is by auditing and scrutinizing all third-party applications, along with any additional services you rely on from vendors, before they are officially implemented. It’s no different than interviewing a potential new candidate to come work for you. Asking the right questions and performing a comprehensive background check on your potential vendor partners is just as important. A rigorous cyber risk assessment process allows businesses to gain the visibility needed to fully understand the various entry points that potential attackers could exploit to gain access to systems.

Historically, cyber risk assessments have been conducted manually by sending supply chain partners a lengthy and in-depth questionnaire that asks for detailed information pertaining to such security aspects as software patch management, whether a vendor’s login credentials have been involved in a leak (such as the “Collection #1” breach), DNS health, SSL/TLS strength, DDoS resiliency and website security. These questionnaires are sent out annually and typically include hundreds, even thousands, of questions about how firms use encryption, require authentication and other measures they take to protect sensitive data. Some of the questionnaires have been used for many years and depend entirely upon supply chain vendors answering honestly and accurately.

Some industries, such as financial services, are moving toward what’s called a “shared assessment” methodology. In this model, a company answers one questionnaire about their data protection strategies, and the results are shared throughout the wider industry. The benefit to this approach is that a single company only needs to go through the process once, rather than dedicating a large about of resources to answering surveys from multiple vendors –a task that can take hours, even days to complete. 

Perhaps an even better way to approach shared assessments is to adopt what is called Open Source Intelligence (OSINT) techniques. When hackers identify their targets, their first order of business is to conduct nearly undetectable cyber reconnaissance. To identify the weakest assets in the network, including any vendors or partners with access to the target company’s corporate network, hackers often leverage OSINT resources, such as internet-wide scanners, deep and dark web, social networks, search engines, leaked database dumps, and even legitimate security services. Similarly, enterprises can use these OSINT resources to conduct an “outside-in” analysis of their third-party security risks. Using an OSINT framework allows enterprises to take a less intrusive approach to cyber risk assessment based on publicly-available resources, using only your vendor partners’ domain names. 

One of the benefits of using OSINT instead of manually-transmitted questionnaires is that enterprises can conduct more regular cyber risk assessments instead of sending out one large survey a year. This way, cyber risk assessment can become a more proactive, continuous process that allows businesses to communicate more regularly with their partners about any changes in their security posture. A continuous cyber risk assessment process also empowers organizations to have frank discussions with their partners about how any changes or shortcomings in security best practices can impact the shared ecosystem, and what partners need to do to improve their posture to continue working together.