The 2013 Target data breach is one of the most infamous attacks in the past decade. Attackers gained access to the point-of-sale (POS) terminals and stole the credit card information for up to 40 million customers during the peak of the 2013 holiday season. This attack cost Target over $300 million in actual expenses, not accounting for the financial impact of the reputation hit and lost business as a result. What many don’t know is that the attackers gained access through Target’s HVAC vendor. In almost every news article I have researched while writing this blog, the HVAC vendor isn’t even named. This just goes to show that supply chain information security risks affect the victim organization more than the vendor in most cases. In this blog, we are going to explore supply chain information security risks, what makes them so dangerous, and what you can do to protect your organization.
Supply Chain Attacks
A supply chain attack is defined as:
Any threat targeting an organization that originates from a third-party vendor, or outside firm, with access to the organization’s network.
When considering supply-chain attacks against your organization, think of everyone who has access to your network. This may include:
- Building Maintenance (HVAC, Plumbing, Electrical)
- Accounting Firms
- Legal Firms
- Benefit Companies
- Alarm Companies
- Managed Service Providers (IT, Security, etc.)
- Partner Companies
Why Attackers Target Your Vendors
Generally speaking, if you are a large organization, and if you are reading this blog, you have probably invested time and effort into your security. However, your organization’s security is only as strong as its weakest link. It is likely that your vendors are not investing the same amount of time and money into their own security programs. Based on our experiences, we have seen the following weaknesses with vendors:
- Weak or shared passwords – Often, a vendor will use the same password across all of their clients. This makes life easier for them to gain access and put out fires, but it also means that if they are compromised or even one of their clients is compromised, the attacker may be able to obtain that shared password. This puts your network at risk immediately, even though your systems weren’t the original point of compromise. Additionally, shared passwords are often not being protected properly, as they are passed among administrators, stored in files, written down, not rotated often, etc.
- Weak security posture on their network – Many vendors, even if they are secure about how they manage your data, are not being proactive about their own security posture. Therefore, an attacker may target their organization directly in order to install a key-logger or gain access to their password manager, providing access to all their clients.
- Not maintaining organizational standards – Many times when we are doing a penetration test, we’ll find a server that is missing security patches, has default credentials, or contains some other weakness that allows us to gain an initial foothold on a network. Sometimes, we find out that this server was placed there by a third party or owned/operated by a third party. These vendor organizations may not maintain their systems using the same organizational security standards you employ.
What Can You Do About It
Now that we have explored some supply chain information security risks, and hopefully opened your eyes to their danger, there are some things you can do. At Triaxiom Security, we perform vendor risk assessments that analyze all of the third parties within an organization and categorize the risk associated with each of them, based on what level of access they have and what kind of data they possess. In general, the following are recommendations that we have provided to organizations in the past to better manage these risks:
- Ensure contracts are in place that spell out the security requirements. These should include non-disclosure agreements, an indemnity clause, a right to audit clause, etc. If you are expecting your vendors to protect your information or connect to your organization securely, these need to be stated in the contract.
- Practice the principle of least privilege. Make sure you are taking a good look at the permissions you assign to each vendor and each of their users. These should be locked down as much as possible to let them do their job, but nothing else. Additionally, if possible, segment this vendor to a dedicated VLAN of the network that is meant for third-party access. For example, the HVAC company in the Target data breach has no reason to see point-of-sale terminals. They just need to monitor their HVAC equipment. So why were they able to?
- Require individual accounts. Each individual employee of a third party accessing your network should be required to have a unique account. This helps break the pattern of them reusing the same password across clients and ensures non-repudiation for forensic purposes.
- All remote access should have multi-factor authentication. Remote access is one of the riskiest aspects of your security posture, as it allows an external user (employee or vendor) to gain access to the internal network. As such, it needs the highest level of protection. Although we recommend multi-factor authentication everywhere, remote access is the most important and a great starting point.
- Audit your vendors. Make sure they are having penetration tests completed by a reputable third party. If they want your business, they will find a way to get them done, which will do nothing but help in the long run, especially as more and more of their clients are demanding it. Although you may run into roadblocks if you try recommending your own penetration testing firm to perform the tests, this can be a good way of ensuring they aren’t just getting a “check the box” penetration test that does nothing to identify the real risks.
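
The technical recommendations above (least privilege with a dedicated third-party VLAN, individual accounts, and multi-factor authentication on remote access) can be checked against an inventory of vendor accounts. The following is an added example, not code from the original post or from Triaxiom Security; the record fields, the vendor subnet 10.50.0.0/24, and the sample inventory are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the dedicated third-party VLAN uses this subnet (constructed value).
VENDOR_VLAN = ipaddress.ip_network("10.50.0.0/24")

# Constructed sample inventory: one record per vendor account.
# "users"   = named people known to log in with the account
# "allowed" = destination networks the account's firewall/VPN policy permits
ACCOUNTS = [
    {"vendor": "hvac-co", "account": "hvac_admin", "users": ["alice", "bob"],
     "remote": True, "mfa": False, "allowed": ["10.50.0.0/28", "10.20.0.0/16"]},
    {"vendor": "acct-firm", "account": "j.doe", "users": ["j.doe"],
     "remote": True, "mfa": True, "allowed": ["10.50.0.32/29"]},
    {"vendor": "msp", "account": "k.lee", "users": ["k.lee"],
     "remote": False, "mfa": False, "allowed": ["10.50.0.64/28"]},
]


def audit(accounts, vendor_vlan=VENDOR_VLAN):
    """Return {account: [findings]} for accounts that break a recommendation."""
    findings = defaultdict(list)
    for acct in accounts:
        name = acct["account"]
        # Individual accounts: exactly one named person per account.
        if len(set(acct["users"])) != 1:
            findings[name].append("shared-or-unowned-account")
        # Multi-factor authentication on all remote access.
        if acct["remote"] and not acct["mfa"]:
            findings[name].append("remote-without-mfa")
        # Least privilege: every permitted destination must sit inside
        # the third-party VLAN, not elsewhere on the internal network.
        for cidr in acct["allowed"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if not net.subnet_of(vendor_vlan):
                findings[name].append(f"reach-outside-vendor-vlan:{net}")
    return dict(findings)


if __name__ == "__main__":
    for account, issues in audit(ACCOUNTS).items():
        print(account, "->", ", ".join(issues))
```

In practice the inventory would be exported from your directory service, VPN concentrator, and firewall policy rather than written by hand.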