Handling suppliers with low security awareness

Supply chain risk – in cyberspace

Cyber supply chain risk is a difficult area to manage. According to NIST 80% of all breaches originate in the supply chain, meaning it should be a definite priority of any security conscious organization to try and manage that risk. That number was given in a presentation by Jon Boyens at the 2016 RSA conference. A lot of big companies have been breached due to suppliers with poor information security practices, for example Target and Home Depot.

supplychainexpansion

Your real attack surface includes the people you do business with – and those that they do business with again. And this is not all within your span of control!

Most companies do not have any form of cybersecurity screening of their suppliers. Considering the facts above, this seems like a very bad idea. Why is this so?

A lot of people think cybersecurity is difficult. The threat landscape itself is difficult to assess unless you have the tools and knowledge to do so. Most companies don’t have that sort of competence in-house, and they are often unaware that they are lacking know-how in a critical risk governance area.

Why are suppliers important when it comes to cybersecurity? The most important factor is that you trust your suppliers, and you may already have shared authentication secrets with them. Consider the following scenarios;

  1. Your HVAC service provider has VPN access to you network in order to troubleshoot the HVAC system in your office. What if hackers gain control over your HVAC vendor’s computer? Then they also have access to your network.
  2. A supplier that you frequently communicate with has been hacked. You receive an email from one of your contacts in this firm, asking if you can verify your customer information by logging into their web based self-service solution. What is the chance you would do that, provided the web page looks professional? You would at least click the link.
  3. You are discussing a contract proposal with a supplier. After emailing back and forth about the details for a couple of weeks he sends you a download link to proposed contract documents from his legal department. Do you click?

All of these are real use cases. All of them were successful for the cybercriminals wanting access to a bigger corporation’s network. The technical set-up was not exploited; in the HVAC case the login credentials of the supplier was stolen and abused (this was the Target attack resulting in leak of 70 million customer credit cards). In the other two cases an existing trust relationship was used to increase the credibility of a spear-phishing attack.

To counter social engineering, most companies offer “cybersecurity awareness training”. That can be helpful, and it can reduce how easy it is to trick employees into performing dangerous actions. When the criminals leverage an existing trust relationship, this kind of training is unlikely to have any effect. Further, your awareness training is probably only including your own organization. Through established buyer-supplier relationships the initial attack surface is not only your own organization; it is expanded to include all the organizations you do business with. And their attack surface again, includes of the people they do business with. This quickly expands to a very large network. You can obviously not manage the whole network – but what you can do is to evaluate the risk of using a particular supplier, and use that to determine which security controls to apply to the relationship with that supplier.

Screening the contextual risk of supplier organizations

What then determines the supplier risk level? Obviously internal affairs within the supplier’s organization is important but at least in the early screening of potential suppliers this information is not available. The supplier may also be reluctant to reveal too much information about his or her company. This means you can only evaluate the external context of the supplier. As it turns out, there are several indicators you can use to gauge the likelihood of a supplier breach. Main factors include:

  • Main locations of the supplier’s operations, including corporate functions
  • The size of the company
  • The sector the company operates in

In addition to these factors, which can help determine how likely the organization is to be breached, you should consider what kind of information about your company the supplier would possess. Obviously, somebody with VPN login credentials to your network would be of more concern than a restaurant where you order overtime food for you employees. Of special concern should be suppliers or partners with access to critical business secrets, with login credentials, or with access to critical application programming interfaces.

Going back to the external context of the supplier; why is the location of the supplier’s operations important? It turns out that the amount of malware campaigns a company is exposed to is strongly correlated with the political risk in the countries where the firm operates. Firms operating in countries with a high crime rate, significant corruption and dubious attitudes to democracy and freedom of speech, also tend to be attacked more from the outside. They are also more likely to have unlicensed software, e.g. pirated versions of Windows – leaving them more vulnerable to those attacks.

The size of the company is also an interesting indicator. Smaller companies, i.e. less than 250 employees, have a lower fraction of their incoming communication being malicious. At the same time, the defense of these companies is often weak; many of them lack processes for managing information security, and a lot of companies in this group do not have internal cybersecurity expertise.

The medium sized companies (250-500 employees) receive more malicious communications. These companies often lack formal cybersecurity programs too, and competence may also be missing here, especially on the process side of the equation. For example, few companies in this category have established an information security management system.

Larger companies still receive large amounts of malicious communications but they tend to have better defense systems, including management processes. The small and medium sized business therefore pose a higher threat for value chain exploitation than larger more established companies do.

Also, the sector the supplier operates is a determining factor for the external context risk.  Sectors that are particularly exposed to cyberattacks include:

  • Retail
  • Public sector and governmental agencies
  • Business services (consulting companies, lawyers, accountants, etc.)

Here the topic of “what information do I share” comes in. You are probably not very likely to share internal company data with a retailer unless you are part of the retailers supply chain. If you are, then you should be thinking about some controls, especially if the retailer is a small or medium sized business.

For many companies the “business services” category is of key interest. These are service providers that you would often share critical information with. Consulting companies gain access to strategic information, to your IT network, gets to know a lot of key stakeholders in your company. Lawyers would obviously have access to confidential information. Accountants would be trusted, have access to information and perhaps also to your ERP systems. Business service providers often get high levels of access, and they are often targeted by cybercriminals and other hackers; this is good reason to be vigilant with managing security in the buyer-supplier relationship.

Realistic assessments require up to date threat intelligence

There are more factors that come into play when selecting a supplier for your firm than security. Say you have an evaluation scheme that takes into account:

  • Financials
  • Capacity
  • Service level
  • And now… cybersecurity

If the risk is considered unreasonably high for using a supplier, you may end up selecting a supplier that is more expensive, or where the level of service is lower, than for the “best” supplier but with a high perceived risk. Therefore it becomes important that the contextual coarse risk assessment is performed based on up-to-date threat models, even for the macro indicators discussed above.

Looking at historical data shows that the threat impact of company size remains relatively stable over time. Big companies tend to have better governance than small ones. On the positive side for smaller companies is that they tend to be more interested in cooperating on risk governance than bigger players are. This, however, is usually not problematic when it comes to understanding the threat context.

Political risk is more volatile. Political changes in countries can happen quickly, and the effects of political change can be subtle but important for cybersecurity context. This factor depends on up to date threat intelligence, primarily available from open sources. This means that when you establish a contextual threat model, you should take care to keep it up to date with political risk factors that do change at least on a quarterly basis, and can even change abruptly in the case of revolutions, terror attacks or other major events causing social unrest. A slower stream would be legislative processes that affect not only how businesses deal with cyber threats but also on the governmental level. Key uncertainties in this field today include the access of intelligence organizations to communications data, and the evolvement of privacy laws.

Also the sector influence on cyber threat levels do change dynamically. Here threat intelligence is not that easy to access but some open sources do exist. Open intel sources that can be taken into account to adjust the assessment of business sector risk are:

  • General business news and financial market trends
  • Threat intelligence reports from cybersecurity firms
  • Company annual reports
  • Regulations affecting the sector, as also mentioned under political risk
  • Vulnerability reports for business critical software important to each sectoor

In addition to this, less open sources of interest would be:

  • Contacts working within the sectors with access to trend data on cyber threats (e.g. sysadmins in key companies’ IT deparments)
  • Sensors in key networks (often operated by government security organizations), sharing of information typically occurs in CERT organizations

Obviously, staying on top of the threat landscape is a challenging undertaking but failing to do so can lead to weak risk assessments that would influence business decisions the wrong way. Understanding the threat landscape is thus a business investment where the expected returns are long-term and hard to measure.

How to take action

How should you, as a purchaser, use this information about supplier threats? Considering now the situation where you have access to a sound contextual threat model, and you are able to sort supplier companies into broad risk categories, e.g. low, medium, high risk categories. How can you use that information to improve your own risk governance and reduce the exposure to supply chain cyber threats?

First, you should establish a due diligence practice for cybersecurity. You should require more scrutiny for high-risk situations than low-risk ones. Here is one way to categorize the governance practices for supply chain cyber risks – but this is only a suggested structure. The actual activities should be adapted to your company’s needs and capabilities.

Practice Low risk supplier Medium risk supplier High risk supplier
Require review of supplier’s policy for information security No Yes Yes
State minimum supplier security requirements (antivirus, firewalls, updated software, training) Yes Yes Yes
Require right to audit supplier for cybersecurity compliance No To be considered Yes
Establish cooperation for incident handling No To be considered Yes
Require external penetration test including social engineering prior to and during business relationship No No To be considered
Agree on communication channels for security incidents related to buyer-supper relationship Yes Yes Yes
Require ISO 27001 or similar certification No No To be considered

If you found this post interesting, please share it with your contacts – and let me know what you think in the comments!

Why “secure iframes” on http sites are bad for security

Earlier this year it was reported that half of the web is now served over SSL (Wired.com). Still, quite a number of sites are trying to keep things in http, and to serve secure content in embedded parts of the site. There are two approaches to this:

  • A form embedded in an iframe served over https (not terrible but still a bad idea)
  • A form that loads over http and submits over https (this is terrible)

The form loading on the http site and submitting to a https site is security-wise meaningless because an attacker can read the data entered into the form on the web page. This means the security added by https is lost because a man-in-the-middle attacker on the http site can snoop on the data in the form directly.

ssl_safecontrols

Users are slowly but surely being trained to look for this padlock symbol and the “https” protocol when interacting with web pages and applications. 

The “secure iframe” is slightly better because the form is served over https and a man-in-the-middle cannot easily read the contents of the form. This is aided by iframe sandboxing in modern browsers (see some info about this in Chrome here), although old ones may not be as secure because the sandboxing function was not included. Client-side restrictions can, however, be manipulated.

One of the big problems with security is lack of awareness about security risks. To counter this, browsers today indicate that login forms, payment forms, etc. on http sites are insecure. If you load your iframe over https on an http site, the browser will still warn the user (although the actual content is not submitted insecurely). This counteracts the learned (positive) behavior of looking for a green padlock symbol and the https protocol. Two potential bad effects:

  • Users start to ignore the unison cry of “only submit data when you see the green padlock” – which will be great for phishing agents and other scammers. This may be “good for business” in the short run, but it certainly is bad for society as a whole, and for your business in the long run.
  • Users will not trust your login form because it looks insecure and they choose not to trust your site – which is good for the internet and bad for your business.

Takeaways from this:

  • Serve all pages that interact with users in any form over https
  • Do not use mixed content in the same page. Just don’t do it.
  • While you are at it: don’t support weak ciphers and vulnerable crypto. That is also bad for karma, and good for criminals.

Trust in business is trust in the security of those you do business with

Without trust in business there would be no growth. When someone grants you credit, they trust you will honor your duty to pay. When you fork over money for a product you trust that the product is what marketing says it is, or at least fairly close to that. If this trust was not in place, we would not be so eager to do business with each other, and growth would stall. With that follows unemployment, poverty, less innovation.

What have we, as a society, put in place to feel OK with trusting strangers when we do business with them? Basically there are three things that build this kind of trust:

  • Mutual dependence and benefit, typically a customer needs a product and a business is supplying it
  • Activities we undertake to make sure we can trust the other party. Here are some examples:
    • Read about the firm in the news – do they seem honest and fair?
    • Check a supplier’s credit rating – do they have a solid operation?
  • Laws that we expect people to follow, such as
    • Regulations for marketing
    • Safety regulations for products

How does this transfer to information and data? Today doing business means exchanging data. Numerous media reports show that information security incidents pose a real threat to businesses, and to individuals. This threatens to erode the trust we need to make businesses successful, and to support growth. There are two issues that make it harder to trust businesses with data than many other aspects of the relationship:

  • There are fewer laws and established practices
  • We don’t really have many established practices for doing the prior checks.

In fact, most buyers don’t even have a procedure for doing any “trustworthiness checks” regarding data when qualifying suppliers. I think this is something we need to change. When people start to expect that customers are checking their security postures, they will improve their practices. This benefits us all; when more people have reasonable security practices to ensure confidential data is kept secure, and to ensure that public data are available to those that need them, we start to build more trust also in the digital economy. And we need that to ensure growth does not stagnate.

As a starting point for what to think about, see this post about supplier risk: Why high-reliability organizations evaluate the threat potential of suppliers

Social engineering and relationship management

Active sales processes are supported by thought-out processes, continuous improvement, A/B-testing, communication in multiple channels – and logging results in databases to analyze performance. The field is typically referred to as customer relationship management, and the cloud king of the field is Salesforce.com.

Some criminals aren’t very sophisticated and they still manage to earn money through cyber-scams. There are many ways they can do this, such as identity theft, document fraud, credit card fraud – or direct extortion schemes. The latter tends to have a faster path to the reward, although credit card fraud is still a big money-making machine for the criminals. But what happens when criminals get organized, and introduce customer relationship management? Most likely the same as happens when an unstructured sales team invests in methodologies, measurements and an improvement culture; they get much more efficient and they increase their revenue streams.

This is where organized crime comes in. Organized crime groups are running efficient business operations, including in cyberspace. They map out their infection processes, and start to optimize. They keep tabs on who they are trying to scam. They use content management to build trust. And they are cashing in big time. Let’s look at the touchpoints for potential revenue optimization for a typical extortion scheme using ransomeware.

ransomeware_process

A common ransomware process: each point in this process is an opportunity for optimization for the adversary. Each transition between two phases is an opportunity for the target to stop the adversary’s process. 

The first part, obtaining contact points, or rather, harvesting email addresses is a first point. If you collect these from generic lists, or buy them from large spam networks on the deep web, they will most likely be of low quality, and with little context. What if the criminal sets up an engaging platform for collecting email lists, curated with “useful content” and collecting information about use patterns, typical interests and the like? The e-mails will be real, they will be active, and the adversary will have intelligence on interests and “click triggers” for each address. Using this information would give a solid boost in the number of successful email transmissions.

The second box has another great opportunity for optimization. Armed with the context information, targeted e-mails can be generated to increase the click-rate. Links that seem to be leading to interesting content, similar to your favorite reads, will get much higher click-through-rates – even better than Google AdWords. And, of course, the click rates can be measured and used to further improve targeting. Using automation techniques – just the same as you would when using marketing automation solutions for legitimate business.

The ransomware download can also be optimized to increase infection rates. It can be disguised as a tool, it can be a JS-file that the user is told to execute, it can be an MS Office macro downloader, and so on. The key is to make the user bypass all sanity checks and allow installation – and armed with the context information from earlier, it is much easier to shape the message, and the piggyback on established trust.

We could go on with this analysis – but the main point is that this is occurring, and the criminals using these techniques are the same organized crime groups that deal in illegal weapons, drugs and human trafficking. They are sophisticated operators abusing our natural instinct to trust things we feel are useful to us.

To counter this, we need to be just as systematic and smart about things on our side too. Baseline security will take you a long way but you also need to keep the people processes up to date in order to reduce the exposure to optimized malware supply chains.

Why high-reliability organizations evaluate the threat potential of suppliers

Cyber attacks tend to penetrate the attack surface using one of just a few initial attack vectors:

  • Phishing e-mails (80%)
  • Abuse of trust relationships
  • Web application session hijacking

Sometimes the easiest way into a large and well protected organization is through compromising a trusted third-party, such as a key supplier with less secure practices. If you are really good at security awareness, application security and network segregation, it may be easier to exploit your trust with a supplier instead. How do the best in class organizations deal with this type of risk?

20150424_155646090_iOS

Your internal security practices may be good – but how does that help if an attacker can abuse a trusted supplier with less degree of organizational hardening to gain access to your systems? Supplier qualification is a key risk management activity – also in the cybersecurity domain.

Qualify your suppliers

Every professional procurement organization already does supplier qualification. They tend to ask for ISO 9001 certification (quality management), they do credit and financial solidity check (you don’t want your supplier to go bankrupt before delivering the crucial goods), and so on. And those organizations that are the most security-aware include security related checks in this process. A quick informal survey on Twitter shows that most people don’t do this (and the result is quite biased – most of the respondents here are IT pros, not “normal people”). A whopping 44% says that they don’t have any process for evaluating the security implications of their supplier selection!

What factors to consider?

There are many ways to qualify a supplier. You might want to do a full due-diligence audit, require ISO 27001 certification, and so on – but then it will most likely be very hard to procure goods as most suppliers don’t have this mature processes in place – unless you deal in very special markets. So what should you have a look at, at the initial state? Here’s a quick list of some important factors:

  • The business sector(s) the supplier is active in. The sector may be of interest to some actors, and loss so to others.
  • The size of the firm. The medium sized businesses tend to be the ones most often targeted by cyber attacks. Smaller to a lesser degree but they often have very weak controls. Large enterprises are less attractive targets because they typically have better controls.
  • Political risk: is the company heavily involved in business relationships in regions with high political risk? Studies indicate that companies in countries with a higher degree of political risk are attacked more frequently than those in more politically stable regions.

Creating criteria based on these factors should give you some relevant hooks to use for supplier qualification. Depending on the nature of procurement you may choose to disqualify a supplier, to introduce more controls in the contract if the risk is perceived as higher, or also to do a more in-depth review before making a decision (such as asking to review their policies, etc.).

The outcomes of doing this in a reasonable manner are:

  • Better risk management for your firm – reduced likelihood of being stung by the third-party bee
  • Driving security culture at your own firm, tying security practices to business workflows in an obvious way, thereby making benefits less mysterious
  • Helping suppliers become more security-aware and resilient – thereby creating shared goodwill that will strengthen the supplier relationships

Earth Day: Fighting climate change with cybersecurity

One of the biggest challenges of our time is climate change. The world struggles to get our ongoing path to environmental destruction under control. Today is Earth Day. This day is for most people about avoiding meat, taking public transport, using reusable shopping bags, drinking wine instead of beer, and turning lights off – but nerds can do more than that. Our biggest challenge is to reduce the climate gas emissions from transport.

trheimtorg

Walkable cities are nice – and cybersecurity can contribute to that! Happy Earth Day 2017!

  • Information technology has a gigantic role to play in the solution to that problem:
  • Self-driving cars, buses, metros make public transport cheaper. But can they be hacked? Of course they can.
  • Smart assistants using AI to help plan your day, your travel and to optimize your choices also with regard to environmental footprint can do a lot. But can they be hacked, thereby destroying all hope of privacy protection? Sure they can.
  • Telework can reduce the need to travel to work, and the need for business travel to talk to people in other locations. This brings a whole swath of issues: privacy, reliability. If people don’t trust the solutions for communication, system access, and if they don’t work reliably, people will keep boarding planes to meet clients and driving cars to go to the office.
  • Cloud services are nice. They make working together over distances a lot easier. Cloud services require data centers. If the reliability of a data center is not quite up to expectations the standard solution is to replicate everything in another datacenter, or for the customer perhaps to replicate everything in his or her own datacenter, or possibly mirroring it to another cloud provider. This may not be seen as necessary if the reliability is super-good with the primary provider – particularly the ability to deal with DDoS attacks. Building reliable datacenters is therefore part of the climate solution – in addition to providing datacenters with green energy and efficient cooling systems.

OK, so DDoS is a climate problem? Yes, it is. And what do cybercriminals need to perform large-scale DDoS attacks? They need botnets. They get botnets by infecting IoT devices, laptops, phones, workstations and so on with malware. Endpoint security is therefore, also, a climate issue. Following sensible security management is therefore a contributor to protecting the environment. So in addition to choosing the bus over the car today, you can also help Mother Earth by beefing up the security on your private devices:

  • Make sure to patch everything, including routers, cell phones, laptops, smart home solutions, alarm systems, internet connected refrigerators and the whole lot.
  • Stop using cloud services with sketchy security and privacy practices. Force vendors to beef up their security by using your consumer power. And protect your own interests at the same time. This is doing everyone a favor – it makes AI assistants and such trustworthy, making more people use them, which favors optimized transport, consumption and communications.
  • Prioritize efficient, safe and secure telework. Use VPN when working from coffee shops, and promote the “local work global impact” way of doing things. Being able to avoid excessive travel, whether it is to the office or to a client on the other side of the globe, your decisions have impact. Especially if you manage to influence other people to prioritize the same things.

Happy Earth Day 2017. Promote climate action through security practices!

Cross-site scripting for fun and profit

Still one of the most common vulnerabilities in web applications, XSS (cross-site scripting) still serves as a useful point of attack for hackers. If you are a we developer, knowing how to properly protect your application from these attacks is a must.

Don’t leave your app ooen to attack – injection vulnerabilities are not nice.


Cross-site scripting vulnerabilities exist when user input in web forms or in API calls are not properly escaped and sanitzed before it is used. Directly reflecting user input back to the browser can be sketchy practice. If the user inputs JavaScript into a form input field, and that script executes, then you have a vulnerability that hackers can take advantage of.

There are two ways users can give input to a web page; through web forms, and through URL parameters (usually by clicking links on the page). Both input types are interesting injection points for someone looking to exploit your page.

Modern web applications seek to filter out this type of input. OWASP has put together a large selection of attack vectors for XSS exploits that try to bypass these filters. You can see the list here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.

To manually test your own applications you can try the following input strings:

  • [Script]alert()[/script]: usually doesn’t work. (Brackets to avoid getting lost in WordPress escaping… Should’ve been script tags)
  • <img src=x onerror=alert()>: typical stored xss exploit, typically in comment functionality etc. If this one pops an alert on reload of the page you have successfully injected JavaScript into the page that will be used by others too. Now you can just go ahead an change the alert with a more evil kind of thing, like a redirect to you phishing site of choice (don’t do it, it really is evil. And illegal).
  • In url parameters: data:html,alert() or data:text/JavaScript,alert(); or JavaScript:alert()

The URL manipulation is typically used in links supplied in scam emails etc. It makes your code execute within the context of the web application, and is often used to steal session data.

Avoiding XSS as a developer

There are several things you can do as a developer to avoid these vulnerabilities. The best way is to use a framework/templating system that autoescapes dangerous input for you. Most modern web frameworks will do this for you, as long as you enable the right middleware!

You should also test for vulnerabilities, including XSS. You can do this manually by trying to inject strings like the ones above, and you can use a vulnerability scanner. Allow someone else to look at your code to try and find weaknesses – it is harder to see errors when you have made them yourself! You should use multiple test methods when available, and also consider including security tests in unit testing for your code.

Some takeaways:

  • Also big league players have XSS vulns on their sites. See this Register story from 2014 on a plugin bug for WordPress, affecting most of the platform (2014)
  • XSS will allow hackers to attack your users. You are partially to blame if this was possible due to neglect on your behalf. Right? And your customers would get angry.
  • Web application frameworks deal with this in a good way. It is very hard to write context-aware escaping manually, so stick with a framework!