When addressing enterprise security, the weakest links – the points of least resistance – should be hardened to prevent breaches.
An illuminating article came out in the New York Times yesterday about the cyber-security risk posed to large enterprises by third-parties. The article describes a classic, drive-by application-layer attack in which cyber-attackers breached a big oil company by injecting malware into the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the oil company's network — and presumably, access to all kinds of valuable IP such as the quantity and location of all of the company's oil discoveries worldwide. The point of the article is that cyber-attackers are now targeting third-party applications and suppliers — such as the Chinese takeout software used in the watering hole attack and the HVAC company whose credentials were stolen for the Target breach — as the path of least resistance to sensitive enterprise data. One of the sources quoted in the article suggests that third-party suppliers are involved in as many as 70% of breaches. (Someone posted an amusing comment that “The movie 2001 had it wrong. It won't be HAL that won't open the pod bay door but a pimply faced kid in New Jersey hacking into HAL” — but the reality is that it's more likely to be an organized crime gang in Eastern Europe or foreign military units performing state-sponsored espionage.) As security teams get better at hardening their networks with next-generation technologies such as Palo Alto and FireEye, attackers are simply getting smarter by looking for weak links at the application layer and in the software supply chain.
As the article points out, this is a clever strategy because supply chain vendors are already behind the firewall and “often don’t have the same security standards as their clients.” The analytics collected by our cloud-based application security platform reinforce that point: 90% of third-party applications uploaded to the platform include at least one OWASP Top 10 vulnerability such as SQL Injection and Cross-Site Scripting (Enterprise Testing of the Software Supply Chain). What are the best practices for addressing third-party risk? Start by understanding all aspects of your third-party supply chain: the software you outsource, purchase or use via SaaS; the software you incorporate as components and frameworks in your in-house applications; and the service providers and contractors who have privileged access to your systems. If you aren’t continuously assessing these, you are accepting a much higher level of risk.
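As an added illustration of the "understand and continuously assess your supply chain" advice above (example code, not from the original post and not the platform it mentions), the following Python script builds a minimal inventory from two constructed inputs: a requirements.txt-style manifest of components an in-house application pulls in, and a CSV register of third parties that hold privileged access. It flags components that are not pinned to an exact version (they cannot be matched against a known-vulnerable version list) and privileged third-party accounts whose last assessment is older than a review window. The vendor names, account names, dates and the 90-day window are all constructed assumptions.

```python
"""Added example: a minimal third-party supply-chain inventory check.

Not code from the original post. The manifest, the access register, the
vendor names and the review window are constructed sample values.
"""
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample manifest (requirements.txt style) for an in-house app.
SAMPLE_MANIFEST = """\
# in-house app dependencies (constructed sample)
requests==2.31.0
flask>=2.0
pyyaml
cryptography==41.0.7
"""

# Constructed sample register of third parties with access to our systems.
SAMPLE_ACCESS_REGISTER = """\
vendor,account,privilege,last_assessed
ExampleHVAC,svc-hvac,vpn+billing-portal,2023-08-01
ExampleCatering,app-menu,none,2023-12-01
ExampleBackupCo,svc-backup,domain-admin,2023-12-20
"""

# Constructed "today" so the stale-access check is deterministic.
SAMPLE_TODAY = date(2024, 1, 15)

# name, optional comparison operator, optional version; stops at ';' or '#'.
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([^\s;#]*)")


def parse_manifest(text):
    """Return (name, operator, version) for each component line in the manifest."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            components.append((m.group(1).lower(), m.group(2) or "", m.group(3)))
    return components


def unpinned_components(components):
    """Components not pinned with '==' cannot be checked against a
    known-vulnerable version list, so report them for follow-up."""
    return [name for name, op, _ in components if op != "=="]


def stale_privileged_access(register_text, today, max_age_days=90):
    """Third-party accounts holding privileges whose last assessment is older
    than max_age_days. Rows with privilege 'none' are outside the review."""
    stale = []
    for row in csv.DictReader(io.StringIO(register_text)):
        if row["privilege"] == "none":
            continue
        assessed = date.fromisoformat(row["last_assessed"])
        if today - assessed > timedelta(days=max_age_days):
            stale.append((row["vendor"], row["account"], row["privilege"]))
    return stale


def inventory_report(manifest_text, register_text, today):
    """Combine both checks into one report dictionary."""
    comps = parse_manifest(manifest_text)
    return {
        "components": len(comps),
        "unpinned": unpinned_components(comps),
        "stale_privileged": stale_privileged_access(register_text, today),
    }


if __name__ == "__main__":
    report = inventory_report(SAMPLE_MANIFEST, SAMPLE_ACCESS_REGISTER, SAMPLE_TODAY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as-is, the report lists four components, flags `flask` and `pyyaml` as unpinned, and flags the HVAC vendor's VPN account as unassessed for more than 90 days; the catering vendor's menu application is skipped because it holds no privilege, which is exactly why a watering-hole risk like the one in the article has to be covered by application testing rather than by an access register alone.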