An illuminating article came out in the New York Times yesterday about the cyber-security risk posed to large enterprises by third parties. The article describes a classic, drive-by application-layer attack in which cyber-attackers breached a big oil company by injecting malware into the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the oil company's network — and presumably, access to all kinds of valuable IP such as the quantity and location of all of the company's oil discoveries worldwide. The point of the article is that cyber-attackers are now targeting third-party applications and suppliers — such as the Chinese takeout software used in the watering hole attack and the HVAC company whose credentials were stolen for the Target breach — as the path of least resistance to sensitive enterprise data. One of the sources quoted in the article suggests that third-party suppliers are involved in as many as 70% of breaches. (Someone posted an amusing comment that “The movie 2001 had it wrong. It won't be HAL that won't open the pod bay door but a pimply faced kid in New Jersey hacking into HAL” — but the reality is that it's more likely to be an organized crime gang in Eastern Europe or foreign military units performing state-sponsored espionage.) As security teams get better at hardening their networks with next-generation technologies such as Palo Alto and FireEye, attackers are simply getting smarter by looking for weak links at the application layer and in the software supply chain.
As the article points out, this is a clever strategy because supply chain vendors are already behind the firewall and “often don’t have the same security standards as their clients.” The analytics collected by our cloud-based application security platform reinforce that point: 90% of third-party applications uploaded to the platform include at least one OWASP Top 10 vulnerability such as SQL Injection and Cross-Site Scripting (Enterprise Testing of the Software Supply Chain). What are the best practices for addressing third-party risk? Start by understanding all aspects of your third-party supply chain: the software you outsource, purchase or use via SaaS; the software you incorporate as components and frameworks in your in-house applications; and the service providers and contractors who have privileged access to your systems. If you aren’t continuously assessing these, you are accepting a much higher level of risk.
Another interesting factoid from the Times article: Unlike banks, which spend up to 12% of their IT budgets on security, retailers spend, on average, less than 5% of their budgets on security. To see what leaders in financial services — such as Morgan Stanley, Goldman Sachs, GE Capital, Thomson Reuters — are recommending as three critical controls for managing third-party software risk, see the FS-ISAC whitepaper “Appropriate Software Security Control Types for Third Party Service and Product Providers”. One of the controls recommended by FS-ISAC is the use of automated binary static analysis to ensure your third-party software is compliant with corporate security policies, based on minimum acceptable levels of risk (e.g., OWASP Top 10, CWE severity levels, etc.). This matches our experience working with hundreds of third-party vendors — enterprises can successfully reduce third-party software risk by creating ongoing, enterprise-wide governance programs with standardized policies and by working directly with their vendors to ensure they're compliant. As Target taught us, the security posture of your third-party vendors is also your responsibility. And if they turn out to be the path of least resistance for cyber-attackers, it's your company and your customers that ultimately suffer.
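To make the "minimum acceptable level of risk" control concrete, here is an added example of a policy gate that evaluates the findings from a third-party application scan against a standardized enterprise policy built on CWE severity levels and OWASP Top 10 membership. This is illustration code written for this post, not the code of our platform or anything published by FS-ISAC: the `Finding` record format, the severity scale, the partial CWE-to-OWASP mapping and the two vendor scan results are all constructed, and a real program would feed it the scanner's actual output and mapping tables.

```python
"""Policy gate for third-party application scan results (added example).

Evaluates a list of scanner findings against an enterprise policy:
  - any finding above an allowed CWE severity fails the gate,
  - any finding in an OWASP Top 10 category fails the gate (if enabled),
  - the total count of open findings may not exceed a cap.
All data formats and sample values here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed, partial map of CWE IDs to OWASP Top 10 categories (2013 naming).
# A production policy would load the scanner's full mapping instead.
OWASP_TOP10_BY_CWE = {
    89: "A1 Injection (SQL Injection)",
    78: "A1 Injection (OS Command Injection)",
    287: "A2 Broken Authentication",
    79: "A3 Cross-Site Scripting",
    352: "A8 Cross-Site Request Forgery",
}

# Hypothetical severity scale of the scanner output, ordered low to high.
SEVERITY_RANK = {
    "informational": 0, "very_low": 1, "low": 2,
    "medium": 3, "high": 4, "very_high": 5,
}


@dataclass(frozen=True)
class Finding:
    cwe: int        # CWE identifier of the weakness
    severity: str   # one of SEVERITY_RANK's keys
    location: str   # module/function reported by binary analysis (no source line)


@dataclass(frozen=True)
class Policy:
    name: str
    highest_allowed_severity: str  # findings ranked above this fail the gate
    block_owasp_top10: bool        # OWASP Top 10 findings fail regardless of severity
    max_open_findings: int         # cap on non-informational findings


def evaluate(findings: Iterable[Finding], policy: Policy) -> Dict[str, object]:
    """Return {'compliant': bool, 'violations': [reason, ...]} for one application.

    A single finding can contribute two violations (severity and OWASP), which is
    deliberate: both reasons are reported back to the vendor.
    """
    allowed = SEVERITY_RANK[policy.highest_allowed_severity]
    violations: List[str] = []
    open_count = 0
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            # Fail closed on unknown input rather than silently passing it.
            raise ValueError(f"unknown severity {f.severity!r} at {f.location}")
        rank = SEVERITY_RANK[f.severity]
        if rank > SEVERITY_RANK["informational"]:
            open_count += 1
        if rank > allowed:
            violations.append(
                f"CWE-{f.cwe} at {f.location}: severity {f.severity} "
                f"exceeds allowed {policy.highest_allowed_severity}")
        if policy.block_owasp_top10 and f.cwe in OWASP_TOP10_BY_CWE:
            violations.append(
                f"CWE-{f.cwe} at {f.location}: OWASP Top 10 "
                f"({OWASP_TOP10_BY_CWE[f.cwe]}) is not permitted")
    if open_count > policy.max_open_findings:
        violations.append(
            f"{open_count} open findings exceed cap of {policy.max_open_findings}")
    return {"compliant": not violations, "violations": violations}


def gate_all(scans: Dict[str, List[Finding]], policy: Policy) -> Dict[str, Dict[str, object]]:
    """Apply one enterprise-wide policy to every vendor application's scan."""
    return {app: evaluate(findings, policy) for app, findings in scans.items()}


# Constructed scan results for two hypothetical vendor applications.
SAMPLE_SCANS = {
    "vendor-menu-portal": [
        Finding(89, "very_high", "OrderController.search"),
        Finding(79, "medium", "MenuView.render"),
        Finding(327, "low", "Crypto.init"),      # CWE-327: risky crypto algorithm
    ],
    "vendor-billing-service": [
        Finding(327, "low", "Tls.configure"),
        Finding(200, "informational", "Diag.dump"),  # CWE-200: information exposure
    ],
}

# Constructed baseline policy: nothing above medium, no OWASP Top 10, at most 10 open.
ENTERPRISE_POLICY = Policy("Third-party baseline", "medium", True, 10)

if __name__ == "__main__":
    for app, result in gate_all(SAMPLE_SCANS, ENTERPRISE_POLICY).items():
        print(("PASS" if result["compliant"] else "FAIL"), app)
        for reason in result["violations"]:
            print("  -", reason)
```

Run as a script it prints a PASS/FAIL line per application with the reasons, which is the artifact you hand back to the vendor; the same `evaluate` function can be wired into a procurement or release workflow so that an application that fails the gate is not deployed until the vendor remediates and re-submits.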