By Kelly White | May 14, 2018
Reliably protecting systems and data over time requires the disciplined execution of a robust security program that spans an entire enterprise. As a former CISO and now advisor to third-party risk management teams, I’ve seen some vendors take the contrary position, arguing that customers need only be concerned with security of the systems that host their data.
Risk can rarely be confined to one set of systems and insulated from the threats and vulnerabilities of the surrounding systems and people. Grounding your third-party assessments in a correct, practical understanding of the cyber threat landscape will compel you to be concerned with your vendor's complete enterprise cyber risk management program, not just the systems you use.
We offer three points to consider when faced with a vendor’s “contained risk” argument:
- Data that can be moved will be moved. On paper, most application stacks are well bounded, supporting the argument that risk is contained to a limited scope. In this perfect world, your data resides in a database, data processing functionality is implemented in an application tier, and presentation logic is fulfilled through a web server layer. Backups may go to encrypted tape or to a remote network archive.
In imperfect reality, data does not just sit in a database. It takes a tremendous and rarely achieved level of organizational discipline and architectural investment to guarantee that data cannot leave its primary systems. If data can be extracted from those systems, it will be:
• Application data is written to logging servers
• Analysts pull data from the database for analytics and reporting
• Network and server logs contain sensitive information
• DBAs query subsets of data in the process of supporting databases
• Production data may be used in test or QA systems
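Every destination in that list is a place where plaintext secrets turn up, and a customer reviewing a vendor is entitled to ask what check runs where the data is written, not just where it is stored. The following is an added example (not the author's or any vendor's tooling): a Python scanner that runs over constructed log lines and flags a few high-signal patterns (password parameters, bearer tokens, Luhn-valid card numbers), beside the hardened form, a `logging.Filter` that redacts the same patterns before a record ever reaches a handler or a log server. The patterns, the sample lines and all function names are illustrative assumptions.

```python
"""Added example: scan log lines for secrets that should never have left the
database, and redact them at the source. The SAMPLE_LOG lines are constructed
for this example, not taken from any real system or incident."""
import io
import logging
import re
from typing import Dict, List

# Constructed log lines. Line 2 mimics the class of bug in which a password is
# written to a log before it is hashed; lines 4 and 5 carry a valid and an
# invalid card number so the Luhn check below has something to discriminate.
SAMPLE_LOG = """\
2018-05-03T10:12:01Z INFO  web01 GET /account/1234 200 12ms
2018-05-03T10:12:02Z DEBUG auth01 login attempt user=alice password=Summer2018!
2018-05-03T10:12:03Z INFO  api02 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123
2018-05-03T10:12:04Z INFO  pay01 order 88 card=4111111111111111 amount=19.99
2018-05-03T10:12:05Z INFO  pay01 order 89 card=4111111111111112 amount=5.00
2018-05-03T10:12:06Z INFO  web01 GET /health 200 1ms
"""

# Each pattern splits into the part to keep ("key") and the part to redact ("secret").
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "password": re.compile(r"(?P<key>\b(?:password|passwd|pwd)=)(?P<secret>\S+)", re.I),
    "bearer_token": re.compile(r"(?P<key>\bBearer\s+)(?P<secret>[A-Za-z0-9._~+/=-]{20,})"),
    "card_number": re.compile(r"(?P<key>)(?P<secret>\b\d{13,19}\b)"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that order IDs and other long numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_secret(kind: str, secret: str) -> bool:
    """Card candidates must pass Luhn; every other pattern match counts as a hit."""
    return kind != "card_number" or luhn_ok(secret)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Detection side: report which lines carry secrets, without echoing the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group("secret")
                if _is_secret(kind, secret):
                    findings.append({"line": lineno, "kind": kind, "hint": "***" + secret[-4:]})
    return findings


def redact(line: str) -> str:
    """Replace the secret part of every match while keeping the key so the log stays useful."""
    for kind, rx in PATTERNS.items():
        def repl(m: "re.Match[str]", kind: str = kind) -> str:
            if not _is_secret(kind, m.group("secret")):
                return m.group(0)
            return m.group("key") + "[REDACTED]"
        line = rx.sub(repl, line)
    return line


class RedactingFilter(logging.Filter):
    """Prevention side: rewrite the rendered message before any handler emits it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already rendered; prevent a second % formatting
        return True


def log_through_filter(message: str) -> str:
    """Send one message through a logger whose handler carries the filter; return what was emitted."""
    stream = io.StringIO()
    logger = logging.getLogger("example.redacted")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.debug(message)
    handler.flush()
    return stream.getvalue().rstrip("\n")


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} ({f['hint']})")
    print(log_through_filter("login user=alice password=hunter2 card=4111111111111111"))
```

Run against the sample, the scanner reports lines 2, 3 and 4 and stays silent on line 5, because the Luhn check rejects the altered card number; that check is what keeps timestamps and order IDs out of the findings. The scanner is a backstop for logs that already exist; the filter is the control a vendor should be able to point to, because it removes the secret before it is copied to a log server, an analyst's export or a QA system.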
A compromise of any of the systems listed above can result in compromise of your data. For example, in early May, Twitter advised its 330 million users to change their passwords after finding that a bug in its password-hashing process had written passwords in plaintext to an internal log.
- Systems are networked, facilitating unexpected attack paths. The systems that store your data are interconnected with other systems. In most environments, it is easy to construct an attack path against a "secure" environment that starts with the compromise of an "out of scope" workstation or server. At a minimum, administrators, analysts, monitoring systems, backup servers, remote access servers and related web and application servers can directly reach the systems that store your data, and those systems are in turn connected to others. A compromise of any system along that network path can lead to compromise of the other networked assets.
Consider the Equifax breach reported in September 2017. Attackers exploited an Apache Struts vulnerability on a consumer portal to gain initial access, then expanded into other systems. In his Congressional testimony, former CEO Richard Smith described the difficulty of conducting forensic analysis because of the sheer number of systems compromised. Equifax's admissions of exposed data have expanded since the breach was first reported, even into this month.
The 2011 breach of RSA offers another example. Attackers used spear phishing to compromise the workstation of a junior-level RSA employee who was outside the expected attack profile, then pivoted across the organization until they reached a file server containing SecurID token seed values.
- Lack of enterprise-wide security discipline will bite you in the end. All too often I've heard third-party CISOs and security professionals argue that severely vulnerable internet-facing systems don't matter because they are "low risk" and unrelated to the customer environment. But ask yourself: do you trust an organization that spends more energy justifying the operation of vulnerable online systems than it would spend just fixing them?
Third-party cyber risk management is ultimately about trust. Do you trust that moment-to-moment, day-in and day-out, your vendors will reliably protect your risk interests? Do you trust a vendor that has a 10 percent internet system software patching failure rate? Do you trust a vendor that only focuses threat intelligence operations on some internet points of presence but not others?
The systems hosting your data may be patched, but vulnerabilities in other systems can be exploited to reach the ones where your data resides. If the vendor performs poorly as an enterprise, that poor performance will eventually show up in the systems relevant to you.
Be very cautious of vendors who contend that their larger enterprise security program is none of your concern. That very argument demonstrates a lack of understanding of the cyber threat landscape. As Geoff Belknap, CISO of Slack put it, "If your business makes money by collecting, hosting or processing data from others, you're a security company. Act like it."