It’s not easy to tell what your personal devices are connecting to at any given time, so imagine having this problem at an organizational level.

These days, even small companies maintain complicated digital networks of partner companies, clients and customers. Even your standard garage door installation company is connected on the web to parts suppliers, IT services, software suppliers, partner companies, and employees who access company systems within or outside the office, on work devices and possibly personal devices.

It can be a task to count just how many digital connections go into and out of a standard garage door installation company. So, imagine the problem for a large, multinational corporation.

A large corporation will deal with dozens or, more likely, hundreds of external buyers and suppliers in order to carry out its day-to-day business. We’re talking about major service providers and manufacturers, sure, but even the little company that cleans the floors after work hours at one office location counts.

For a sense of just how many entities connect with a large corporation’s data infrastructure, here’s a breakdown of every supplier to General Electric.

What’s the Problem?

Third-party vendors can provide value and cut costs, and the web allows for efficient, real-time day-to-day business to take place. For example, a fast food chain might have an online portal where the HVAC company that provides air conditioning to eight of its stores can log in and monitor, in real time, the temperature at each of those eight locations. So far, so good.

The problem is that, in cyberspace, any information can encode malware. Therefore, every channel of digital communication is a way in which a cyber attack can be delivered. A company that connects to many other companies online, therefore, is exposed to many different attack vectors.

As an analogy, imagine you’re standing in a train car, carrying a lot of money in your wallet. If there are only a few people on the train, the chances that any one of them might pick your pocket are low, and so your overall chance of having your wallet stolen is low. If the train car is packed, the chances that any one person might pick your pocket are still low. However, the chance that your wallet is stolen is higher, because it’s more likely that at least one passenger is a thief, and it’s more difficult to defend yourself against 70 people than seven.

Each of the hundreds of companies that connect with General Electric on a daily basis can, in theory, provide a vector for an attack. If any of those companies are hacked, that hack might well seep into General Electric. Therefore, General Electric’s cybersecurity is, to an extent, dependent on the cybersecurity of hundreds of other companies they have no control over. That’s a dangerous position to be in.

Case Study: Border Control

This kind of third-party breach happens all the time, because it’s so effective for hackers. Smaller vendors tend to be less secure than the major organizations they service, so hackers simply break into the weaker target, typically via a phishing email sent to one or more employees, then worm their way to the real target via stolen credentials (e.g. username and password combinations for an online vendor portal). Any number of horror stories would suffice to demonstrate how this works in practice, but one particularly good example occurred a couple of years ago.

Have you ever heard of Perceptics? Probably not; they’re a small company, located in a nondescript building, in a town in Tennessee you’ve likely never heard of. Perceptics may well know more about you than you know about them. They make license plate readers, deployed across the U.S. at toll stations and border crossings. Your plate, the personal information associated with that plate, and whatever face you made behind your car windshield when a Perceptics camera snapped a photo may all be located in the company’s databases.

In the Spring of 2018, a hacker going by the name “Boris the Bullet Dodger” (a Guy Ritchie movie reference) identified Perceptics as an interesting target. It was part of a plan which, to most of us, would’ve seemed outlandish. Boris intended to hack the U.S. government.

You’d imagine that hacking the U.S. government would be quite difficult. Hacking Perceptics, however, didn’t seem all that hard. They’re a small, privately owned company, meaning they weren’t subject to the same security regulations as the government agencies they supplied.

That’s how Boris, a lone hacker, managed to steal around 400 gigabytes of U.S. Customs and Border Patrol data, including internal emails, documents, databases and more. The real victim of the attack, however, wasn’t CBP. It was thousands of ordinary people, whose license plates and pictures (captured, of course, without a choice in the matter) were dumped directly onto the dark web.

(Vice)

What to Do

Neither General Electric nor the U.S. government can stop independent, privately owned vendors from being breached. They (and other organizations) can, however, take steps to safeguard against the transmission of attacks into their own systems. For example, organizations can establish strict cybersecurity requirements which vendors must meet in order to do continued business. There’s also network segmentation, where an organization splits its IT network into distinct chunks, typically separated by firewalls, with tightly guarded communications channels between them. The benefit of a segmented network is that, if malware does arrive on one part of the network, it’s less likely to spread to other parts.

The most important step towards protecting against third-party attacks is to actually understand your wider business network, and take steps to mitigate its weak links. We call this “third party risk management” (TPRM): the practice of evaluating, managing and then continuously monitoring all of the third parties associated with your business. It begins with an assessment of each vendor, to identify any security (and regulatory) risks they pose. Next, you work with the vendors to patch up any vulnerabilities identified in step one. Finally, a 24/7 monitoring system is installed over your network in order to identify and excise any suspicious traffic before, rather than after, it can do serious damage.
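To make the segmentation and monitoring steps above concrete, here is an added example (it is not code from the original article, nor from any product mentioned in it). It models a segmented internal network with a few guarded channels between segments, records the outcome of each vendor assessment as the single segment and ports that vendor has a business reason to reach, and then runs constructed firewall log lines through those rules. Every vendor name, address range and log line is constructed for illustration; the finding categories (an assessed vendor straying outside its segment, an unassessed source reaching the network, and cross-segment traffic with no approved channel) are the ones the article's description of TPRM and segmentation implies.

```python
"""Toy third-party access monitor. Added example, not the article's own code.

It models two controls from the article: a segmented internal network with
guarded channels between segments, and continuous monitoring of vendor
traffic against the result of each vendor's assessment.
Every vendor name, address range and log line below is constructed."""
import ipaddress

# Internal network split into segments (constructed private ranges).
SEGMENTS = {
    "hvac_monitoring": ipaddress.ip_network("10.10.0.0/24"),
    "vendor_portal":   ipaddress.ip_network("10.20.0.0/24"),
    "corporate":       ipaddress.ip_network("10.30.0.0/24"),
    "finance":         ipaddress.ip_network("10.40.0.0/24"),
}

# Output of the vendor assessment step: where each vendor's traffic comes
# from (its published egress range) and the one segment and ports it has a
# business reason to reach. Anything else is a finding.
VENDORS = {
    "hvac-co":     {"source": ipaddress.ip_network("203.0.113.0/28"),
                    "allowed": {"hvac_monitoring": {443}}},
    "cleaning-co": {"source": ipaddress.ip_network("198.51.100.0/28"),
                    "allowed": {"vendor_portal": {443}}},
}

# Guarded channels between internal segments: (from, to) -> allowed ports.
# Nothing may cross from a vendor-facing segment into corporate or finance.
INTERNAL_CHANNELS = {
    ("corporate", "finance"): {443},
    ("corporate", "hvac_monitoring"): {443},
}

def segment_of(ip):
    """Name of the internal segment containing ip, or None if external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def vendor_of(ip):
    """Name of the assessed vendor whose egress range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, v in VENDORS.items():
        if addr in v["source"]:
            return name
    return None

def parse_log(line):
    """Parse a constructed 'key=value' firewall line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields

def evaluate(line):
    """Return a (severity, reason) finding for one log line, or None if the
    connection matches policy. Only connections the firewall allowed are
    evaluated; denied traffic was already stopped at the perimeter."""
    f = parse_log(line)
    if f.get("action") != "allow":
        return None
    src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
    port = f["dport"]

    if src_seg is None:                      # traffic arriving from outside
        if dst_seg is None:
            return None                      # external to external, not ours
        vendor = vendor_of(f["src"])
        if vendor is None:
            return ("high", f"unassessed external source {f['src']} reached {dst_seg}")
        allowed = VENDORS[vendor]["allowed"]
        if dst_seg not in allowed:
            return ("critical", f"{vendor} crossed into {dst_seg}, outside its approved segment")
        if port not in allowed[dst_seg]:
            return ("medium", f"{vendor} used unexpected port {port} in {dst_seg}")
        return None

    if dst_seg is None or dst_seg == src_seg:
        return None                          # outbound or intra-segment traffic
    if port in INTERNAL_CHANNELS.get((src_seg, dst_seg), set()):
        return None                          # a sanctioned channel between segments
    return ("critical", f"lateral movement: {src_seg} -> {dst_seg}:{port} has no approved channel")

def scan(lines):
    """Run the checks over many log lines; return (index, severity, reason) findings."""
    return [(i, *finding) for i, line in enumerate(lines)
            if (finding := evaluate(line)) is not None]

# Constructed firewall log lines.
SAMPLE_LOG = [
    "src=203.0.113.5 dst=10.10.0.20 dport=443 action=allow",   # hvac-co, in policy
    "src=203.0.113.5 dst=10.40.0.7 dport=443 action=allow",    # hvac-co reaches finance
    "src=198.51.100.9 dst=10.20.0.3 dport=22 action=allow",    # cleaning-co, wrong port
    "src=192.0.2.77 dst=10.30.0.15 dport=443 action=allow",    # nobody we assessed
    "src=10.20.0.3 dst=10.40.0.7 dport=445 action=allow",      # portal host -> finance
    "src=10.30.0.15 dst=10.40.0.7 dport=443 action=allow",     # approved channel
    "src=203.0.113.5 dst=10.40.0.7 dport=443 action=deny",     # already blocked
]

if __name__ == "__main__":
    for idx, severity, reason in scan(SAMPLE_LOG):
        print(f"line {idx}: [{severity}] {reason}")
```

Run as a script, it reports four findings from the seven sample lines: the HVAC vendor reaching the finance segment, the cleaning vendor on an unexpected port, an unassessed source reaching the corporate segment, and a host in the vendor portal segment reaching finance with no approved channel. The last of these is the pattern the Perceptics story illustrates: a foothold in a vendor-facing system being used to move toward the real target. A real deployment would read from the firewall or flow-log export and feed findings to the on-call team, but the policy tables are the part that TPRM produces and the part worth getting right.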

It’s not easy to manage all your ingoing and outgoing connections on a measly smartphone, let alone across a whole company. But it’s important. Understand your network better than your attackers do, and you’ll know how to defend it better than they know how to defeat it.