Are your vendors the weak link in your cybersecurity?
Published: Jul 03, 2017
Author: John Grim, Marc Spitler
Everything’s in place. You’ve got firewalls and secure networks. Data is encrypted and you use two-factor authentication. Your security hygiene processes are followed to the letter and your staff knows how to spot the warning signs of a potential threat. You’ve done everything you can to prevent a data breach — or have you?
More connected, more risk.
To improve customer experience and realize more efficient workflows, you’re working more closely with your vendors and partners. And that means you’re giving them more access to your IT systems. You’re sharing customer data with partners so that you can offer new products and services. You’re using Software-as-a-Service to give you the latest collaboration tools. And you’re hosting more and more of your critical services — from your customer-facing websites to your Incident Response Plan — with third-party cloud providers. Today, you’re more connected than ever. But that also means you could be more at risk.
Cybercriminals want an easy way in — they’re not going to exhaust themselves by trying to break through robust defenses. They’re going to search for the weakest link, the lowest hanging fruit, the path of least resistance. That might not be you. But if your vendors aren’t investing the same time and money into cybersecurity as you are, you could still wind up the victim.
This isn’t a hypothetical situation. We’ve seen many examples of cybercriminals using vendors or partners as a route to their intended victim. Take an attack on an e-commerce site investigated by the Verizon Threat Research Advisory Center | Investigative Response Team (formerly known as the RISK Team). When checking out online, customers found that their initial transaction failed and that it went through only on the second attempt, after they had re-entered their payment card details.
Upon investigation, it was found that cybercriminals had set up a fake payment page to harvest card data; once the initial details were entered, the fake page redirected to the legitimate one so that the transaction completed and discovery was delayed. The weak link was a low-cost cloud services provider based in one foreign country, with its servers located in yet another.
What should you do?
Reviewing a vendor’s cybersecurity posture should be part of the same basic audit process you apply to any vendor. That means assessing both its defenses and its approach. And, given that no defense is 100% effective, it’s important to understand where your data will reside and how quickly you’ll be able to react if there is a cybersecurity incident.
Here are some questions you should be asking before you sign a contract with a vendor:
- Has your provider got the basics covered? It should have a regular patching process, segment critical systems and use robust authentication. And it should be able to show that its staff understand the risks and know how to spot the signs of a cyberattack.
- Where will your data be residing? If your vendor is using a third party, you need to understand the risks to your data. You also need to know where your data is — and how to get to it quickly — so that you can carry out timely forensic investigations if there is a cybersecurity incident.
- Does your contract oblige your provider to assist during an incident? Without its help, you may never be able to identify what’s gone missing or how an attack was committed.
Knowledge is your best defense
Before you can build strong defenses, you need a thorough understanding of the cybersecurity risks you face. The 2017 Data Breach Investigations Report will help you do that. We reviewed over 40,000 security incidents and almost 2,000 confirmed data breaches to compile this unparalleled source of information on cybercrime. It provides actionable insight on the biggest threats your industry is facing and how you can mitigate the risks. Read it and share it with your partners and providers.
Want to find out more about the e-commerce attack mentioned in this article? You can read the scenario in the 2017 Data Breach Digest. In addition to the scenario discussed above, “Cloud Storming – the Acumulus Datum,” the Data Breach Digest includes details of 15 other investigation scenarios that cover some of the biggest cyber threats you may face. Each of these is told from a different Incident Response stakeholder point of view to help illustrate the complexities and perspectives of modern day data breaches. We walk you through each scenario, from initial incident detection and validation, through response and investigation, to resolution and lessons learned.
As a senior manager of the Verizon Security Research team, Marc Spitler leads the team in its mission to collect, analyze and distribute data to measure and manage information risk. Marc is also involved in the continued development of the Verizon Enterprise Risk and Incident Sharing (VERIS) framework, which aims to better define security incidents. He regularly consults with organizations on VERIS implementations as part of their incident response processes, as well as contributes to Verizon’s Data Breach Investigations Report series.
John Grim, the primary author of the Verizon Data Breach Digest, has over 15 years of experience in conducting digital forensic investigations within the government and civilian security sectors. Currently, John serves as a part of the Verizon Threat Research Advisory Center (VTRAC) and leads a team of highly skilled technical digital investigators. In this capacity, John responds to cyber-security incidents, conducts on-site data breach containment and eradication activities, performs digital forensic examinations, leads pro-active data breach response preparedness training and tabletop exercises, and conducts e-discovery and litigation support for customers worldwide.