Teri Radichel


How well do you know your vendors?

Vendor due diligence and monitoring


Next in my series on Cybersecurity for Executives: your vendors. I recommend two primary questions to ask your security team: 1. How are we vetting our vendors? 2. Are we monitoring vendor activity? Those are two broad questions, so let’s break them down a bit more.

Get the full book by Teri Radichel in paperback or ebook format on Amazon: Cybersecurity for Executives in the Age of Cloud

First, a caveat: I wrote this post from the perspective of an organization in the United States. If you live in a different country, the same concepts apply, but you may have a different viewpoint regarding the location where vendors create and test products and services. Each country has its own political and national security concerns. I reference many news articles because they show where the data comes from for the points I’m making, but people in different countries may have different perspectives.

Due diligence on vendor products and services

Your security team hopefully invests a fair amount of time in determining the best policies to keep your organization secure. They take action to ensure that everyone follows the policies, which may include security awareness and training. Then your company hires a vendor or buys an application or security appliance. Maybe a department starts using a cloud service. That vendor gets access to your data. Is that vendor following the same security policies as your own company? How do you know?

Do not assume that a vendor follows best practices just because it is a larger organization, has more significant customers, or sells security products. Create a way to evaluate vendors to ensure their security policies are consistent with your own if you are allowing them to have access to or store any of your data. If you have critical requirements that mitigate the most significant cybersecurity risks to your organization, make sure your vendors meet those requirements. Ensure your contract with that vendor enforces any agreement to maintain security standards, policies, and best practices.

Vendors and data breaches

Before I explain things to consider when managing risk and vendors, I want to explain why this is an important topic. Let’s start by looking at some ways the use of vendor products can and has impacted the security of their customers. When I speak of vendors, I mean anything you buy from a third party, including products, applications, cloud services, or outsourcing IT and security functions. All these vendor interactions can be a point of entry into your organization’s network and data.

I already explained Cloud Hopper, but I am guessing this avenue to stealing organizational data is happening more than people realize. I want to highlight the issue with more examples of how vendors hired to manage your systems can be a source of risk. Just to recap, the Cloud Hopper campaign was initiated by APT10 in China. APT stands for Advanced Persistent Threat and refers to an attacker that may target a victim for years, persistently and in stealthy ways, to obtain information or perform some other type of cybercrime. APTs are often associated with foreign governments or organized crime groups.

Some companies outsource IT functions to MSPs (Managed Service Providers) or security to MSSPs (Managed Security Service Providers). Often these companies have remote access and the ability to update the software on client networks. Previous posts covered risks related to networks, data exposure, and deployment system risk. Also, some vendors store data for their clients. These articles highlight what happens when attackers get access to vendors and, in turn, their clients. It’s also good to consider the source of the attack and why that particular actor may be trying to access this data. News agencies, security, and government organizations in the United States and some other countries have accused China of stealing intellectual property for years. A data breach doesn’t just cause loss of customer information and fines related to laws like GDPR. The attackers may be stealing your core business value.

The breach of a German IT provider affected Airbus, Porsche, Volkswagen, and Toshiba.

Brian Krebs reports here how ransomware hit a Managed Service Provider (MSP) for dentists. In cases like this, the attackers are interested in making a profit by holding data for ransom. I explained some strategies to address this in my post on backups and disaster recovery. However, some ransomware is now moving towards threatening to expose data as well. It’s better to make sure vendors are implementing proper security controls in the first place instead of only counting on backups.

The increasing threats posed by the infiltration of vendors led to US-CERT warnings of increased attacks on MSPs and CSPs (Cloud Service Providers).

Vendor products — including and especially network and security products

Besides the consultants working for your company or vendors that store your data, be careful with vendor products you bring into or give access to your network, data centers, and cloud environments. Assess any sort of network-connected device, including laptops and especially network and security appliances. That also includes devices that plug into USB ports and network cables. Some types of malware are known as Trojan Horses because they mislead users about their true intent; any piece of equipment you install on your network could do the same.

Last year at DEF CON a security researcher announced he was manufacturing fake Lightning cables.

Make sure you understand the supply chain and where your vendor products are designed, developed, tested, and transported to your organization.

I focus on cloud pentesting for the most part, so I don’t pentest on-premises most of the time, though I have people who can do that and have certification to do so myself. In my advanced pentesting class, I was sitting next to someone who tests on-premises in corporate environments. She said that she always gets in. I asked her how, and she said it was usually the printer. I had a student in a class who formerly worked for a government agency and made claims about printers I haven’t been able to verify, but let’s just say printers may have facilitated some national security initiatives.

Have you inspected your printers lately for vulnerabilities? Do you ask your printer manufacturer how they secure the hardware and software? Do you monitor the network traffic coming out of your printer? I sometimes unplug mine from my network when I’m not using it at the moment because I am working on a revamped and more secure network. I have plans to do further inspection of the network traffic if and when I have time. In a large corporate network, you aren’t going to unplug your printer, so hopefully, you are monitoring that and all your other devices sufficiently for unexpected network traffic.

Of course, many IoT devices likely exist on your network. Do you ask your vendor about their security policies and developer training within their organization? Do you request pentest reports? Do you ask them about their supply chain and manufacturing processes? Numerous accounts of compromised IoT devices exist. From cameras to routers to fish tanks, anything connected to your network can be a source of infiltration, exfiltration, surveillance, denial of service attacks, or pivoting.
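One way to act on the questions above about printer and IoT traffic, as an added example that is not code from the original post: the Python below takes flow records (constructed here in a simplified NetFlow/Zeek-like shape) and a hypothetical device inventory listing the destinations and ports each printer or camera should ever reach, and flags flows that leave that baseline, along with how many bytes each device sent outside it. The inventory, the corporate address range, and the flows are assumptions for illustration.

```python
"""Flag devices (printers, cameras, other IoT) talking outside their expected baseline.

Added example, not code from the original post. The device inventory, the
corporate address range and the flow records are constructed for illustration;
flows are in a simplified NetFlow/Zeek-like shape.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # hypothetical corporate range

# Hypothetical inventory: what each device is and where it should ever talk.
INVENTORY = {
    "10.0.20.15": {"label": "printer-3rd-floor",
                   "allowed_nets": ["10.0.5.0/24"],   # print server and internal DNS
                   "allowed_ports": {53, 631, 9100}},
    "10.0.30.7":  {"label": "lobby-camera",
                   "allowed_nets": ["10.0.40.0/24"],  # NVR subnet only
                   "allowed_ports": {554}},
}

# Constructed flows: (src_ip, dst_ip, dst_port, bytes_out). The printer's 2 MB
# upload to an outside host and the camera's outbound telnet are the planted problems.
FLOWS = [
    ("10.0.20.15", "10.0.5.2",      9100, 48_213),
    ("10.0.20.15", "10.0.5.10",       53, 120),
    ("10.0.20.15", "203.0.113.44",   443, 2_140_000),
    ("10.0.30.7",  "10.0.40.9",      554, 90_000_000),
    ("10.0.30.7",  "198.51.100.23",   23, 512),
    ("10.0.50.99", "10.0.5.10",       53, 80),
]


def flow_problem(src, dst, port):
    """Return None if the flow matches the device's baseline, else a reason string."""
    device = INVENTORY.get(src)
    if device is None:
        return "unknown device, not in inventory"
    dst_ip = ip_address(dst)
    if not any(dst_ip in ip_network(net) for net in device["allowed_nets"]):
        scope = "off-baseline internal host" if dst_ip in INTERNAL else "external host"
        return f"{device['label']} contacted {scope} {dst}:{port}"
    if port not in device["allowed_ports"]:
        return f"{device['label']} used unexpected port {port} to {dst}"
    return None


def find_anomalies(flows):
    """Per-flow reasons, plus bytes each device sent outside its baseline."""
    reasons, off_baseline_bytes = [], defaultdict(int)
    for src, dst, port, nbytes in flows:
        reason = flow_problem(src, dst, port)
        if reason:
            reasons.append((src, reason))
            off_baseline_bytes[src] += nbytes
    return reasons, dict(off_baseline_bytes)


if __name__ == "__main__":
    found, volume = find_anomalies(FLOWS)
    for src, reason in found:
        print(f"{src}: {reason}")
    for src, nbytes in volume.items():
        print(f"{src}: {nbytes} bytes sent outside baseline")
```

The byte count matters as much as the flagged flow: a printer that sends a few hundred bytes to a vendor update server is a different conversation with the manufacturer than one that pushes megabytes out. In a real deployment the flows would come from your collector rather than an inline list, and a device missing from the inventory is itself a finding rather than something to skip.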

I already provided you numerous links above to reports about APT10 attacks and the link to the Chinese government. What about devices manufactured in China? Could those have embedded malware? Of course. Do they? I don’t know. I haven’t researched them all personally, but the possibility exists. If you are buying hardware and software manufactured or tested in China, you might choose to do additional due diligence. If the Chinese government was involved in APT attacks, what stops them from embedding malware in devices manufactured in China?

Just because a company has a U.S. office doesn’t mean it creates hardware and software in the same country. A recent case against a U.S. company called Aventura Technologies, Inc. claims that the company illegally sold Chinese goods it claimed were made in the U.S. The following article states:

Officials say Aventura’s actions endangered military personnel on U.S. Navy ships and military bases by selling them Chinese products with known cybersecurity vulnerabilities.

Be especially careful when purchasing networking and security products. Do not assume that every developer at a security company has had security training. Also, be aware that some may be very good at security, which could be good or bad depending on their motives. The people that are good at security could insert code that the people who are not so good at security won’t catch or understand. Speaking from first-hand knowledge, not every developer in every security company is well-versed in security.

Also, understand that large companies have many different products developed by different teams and lines of business. For example, I know some of the people at Cisco who develop StealthWatch Cloud and follow people who work on Duo on Twitter who are very well-versed in security. They may operate differently than the rest of the company, based on my personal experience working for a networking and security vendor, so I wouldn’t apply my knowledge of their expertise to all products at the company. Evaluate different products from the same company independently, as the processes and security knowledge of the development and test teams may vary. Additionally, the location where a company manufactures and tests each product may be different.

Even if an organization develops software for a product in the U.S., it might not be tested in the U.S. Understand the supply chain for products you buy and the laws in related countries. If an organization tests a security product in China, laws exist that may require a citizen to hand over information to the Chinese government — possibly including security vulnerabilities discovered in the product. It is not that person’s fault if that is what they are required to do by law in their country. Some countries are known for stealing the intellectual property of other countries. Be aware of these issues when you purchase products and how the device might obtain access to sensitive data.

An interesting debate ensued when Google produced the Titan hardware security key, manufactured in China, which competes with the YubiKey. The CEO of Yubico, which manufactures the YubiKey, said the device had Bluetooth security deficiencies. Later, Google did announce a Bluetooth flaw and recalled the devices. Quoting from the first article:

But Yubico’s CEO, Stina Ehrensvard, made it clear in a blog post that Titan was not made by Yubico. Ehrensvard also criticized certain aspects of keys that use Bluetooth.

Google has one of the most competent security research teams in the industry — Project Zero. Just because the company has some incredibly smart security researchers, don’t assume that knowledge also permeates the rest of the company. I once worked on a security research team that was not embedded in the day-to-day development and security decision-making at the company. I imagine other security research teams at other companies are structured the same way.

The Huawei 5G debate and why network products are so critical

Much debate has ensued over the use of products developed by Huawei to facilitate 5G networks. If you think about how network equipment works, all the data on the network flows through it. Some organizations design security products that perform the equivalent of a man-in-the-middle attack so they can inspect traffic and look for security problems. That means they break the encrypted connection and decrypt the data so they can inspect the data for security problems, and then re-encrypt it and forward it along.

Even if they do not advertise that functionality, if the traffic is unencrypted, or someone breaks the encryption, the company manufacturing the equipment could route a copy of the data to an alternate destination. They could also plant vulnerabilities that let them log in and access the data. In terms of breaking encryption, some say quantum computing is on the cusp of breaking the public-key algorithms that protect most encrypted traffic today.

As mentioned earlier, the Chinese government may force citizens and companies to share data with the Chinese government upon request. The CNBC article below states:

Huawei would have no choice but to hand over network data to the Chinese government if Beijing asked for it, because of espionage and national security laws in the country, experts told CNBC.

Many countries in Europe are debating whether to keep these products out of their networks. Here are some examples:

Germany is going to make a decision probably by the time I publish this blog post.

Companies in Norway have decided against using Huawei citing security concerns.

China is threatening consequences for governments that choose not to use their equipment.

Some of these are large and complex issues. Thoroughly vetting every product may be difficult for small organizations. Large companies can do more in-depth security due diligence that helps all the small companies that buy the same product, and their customers. They can help find and report vulnerabilities so they get fixed for everyone.

For example, Starbucks has WiFi hotspots in most of its coffee shops. If they thoroughly scrutinize their network vendors, all Starbucks customers that use Starbucks WiFi benefit. If Starbucks is lax, it potentially hurts customers. If companies that provide Internet connectivity like Comcast Xfinity scrutinize the security of devices they give their customers, that benefits the company and the customers. Citizens in countries making decisions about Huawei benefit from proper security due diligence by experts in cybersecurity — not politicians. In the case of the network backbone in a country, these decisions have a significant impact on national security as well.

How to evaluate vendors

How exactly can companies evaluate vendors? The following steps help with this process. You may evaluate each vendor more or less extensively depending on the size of your company, the sensitivity of the data you are storing, and your need to produce business value and complete projects. Taking any or all of these steps can help your overall security and push vendors to improve their security controls.

Define your Criteria
Research
Ask questions
Request documentation
Validate findings
Contracts and Insurance
Monitor

Define your criteria

The first thing you should do is define the criteria by which you evaluate vendors. If you do not define criteria in advance, vendor due diligence may be inconsistent. The other advantage of defining criteria upfront is that you can provide a standardized process to members of your organization. Then they understand that the process is not arbitrary but a process required for all vendors. You can also work to streamline that process so you can perform vendor assessments more quickly.

Once again, define and track exceptions. Some vendors may be accessing sensitive data. Others will not. You may have different levels of criteria and pre-defined exceptions for certain types of projects. For example, you wouldn’t let a one-person company host your sensitive data. However, you might let a small company with only a few employees or contractors provide training or specialized consulting that does not involve accessing, storing, or removing sensitive data.

If you are not sure where to start when defining a list of questions and criteria for how to select vendors, you can start with the questions in this book. These questions are relatively basic but can get as nuanced and detailed as you like based on the information I provided about each question. You can also use other standard assessment frameworks such as the NIST Cybersecurity Framework, CIS Critical Controls, or the CSA CAIQ (Consensus Assessments Initiative Questionnaire) to come up with a standardized checklist for vendor assessments.

Research

The first thing everyone in your organization can do before considering a vendor product or service is research. You can find a great deal of information about a company online before you even talk to them. You may determine after initial research that they are not a good fit and do not have to do additional extensive research.

Some things I look at initially before I even consider buying a product include looking at who works at or runs the company and who are the investors. Where do these people work? What is their background? Do they have security expertise, if it is a security or networking product? Where did they work previously? How long has the company been in business? Who are their other customers? Do they offer a list of office locations? Does it say where the company develops products and stores your data?

You can also look for statements and reviews from other customers, but be wary of false reviews, or competitor sabotage. As you probably know by now, there is a plethora of misinformation on the Internet! This information can be helpful, but evaluate the source of that information as well and don’t use it as your sole judgment on the quality of the company or service.

You can also ask security professionals questions through organizations like IANS (Institute for Applied Network Security). Full disclosure, I am a faculty member of IANS. However, I don’t typically take calls to recommend products except for possibly a comparison of different infrastructure cloud providers like AWS, Azure, and Google Cloud Platform. Some other faculty members can answer questions about different products and services they have used in several different product categories.

Look at any available documentation. You can evaluate the product documentation from the company on their web site to find out any security information they have publicly available. Also, you can look for any security assessments, audits, or certifications they have, such as SOC 2 compliance, CSA STAR, ISO, or other indications that they have had third-party review and validation of their security controls.

Read the news. You can easily search for news reports about the company by searching for the company name or product name in Google and then clicking the News link. You can find information about security issues and the company as a whole, but just like the customer reviews, be wary of jumping to a conclusion based on a news article. Some who write about cybersecurity tend to sensationalize issues, and additionally, initial reports sometimes turn out later not to be true.

Investigate the number of vulnerabilities related to the product or service you are using. You can use sources like MITRE’s CVE database, a site called CVE Details, and US-CERT advisories. If a company has repeated, serious vulnerabilities, you may want to ask them about those vulnerabilities and their internal software development training and practices. Note also that companies with no CVEs may merely not be reporting them, or they may not have a bug bounty or other mechanism for people to report vulnerabilities to them. At big companies, CVEs may be present in some products more than others. This example demonstrates again why you need to evaluate products independently.

Ask Questions

After doing initial research, ask questions. Use the criteria you have defined to ask questions about the vendor’s security controls that you could not determine from online resources. Document and track the answers to questions so you can refer to them later. I have helped with audits where the auditors later requested those assessments to review them for consistency and accuracy.

When asking questions, dive deeper if needed. Instead of asking, “Do you encrypt data?” ask the vendor what encryption algorithms they use, how they protect encryption keys, and who has access to those keys. Sometimes delving into the details reveals vulnerabilities a yes-or-no question would not uncover.

Request documentation

Even if your vendor tells you that they have specific security controls, request documentation to back up their claims. Try to get these things in writing if at all possible. Evaluate the documentation for completeness and accuracy. Sometimes documentation is out of date or missing the information required to evaluate the product or service thoroughly. Claims that vendors are not willing to put in writing may be suspect.

Validate findings

Validate the findings by testing when possible. For example, if a vendor gives you a free trial, you can pentest a product and evaluate the security controls in advance of purchasing the product. If you have the expertise, evaluate the hardware as well as the software. You may be able to perform a security audit or assessment of the vendor environment yourself. Then you can determine first-hand if the claims the vendor is making are valid. You can interview staff and review product and service information at a deeper level.

Some vendors may not allow this because they don’t want competitors to reverse engineer their products. In some cases, the vendor does not allow access to their data centers for security reasons. One great example is AWS (Amazon Web Services) data centers. Amazon does not grant access to their data centers because people are only allowed access on a need-to-know basis. Some security professionals complain about this, but my response is if they are letting me into the facility, to whom else are they granting access? I like that they do not let every random person come in for a tour. How can you deal with situations like this, where the vendor does not grant you access to validate security controls yourself?

First of all, if you are big enough, they let you in. The U.S. government did obtain access to assess GovCloud. Whichever company is bigger and needs the relationship more likely obtains what they request. However, if you cannot gain access, you can request third-party audits, attestations, penetration tests, and certifications. Although you were not able to personally do the evaluation, you can look at the paperwork, who performed the work, and the thoroughness and adequacy of the results related to your desired security controls.

Contracts and Insurance

With any vendor relationship, the responsibility for security controls may vary. Understand who owns each security control. AWS calls this their shared responsibility model, and the other major cloud providers have adopted something similar. For each vendor, determine what security controls should be in place for the product, service, or work to be performed. Then define who implements and maintains each control. If necessary, go further and determine how the vendor implements the controls, but be careful with defining specifics that may change over time. For example, instead of defining a specific encryption algorithm, state that encryption algorithms must be industry best practice or acceptable by NIST standards.

Next, make sure your contract addresses these responsibilities. I told a story about how my contract could have been an important factor when a vendor failed to back up all my data. Just because a vendor tells you they are doing something doesn’t mean they are doing it. If they fail to meet those obligations and a data breach ensues, how would a judge decide who is at fault if the case goes to court? In my experience, it comes down to the contract. I have faced issues on both sides of this problem, as a vendor and as a customer. It’s a good idea to have a lawyer who can tell you what laws apply and how the case may be decided in court if you have questions about enforcement of security policies.

Sometimes companies use insurance to offset the risk associated with vendor data breaches. They may try to get the vendor to cover the deductible that their insurance won’t cover and then have insurance cover the rest. Insurance is likely necessary in this day and age of data breaches and cyber threats, but insurance may not save you in all scenarios. First of all, as noted in my first blog post and others, the cost of a mega-breach is probably more than most insurance policies cover. Your insurance policy likely covers the average cost of a breach.

Besides the amount of coverage, you need to make sure that you are meeting any of the requirements in your insurance contracts to obtain payment in the case of a data breach. Insurance companies would be wise to request at least basic security controls. Finally, most insurance policies include a clause that excludes “acts of war.” What defines an act of war? That gets tricky. Most people say we are already in a cyberwar, as I explained in my first post.

Vendor monitoring

Once you have signed a contract with a vendor and start using that vendor, perform on-going monitoring. Many changes can impact your initial risk assessment. Products change over time. Product managers change. Developers change. Executives and company ownership may change. Product services and features change. Certain events may trigger a re-assessment of the vendor relationship. For example, each time you renew a contract, you might want to re-evaluate vendor security. If a company is acquired or executive leadership changes, that may be a good point for another evaluation.

In addition to changes at the vendor, the way your company uses the product or service may change. The original assessment may have approved the product for a particular use case and a specific type of data. Over time, people may start putting more sensitive data into the product, setting up new connections, or using additional features. I talked about monitoring compliance with security policies in another post. This monitoring also applies to the use of vendor products.

In terms of contractors, monitor both data and network access. Ensure they are using MFA to access your systems. Another post covers monitoring and incident handling, all of which apply to vendors just as it does to your employees. You also need to monitor your vendor contracts and insurance. As the industry changes, you may need changes to the agreements and level of insurance required to reduce the risk associated with data breaches. Other factors that may impact vendor agreements include new privacy laws like GDPR and the overall political environment if you are dealing with companies in other countries.
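As an added example of monitoring contractor access (not code from the original post), the Python below turns a vendor’s contract terms (its named principals, its declared source IP ranges, and the buckets it is allowed to read) into data and checks CloudTrail-style events against them: console logins without MFA, API calls without an MFA-authenticated session, access from outside the declared ranges, and reads from data outside the approved scope. The principals, ranges, bucket names, and events are constructed for illustration; the events use CloudTrail’s field names but are trimmed to the fields the checks need.

```python
"""Review a vendor's access against its contract terms using CloudTrail-style events.

Added example, not code from the original post. The vendor principals, IP ranges
and bucket names are hypothetical, and the events are constructed in a trimmed
CloudTrail shape (CloudTrail's field names, far fewer fields).
"""
import json
from ipaddress import ip_address, ip_network

# Hypothetical contract terms for one MSP, written down as data so they can be checked.
VENDOR_POLICY = {
    "principals": {
        "arn:aws:iam::111122223333:user/msp-oncall",
        "arn:aws:sts::111122223333:assumed-role/MspSupportRole/jsmith",
    },
    "source_ranges": [ip_network("198.51.100.0/24")],  # egress the vendor declared
    "approved_buckets": {"ops-logs"},                  # the only data they may read
}

# Constructed events, one JSON object per line.
EVENTS = r'''
{"eventID":"e1","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/msp-oncall"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventID":"e2","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/msp-oncall"},"additionalEventData":{"MFAUsed":"No"}}
{"eventID":"e3","eventName":"GetObject","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/MspSupportRole/jsmith","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"requestParameters":{"bucketName":"ops-logs","key":"2019/10/app.log"}}
{"eventID":"e4","eventName":"GetObject","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/MspSupportRole/jsmith","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"requestParameters":{"bucketName":"customer-exports","key":"q3.csv"}}
{"eventID":"e5","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/msp-oncall"}}
{"eventID":"e6","eventName":"GetObject","sourceIPAddress":"10.0.1.4","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"customer-exports","key":"q3.csv"}}
'''


def mfa_used(event):
    """ConsoleLogin records MFA in additionalEventData; API calls record it on the
    session. A long-term access key with no session context counts as no MFA."""
    if event["eventName"] == "ConsoleLogin":
        return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = event["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def review_vendor_access(event_lines, policy):
    """Return [{eventID, principal, findings}] for vendor events that breach the terms."""
    report = []
    for line in event_lines.strip().splitlines():
        event = json.loads(line)
        principal = event["userIdentity"]["arn"]
        if principal not in policy["principals"]:
            continue  # not this vendor; other principals get their own review
        findings = []
        if not mfa_used(event):
            findings.append("console login without MFA" if event["eventName"] == "ConsoleLogin"
                            else "API call without MFA-authenticated session")
        try:
            src = ip_address(event["sourceIPAddress"])
        except ValueError:
            src = None  # calls made on the vendor's behalf by an AWS service carry a DNS name here
        if src is not None and not any(src in net for net in policy["source_ranges"]):
            findings.append(f"source {src} outside declared vendor ranges")
        bucket = event.get("requestParameters", {}).get("bucketName")
        if bucket and bucket not in policy["approved_buckets"]:
            findings.append(f"read from bucket '{bucket}' outside approved scope")
        if findings:
            report.append({"eventID": event["eventID"], "principal": principal,
                           "findings": findings})
    return report


if __name__ == "__main__":
    for item in review_vendor_access(EVENTS, VENDOR_POLICY):
        print(item["eventID"], item["principal"], "; ".join(item["findings"]))
```

Running the file prints one line per offending event. In real use the events would come from a CloudTrail query rather than an inline string, and the policy data is the part worth keeping next to the contract: when the contract is renewed or the vendor is acquired, the principals, ranges, and approved data sets are what you re-check.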

Vendor Relationships

Outsourcing and vendor relationships may make sense when the service offered by the vendor is not your organization’s core competency. Products and services can help your company create efficiencies, obtain knowledge, improve security, get products to market, and sell them. Just make sure that when you purchase products or services from vendors, you perform the appropriate level of due diligence to allow the business to achieve its objectives while preventing exposure of customer data, business plans, or intellectual property through insecure vendor practices.


Teri Radichel | © 2nd Sight Lab 2019
