The world is agog at a news report that Russian intelligence two years ago stole classified U.S. National Security Agency documents from a contractor’s laptop. However, there are Canadians organizations as well that have fallen victim to attacks via third parties.
Those most recent, ITWorldCanada.com has learned, occurred several weeks ago when a company in the financial sector suffered a ransomware attack delivered through a software company that created and maintained a custom application for it. To do the maintenance the software company had access to the on-premise server on which its application resided.
According to a forensic investigator with knowledge of the case, it is believed criminals compromised the computer of a one of the software company’s employees through a phishing attack, which let them get into the financial service’s company’s system. From there they launched the ransomware attack.
The company had to pay the equivalent of $85,000 in bitcoin to get access back to its data.
“Cyber criminals are increasingly targeting third parties that can serve as an easier attack vector to their clients data,” notes Toronto- based cyber security expert Kevvie Fowler, . “There have been several high profile examples such as law firms and cloud providers,  who were targeted by criminals looking for sensitive data of one of the suppliers clients. Aggregators such as insurance providers and regulators who have a lot of sensitive data belonging  to several clients are also at risk.”
According to a summary of a survey (registration required) for risk management and compliance firm Opus by the Ponemon Institute, 56 per cent of respondents said their firm suffered a data breach caused by a third party, a seven per cent increase from the same survey done in 2016. The new survey also found that 42 per cent of companies experienced cyberattacks against third parties that resulted in the misuse of their company’s sensitive or confidential information, an eight per cent increase from 2016. Three-quarters of respondents believed the total number of cyber security incidents involving third parties are increasing.
The number of third parties an enterprise deals with can be significant. Of those respondents who said their company has a list of third parties it shares sensitive information with, 21 per cent said there were 1,000 names on the list and 19 per cent said there were between 500 and 1,000 names on the list.
Arguably the most memorable third party attack was the 2014 Target stores breach, where attackers got into the chain’s point of sales system through an HVAC (heating and ventilation) supplier. More recently, attackers leveraged the software update process of an accounting software provider in Ukraine to spread the Notpetya/ExPetr ransomware.
Canadian organizations do see third party organizations as an extension of their own and an important focus of their security program, Fowler said. Those who follow leading security practices know the level of security at third parties should be equal to or greater than that of their clients. The way it is enforced is mainly through the contract. Still, he adds, “many Canadian organizations struggle embedding the contractual terms and conditions that will allow them to govern into the contracts. This is especially present when dealing with large third parties such as cloud providers.”
Fowler said leading CISO’s use these methods to protect sensitive data from exposure by authorized outside parties:
- Segregating sensitive data and applying restrictive permissions granting only those with explicit reasons access to the data;
- Leveraging behavioral analytics to identify anomalies in employee behavior which may associated with an active or forth-coming data theft. For example an authorized third party logging into a system and copying a large number of sensitive data records to a USB key, although being an allowed action, would be non-standard if other users in the team don’t exhibit the same behaviour;
- There is an increase in insider attacks. Many organizations are leveraging security awareness training to educate employees, including third parties of cyber risks. However, they are also using the training to discuss the importance of detecting insider attacks,  at a high level, the investments they are making in doing so and how employees can report suspicious behaviour anonymously . The joint-messaging of the training helps protect data from unintentional and intentional exposure.
John Pescatore, director of the SANS Institute, said in an interview that a digital rights management solution that encrypt documents can ensure third parties aren’t downloading sensitive information. Windows Active Directory Rights Management Services does this through enforcing access. However, he added, DRMS only protects Microsoft Office files, not PDFs or other document formats. “There are no universal solution to this problem that works across everything,” he said.
Other access/privilege management solutions can be granular, restricting document access to one server or system, or forbidden from using Telnet or accessing the command line, he added. Logging everything a third party does is also useful. Supply chain security should also include a requirement that vendors/suppliers undergo a security audit.
Robert Steadman, vice-president of security and compliance consulting at the Herjavec Group, which has offices in four provinces, says any requirements for information or facility access by a third party should be integrated into contracts before consultants are allowed into work with an organization. “Security and technology consultants especially, given the access and sensitivity of what they are doing, should be prescreened and sign nondisclosure agreements, which helps to protect the organization from possible intentional or accidental breaches of confidentiality,” he said in an email. “The ability to take paper documentation out of a company may not be able to be restricted, so there needs to be repercussions to the individual consultant if such unauthorized activity occurs.”
“If the organization does not want the consultant to disclose any details about the business relationship, nature of work, or particular system configuration, the organization must write these restrictions into the contract. Consultants often request permission to use work as reference to other companies as part of their resumes, but a client organization is not obligated to grant this permission.”
He offers this advice:
·         Have consultants review and agree to the same set of policies as regular full-time personnel;
·         Restrict any system access on a least privilege basis to only that information required to do the specific task that they were hired for;
·         If access has been granted to sensitive information or systems, then monitoring of that login ID can be enabled to ensure that no undesired activity has occurred
·         When the consultant leaves make sure all access granted should be revoked;
·         Audit/assess any external communication links to ensure that privacy and confidentiality stipulations are being enforced, and no unauthorized access or data transfer has occurred.