[BreachExchange] Weak Security Socializes Risk

Destry Winant destry at riskbasedsecurity.com
Mon Aug 27 09:04:38 EDT 2018


https://www.securityweek.com/weak-security-socializes-risk

Rather than some technical development, I was recently intrigued by
something more “social” in nature, specifically the important levels
of trust so many companies place in one another. Even while on my
recent (otherwise) blissful vacation, I couldn’t miss the news in the
New York Times and here in SecurityWeek that a small company had
exposed 157 GB of highly sensitive data from over 100 customers,
including the likes of GM, Ford, Fiat Chrysler, Toyota, Volkswagen and
Tesla. The exposed data trove included everything from assembly line
schematics to employee VPN access information, along with the small
company’s own corporate contracts, bank account details, and scans of
employee passports and driver’s licenses.

Are you a trojan horse?

I’m not an economist and hardly qualified to weigh the overall costs
and benefits of the accelerating interconnectedness of our modern and
frequently “virtual” economy. However, I can speak with modest
authority to one real and specific risk, which very obviously many
businesses still must take to heart and more aggressively manage,
namely the ability of a single company to cause significant damage to
their vendors, customers, and partners by being the weakest
cybersecurity link in whatever business ecosystem they inhabit.

Enabled by technology, and in a quest for speed and efficiency,
companies today grant business partners access to corporate data and
to all sorts of systems, with the expectation that the partner won’t
turn out to be a trojan horse, carrying hackers and their malware (and
trojans...) into the heart of their business.

This is not a new problem, but anybody feeling complacent should
understand that it is a growing one. As business models evolve with
technology and the degree of economic interdependency keeps growing,
so does the shared “supply chain risk.” A lot of discussion of this
phenomenon cites the annual Ponemon Institute survey of large
companies on exactly this subject: data risk due to third parties.
Often quoted is the survey’s finding that the number of companies
experiencing a data breach caused by a third party keeps rising
year-to-year, with over half now indicating they have had that unhappy
experience at some point.

This was, for me, important confirmation, but not a shock. The number
from the study which did surprise me was the average number of
companies the survey respondents said they had given access to
“sensitive information” – 471! – with the median around 100. Imagine
if you gave 471 friends a copy of the key to your house – you trust
them all, of course, because they’re your friends (right?). But what’s
the likelihood of one of them not being as conscientious as you would
like?

Socializing risk

The 25 percent growth year-to-year in the number of companies with
access to sensitive information also deserves attention, and I connect
this rate of growth in interdependency to the growing number of
“supply chain hacks” in the headlines, where a small- or mid-size firm
has found itself at the center of the uproar. Among the more famous
ones, there was the Target hack via an HVAC vendor employee who
received an email carrying a password-stealing malware attachment, the
Home Depot multi-stage attack which began with stolen vendor
credentials, and the Wendy’s breach via a supplier with remote access
to cash registers.

In each case (and hundreds of others), the cost of ineffectual
security fell hard on someone other than the initial victim, a kind of
modified “moral hazard” problem, where one pursues risky behavior
because the consequences are diluted or even transferred elsewhere. I
say “modified” because I’m certain the weak links in this chain
weren’t being reckless, and I believe they also suffered consequences.

But I think there is something to be said for the idea that too many
businesses today continue to “underthink” and underinvest in the
necessary layers of security, and therefore are, deliberately or not,
guilty of socializing their risk. The fact is that many small- to
medium-sized businesses are still relying on solutions they
implemented some time ago – adequate for yesterday’s threats, but not
our current and fast-evolving threat environment. Or, they think they
can “fly under the radar” when it comes to making even a modest
investment in appropriate layers of cybersecurity. Although perhaps
they won’t be able to do that for much longer, as security is
increasingly a factor when companies choose new suppliers.
