[BreachExchange] It’s third parties, cry if you want to...

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 7 19:53:27 EDT 2018


You’ve got board support and the biggest cybersecurity budget. You’ve got
best-practice policies and procedures in place, hired the right people,
built state-of-the-art threat intel and other systems, you test
continuously and you have created a cybersecurity culture throughout your
organization. That’s great. But you still have a problem that is largely
beyond your control and that can render all that useless.

One of the most publicized hacks (and the one mentioned by almost all the
CISOs below) is the 2013 attack on US retailer Target and its payment
system that affected more than 41 million of the company’s customer payment
card accounts. The initial intrusion into its systems was traced back to
network credentials stolen from a heating and air conditioning (HVAC)
subcontractor that had access to the network for legitimate reasons.

Aside from the immediate stock price fall, the reputational damage and the
firing of the chief executive, the breach prompted a series of lawsuits
that were only finally resolved in 2017 when Target agreed to pay $18.5
million to settle claims by 47 states and the District of Columbia.

A large bank has thousands of different third parties, clients and
suppliers – and their clients and suppliers and so on. (Interestingly, the
Target hack itself forced banks, including Citi, to reissue debit cards
because of the amount of personal data that was stolen.) They are also
relying ever more heavily on Cloud providers – another subject that could
fill a book, but one that worries CISOs and institutional investors alike.

“The more you store stuff in the Cloud, the more vulnerable we think you
are,” says one. Sure enough, a big bank was hit with a third-party breach
in the last year. In July 2017, Milan-based UniCredit revealed, in a press
release marked ‘price sensitive’, that it had been the “victim of a
security breach in Italy due to unauthorised access through an Italian
third party provider to Italian customer data related to personal loans

A first breach seems to have occurred in September and October 2016 and a
second breach which has just been identified in June and July 2017. Data of
approximately 400,000 customers in Italy is assumed to have been impacted
during these two periods. No data, such as passwords allowing access to
customer accounts or allowing for unauthorised transactions, has been
affected, whilst some other personal data and IBAN numbers might have been
accessed... Customer data safety and security is UniCredit’s top priority
and as part of Transform 2019, UniCredit is investing €2.3 billion in
upgrading and strengthening its IT systems.”

The fact that the attack went undetected for 10 months and was apparently
only discovered by a new IT director is a serious concern and emphasises
how dangerous third-party breaches can be. Regulators are also becoming
worried about this form of cyber-risk. In January this year, the Office of
the Comptroller of the Currency (OCC) used its Semiannual Risk Perspective
report to stress the growing threats from cyber attackers in general, and
the security issues that the supply chain, the use of third-party security
solution providers and a growing connectivity with other platforms create.

“Companies that provide information technology products and services or are
otherwise part of the supply chain, including those that allow remote
access and system management, are increasingly targeted for cybercrime and
espionage,” the OCC says. “When exploited, these third parties provide back
doors into client businesses’ operations. This trend coincides with many of
the large breaches that have occurred throughout the last year.”


How do banks secure the supply chain? The first answer is somewhat
unsatisfactory. Banks are notorious for sending enormous questionnaires –
varying from 300 questions to more than 3,000 – to each other and everyone
else, and using the data gathered as the basis for evaluating third-party
security. The issues with this compliance-driven approach are obvious:
there is no standardization, making comparisons impossible; there is no
guarantee anyone will fill out a questionnaire accurately even if they try
to; there is huge duplication; and, at best, the results give an
out-of-date snapshot of a moving target.

“We have a whole team managing questionnaires that the vendors have to
answer,” says one bank CISO. “What do they do? In the Target breach, the
original compromise was in the HVAC vendor. In their questionnaire they had
said that they had AV [anti-virus] and listed the product and it listed a
freeware product! So, we do things like ask: ‘Would we have validated
that?’ We review that kind of thing and do a really detailed evaluation.
The problem is that I have 25 questions and someone else has 45 questions
and someone else has three questions. So the question is how do we
harmonize this process? We’re looking at how to create a set of utilities
to do this to give us standardization and compliance.”

A second answer is to build cybersecurity into contracts. The most basic
way to do this, as one CISO says, is to make sure that “our security
clauses include a clause that says that a third-party vendor’s security
clauses cannot be weaker than our own.” But, as he then adds: “It’s turtles
all the way down!”

Another bank explains its policy: “We have guidelines and templates which
set forth minimum terms for contracts with third-party vendors to mitigate
third-party cyber-risk covering notification, security, liability, data
protection, confidentiality and insurance. As regards material
subcontractors and fourth parties, these are required to be declared by the
responsible officer for any outsource due diligence process (ODP) and they
are recorded in the ODP inventory. Any use of subcontractors for the
delivery of services must be approved in advance.”

This sounds fine, but it offers no real assurance that what is essentially a
compliance process delivers real security. A better solution is to classify
suppliers into categories based on their level of access and proximity to
critical data, and to combine remote interrogation with site visits.

But there are problems there too, as one large institution explains: “We
divide our suppliers up into different tiers depending on criticality and
we do site visits for the most important ones. So we need to visit key
third parties. I reckon 100 vendors can be covered by one person in a year.
We have 4,000, not including really small ones. So, 40 people? No way I
have the budget. So we have residual risk. The FCA [Financial Conduct
Authority] says: ‘Is that good enough?’ and I say: ‘I don’t know.’

“And even if I was given the budget for those 40 people, I’m not sure I’d
spend it on them. I mean, look at Target: hit by its HVAC supplier. Would
they have been on my visit list? I don’t think so.” The most sophisticated
institutions have multiple mechanisms that layer questionnaires, site
visits, threat intelligence and dedicated third-party management processes.

One large US institution’s cybersecurity chief explains their method: “We
have 14,000 vendors who touch us, of whom between 300 and 400 are the most
critical and we track those. Over the last two years, we have invested in a
third-party management process way beyond simple information security. It
includes financial risk, compliance and, depending on how we have
risk-rated them, they get visits from us once or twice a year. Of course
that evaluation is only as good as the day we did the assessment.

“We also register our suppliers’ IP addresses and ranges with an external
monitoring tool, so if a vendor leaks data to a known bad bot or other
destination, it will send an alert to our threat intel guys. If that keeps
happening, we will call the vendor and tell them. They must disclose data
breaches, and we monitor the top 400 vendors constantly.”
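The supplier-range monitoring this CISO describes, written out as an added example that is not code from the original article or from any named institution: registered vendor CIDR ranges, a known-bad destination list standing in for a threat intel feed, and sample flow records are all constructed here, and a repeat threshold stands in for "if that keeps happening".

```python
import ipaddress
from collections import Counter

# Constructed: vendor name -> IP ranges the vendor registered with us
VENDOR_RANGES = {
    "hvac-vendor": ["203.0.113.0/24"],
    "payroll-saas": ["198.51.100.0/25"],
}
# Constructed: destinations a threat intel feed flags as known bad
KNOWN_BAD = {"192.0.2.44", "192.0.2.99"}

# Constructed flow records: source IP, destination IP, bytes sent
SAMPLE_FLOWS = """\
203.0.113.17 192.0.2.44 81234
203.0.113.17 192.0.2.44 77421
198.51.100.9 93.184.216.34 512
203.0.113.22 192.0.2.99 4096
198.51.100.100 192.0.2.44 100
"""

def build_lookup(vendor_ranges):
    """Flatten the registry into (network, vendor) pairs for matching."""
    return [(ipaddress.ip_network(cidr), name)
            for name, cidrs in vendor_ranges.items() for cidr in cidrs]

def vendor_for(ip, lookup):
    """Return the registered vendor owning this source IP, or None."""
    addr = ipaddress.ip_address(ip)
    for net, name in lookup:
        if addr in net:
            return name
    return None

def detect(flows, vendor_ranges=VENDOR_RANGES, known_bad=KNOWN_BAD,
           repeat_threshold=2):
    """Alert on vendor traffic to known-bad destinations; escalate repeats.

    Returns (alerts, escalate): every matching flow, plus the sorted list of
    vendors that hit the threshold and warrant a call."""
    lookup = build_lookup(vendor_ranges)
    alerts, hits = [], Counter()
    for line in flows.splitlines():
        src, dst, nbytes = line.split()
        if dst not in known_bad:
            continue                      # benign destination, ignore
        vendor = vendor_for(src, lookup)
        if vendor is None:
            continue                      # not a registered supplier range
        hits[vendor] += 1
        alerts.append({"vendor": vendor, "src": src, "dst": dst, "bytes": int(nbytes)})
    escalate = sorted(v for v, n in hits.items() if n >= repeat_threshold)
    return alerts, escalate
```

With the constructed flows, the HVAC vendor trips the threshold and is escalated, while the single payroll hit is recorded but not escalated.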

What about the lawyers?

Even with that level of focus, banks, like everyone else, remain vulnerable
to third-party cyber-risk. This is partly because those third parties also
have their own supply chains and partly because many supposedly
sophisticated sectors are way behind when it comes to cybersecurity. One in
particular is a real problem for the banks: law firms.

Even before the Panama and Paradise Papers leaks and the DLA Piper network
shutdown, law firms had been criticized by both the banks and the FBI,
among others, for not taking cybersecurity seriously.

Hardly any of the large global law firms even had a CISO until recently. It
was big news when Linklaters, two weeks after the DLA Piper incident,
advertised for its first-ever CISO – although the ad was only for a
fixed-term 12-month contract even then. And those that have had a CISO,
like Clifford Chance, have found it hard to keep them. “Cultural issues”
were the darkly muttered reasons by hires from the financial sector who
quickly returned to it.

This is a serious issue for the financial sector because of the sensitivity
of the data that law firms handle. What is the problem?

“Why don’t law firms take cybersecurity seriously? Easy,” explains the CISO
at a large financial institution. “Their key variable is profit per partner
– so they will invest in something if it pays for itself in year one, or
maybe if you’re lucky year two. Otherwise, no. If a significant investment
is suggested that will pull down profit per partner for years – or indeed
permanently – then the partners can simply walk. You might occasionally be
able to plan ahead and put in a technology budget for four years, but there
still has to be a positive return on investment for the partners at the end
of it.”

It is a simplistic explanation and law firm remuneration structures are
changing substantially, but banks and lawyers agree that there is a
cultural problem that involves both money and the attitude of nontechnical,
senior partners who neither understand the risks nor are used to being told
what to do by people they see as junior staff.

There is also a structural problem. The large global firms are not single
entities. They are federations of regional businesses and acquisitions
often structured as Swiss vereins or UK CLGs (companies limited by
guarantee) precisely to maintain that lack of centralization. The smaller
firms themselves are also de-centralized silos, organized around partners
and their specializations and clients.

These structures are anathema to modern needs for centralized IT,
centralized financial functions and centralized cybersecurity policies,
processes and risk management. “Law firms, because of their structure, find
it difficult to have centralized policies and they can’t drive large scale
change,” says one CISO. “They find it difficult to track compliance, and
people’s interpretation of cybersecurity tends to be different in different
parts of the organization and in different law firms across the sector. You
still have law firms saying: ‘Don’t worry about this, I have a great guy
doing this for us’. That is a huge red flag.”

Trickle-down effect

So what is the solution to the third-party problem – and law firms in
particular? One simple answer lies with the banks themselves. Banks cannot
afford to spend billions on internal cybersecurity only to have that
investment undone by the supply chain. They will increasingly refuse to
deal with suppliers who fail to secure themselves and in so doing will also
prompt their own suppliers to recognize that they too have a third-party
problem. This trickle-down will raise standards across the board.

As one bank CISO puts it: “The large organizations are very challenging to
the supplier base because they have invested huge amounts in their own
cybersecurity and they need to guarantee that. So they will drive
improvements down through the security posture of the smaller suppliers by
saying: ‘You don’t meet our standards against threat X and unless you do we
will not do business with you.’

“The suppliers are then saying: ‘Well if we have to do this with them, then
it will be the same with other banks, so we might as well fix this because
then we will be able to deal with all of the banks.’ Once they’ve done
that, they will then ask questions about their own supply chain and it will
become a normal part of contracts and it will become part of [corporate

As it does so, stakeholders – lenders, shareholders, customers and
employees (also at risk from poor cybersecurity at their employers) – will
demand increasing transparency on cyber-risks from all firms, further
driving change.

The refusal to work with the cyber-insecure is already putting pressure on
law firms. Banks are demanding physical access to check on security. At one
event recently, a UK clearer told an audience of legal IT specialists that
they would simply not work with firms unless they cleaned up their act.

Lawyers touting for new business are complaining that all they are asked
about is cybersecurity, but also say they are starting to take
cybersecurity staff on sales calls to reassure clients. Now that the issue
is hitting the business, law firms are beginning to change. Others will
have to follow.