When we think about the security of our customers’ HR and payroll information, one of the key focus areas for our security team is the suppliers we use. We all know the importance of suppliers and it’s reinforced on a daily basis by the news of data breaches.
The most recently published data breach is the one that impacted MOVEit, a managed file transfer software product. While ELMO doesn’t use the product, many other companies have been impacted.
When these types of breaches occur, we analyse them to see what can be learnt, in particular the techniques that were used in the attack. We then create training for our technical teams to make them aware of these real-world risks and how to mitigate against them.
Suppliers are a valuable target for hackers
We all hold valuable sensitive data in our systems, either about our company’s operations or our customers. Often suppliers process a company’s data to perform services the business requires but does not want to own, as it does not make economic or operational sense.
Unfortunately, such relationships create both opportunity and motivation for hackers to access greater amounts of data, given the increased ‘security surface’ that exists across the supplier and all of its customers. In a perverse way, hackers are driven by the same economic incentives as the rest of us, and a targeted attack on a supplier gives a greater return for the cost and effort.
This focus on suppliers is evident in the number and scope of reported data breaches. The MOVEit data breach is a case in point, with global private companies and government departments impacted due to a simple SQL injection vulnerability. It is estimated that 16 million people were caught up in this data breach. It just goes to show that we now live in an age of ‘large-scale industrial’ data breaches.
Understanding data sensitivity and risk
Here at ELMO, we are very mindful of the sensitive data that we process and we take a detail-driven approach to risk mitigation, which pays particular attention to the use of suppliers.
The amount of data processed by a supplier, and its actual sensitivity, has a direct impact on the risk incurred. For example, a supplier that processes credit card information is considered more sensitive than one dealing with leave entitlements or holiday planning. It’s a question of what benefit a hacker could gain from the data, and what security controls the supplier has implemented to minimise the risk of an attack.
This sensitivity analysis is performed during the initial stages of a Supplier Security Review. It sets the threshold of minimum controls you expect to see in the supplier application. A structured security review can also reveal how the data is used and whether that usage is warranted, making sure that both the transfer of data and access to it are kept to a minimum.
How to assess your third party suppliers
Thoroughly vetting your vendors can be challenging without the right knowledge. To help, we’ve outlined six key areas to consider when assessing and managing the risks involved with third parties.
1. Security certifications and personnel
Something we always consider is whether a supplier has their own security certifications. We say “their own” because whilst their IaaS provider has security certifications, this only goes so far. It’s quite possible to use a secure cloud provider and host an insecure application within it. So, we check if the supplier has ISO 27001 certification (or equivalents). We also check to see that they have security roles with the right security experience in the organisation.
2. Cloud based or on-premise?
It can be convenient to tie the usage of cloud services to an on-premise solution, but this can make it more difficult to assess risk, as there are multiple paths of attack across an increasingly complex security surface.
The MOVEit breach highlighted a common attack method: SQL injection. Some MOVEit clients had the on-premise solution installed on a Windows Server, which provided secure file transfer and had HTTPS remote access for management. The SQL injection that started the breach was delivered via that HTTPS remote access, because corporate firewalls could not ‘see’ into the HTTPS traffic to block the SQL injection. Securing against such an attack requires Corporate IT to set up an HTTPS proxy at the network edge to inspect the traffic and forward it on to the MOVEit instance. This can be challenging to set up correctly.
In some cases, the cause may have been an unfortunate error: the purchasing company selected the cloud solution but actually implemented the on-premise solution, or Corporate IT did not set up the appropriate proxy. The cloud and on-premise solutions should have been considered separately for risk analysis and approval.
A key takeaway from this is that an on-premise solution might prove less secure than a cloud offering as it requires specific network security knowledge, something that may not exist on the customer’s side.
3. The data lifecycle and retention
All supplier integrations have a data processing lifecycle, in that they take data, process it, and return results. A Supplier Security Review will assess the suitability of these processes. Data retention, however, is also critical as the more data a supplier ‘hangs on to’ the greater the risk.
So, you need to determine:
- What data and how much a supplier stores.
- How long they keep such data and under what conditions it is deleted.
You will often see this described in a Data Retention Policy or in the Terms & Conditions. Suppliers will often have legitimate reasons for keeping customer data for specific retention periods, such as Disaster Recovery or operational backups.
You also need to consider where and how they store such data. Is it encrypted at rest? Can you request it to be deleted?
Remember, if you keep your customers’ data within a supplier application and that supplier suffers a data breach, you will need to contact those customers. That’s why opting for minimal data retention reduces your risk.
4. Keeping a Supplier Register
Shadow IT remains a reality for many organisations and represents ‘unknown’ risk. Use all of the tools available, including awareness campaigns, to identify every supplier used in the business.
Maintain a supplier register that contains the following information:
- The internal owner for the application
- Who is responsible for provisioning and deprovisioning access
- Information classification and data maintained
- Data retention periods
- Supplier risk ratings and criticality
- Supplier review dates
Such a register is an effective way of matching announcements of vulnerabilities to suppliers, so you only need to inquire with those suppliers that may be impacted.
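As an added illustration (not ELMO's own tooling), here is a minimal supplier register in Python with the fields listed above, plus the two lookups the register exists for: matching a vulnerability announcement to the suppliers that may be impacted, ranked by risk rating, and listing entries whose scheduled review date has passed. All suppliers, products, owners and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Supplier:
    name: str
    product: str          # product name, used to match vulnerability announcements
    internal_owner: str   # internal owner for the application
    access_admin: str     # who provisions and deprovisions access
    classification: str   # information classification of the data held
    data_held: list       # data categories the supplier maintains
    retention_days: int   # agreed retention period
    risk_rating: str      # "high" / "medium" / "low"
    criticality: str
    next_review: str      # ISO date of the next scheduled supplier review

# Constructed register entries: hypothetical suppliers and products, not real vendors.
REGISTER = [
    Supplier("PayrollCo", "PayFlow", "HR Operations", "IT Service Desk", "restricted",
             ["salaries", "bank details"], 2555, "high", "critical", "2023-09-01"),
    Supplier("FileMover Ltd", "SecureTransfer", "Finance", "Finance Manager", "confidential",
             ["payslip exports"], 30, "medium", "important", "2024-03-01"),
    Supplier("LeaveBuddy", "LeavePlanner", "HR Operations", "HR Operations", "internal",
             ["leave balances"], 365, "low", "standard", "2023-01-15"),
]

_RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def suppliers_affected(register, affected_products):
    """Match the products named in a vulnerability announcement to register entries
    (case-insensitive on the product field), highest risk rating first."""
    wanted = {p.strip().lower() for p in affected_products}
    hits = [s for s in register if s.product.lower() in wanted]
    return sorted(hits, key=lambda s: _RISK_ORDER.get(s.risk_rating, len(_RISK_ORDER)))

def inquiry_list(register, affected_products):
    """Who to contact per impacted supplier: the internal owner, and the person who
    can disable access while the supplier confirms its exposure."""
    return [(s.name, s.internal_owner, s.access_admin)
            for s in suppliers_affected(register, affected_products)]

def reviews_overdue(register, today_iso):
    """Names of entries whose scheduled review date has already passed."""
    today = date.fromisoformat(today_iso)
    return [s.name for s in register if date.fromisoformat(s.next_review) < today]

if __name__ == "__main__":
    # Constructed announcement naming the "SecureTransfer" product.
    for name, owner, admin in inquiry_list(REGISTER, ["SecureTransfer"]):
        print(f"contact {owner} (owner) and {admin} (access) about {name}")
    print("overdue reviews:", reviews_overdue(REGISTER, "2023-06-01"))
```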
5. Appropriate access controls
Depending on the sensitivity of the data processed in supplier systems, appropriate access controls need to be in place. So, for instance:
- Does the tool support SSO (Single Sign On) or MFA?
- Can access be restricted by IP?
- Are there different levels of admin roles?
The goal is to have the most control over those systems which process the most sensitive data, and if a system is unable to meet those requirements, reject it.
You also need to consider how access provisioning and deprovisioning are done. Is this something IT can do? Or is it something the internal owner is expected to do? This should be recorded in the Supplier Register.
6. Regular supplier auditing
Something we recommend is to review your suppliers on a regular basis. If you are ISO 27001 certified, a good time to do this is during internal security audits.
This provides an opportunity to reassess the security controls and to check whether the tool is still being used as originally intended. Is it still fit for purpose? It might be that the supplier has implemented additional security controls that you can take advantage of.
You can also check that data is indeed being processed in accordance with the Data Retention Policy and that ‘dead’ user accounts have been disabled or deleted in a timely manner.
Taking your supplier risk seriously
Suppliers increase your security surface and so managing them should be taken seriously. No supplier should be introduced into the organisation without being reviewed by the appropriately skilled personnel. Even “free” subscriptions should undergo rigorous reviews.
In addition, awareness of supplier risk should be communicated and understood across the organisation. Learn from others’ misfortunes, because every data breach has a lesson for us all. What the MOVEit data breach taught us is that not all data breaches are caused by human error. Instead, this breach was caused by an erroneous understanding of the technology being offered.