Homepage Cybernetic Global Intelligence newsroom

The Domino Effect – One Hack to Rule Them All

Announcement posted by Cybernetic Global Intelligence 04 Aug 2015

Learn how hackers are leveraging your business partners

The increasing sophistication of hackers and their repertoire of attacks has made cyber security a must for companies and many have done a good job of beefing up their defense mechanisms in response. However, what many of even the largest and most successful companies often fail to do, with detrimental consequences, is ensure that their subcontractors, partners, supply chain members and others with network or application access maintain the same level of vigilance and defensive frameworks when combating cyber threats.

Criminals are finding that third-party partners may provide relatively easy access to confidential data, and are increasingly committed to exploiting these opportunities. Hacking just one third-party supplier or partner provides criminals with an indirect path to ill-gotten gains from hundreds of companies involved with that vendor. This makes for an increasingly popular and lucrative tactic because most organisations make no effort to assess the cyber security practices of their suppliers. In fact, the 2014 Cyber Crime Survey found that about 70 percent of organisations fail to vet the security of third party providers, placing themselves at risk of security slips of their trusted partners.

Every week the news are littered with reports of security breaches caused by security lapses of business partners or vendors. The most prominent of these breaches last year were Target and Home Depot, however, other companies such as Bell Canada, Dropbox and Snapchat also deserve a mention. A Montreal-based telecommunications company, Bell Canada, had confidential account information of more than 22,000 of its customers exposed after an attack on its third-party supplier, and Dropbox and Snapchat had nearly 7 million usernames and passwords and 100,000 photos leaked respectively, after both falling prey to data breaches through third party apps. While these breaches may be old news today, the lessons learned are just as relevant now, if not more so, as they were a year ago.

One of the major reasons for Target’s data breach was its failure to properly segregate systems handling and sensitive payment card data from the rest of its network – a security lapse that many organisations today are still prone to. The initial intrusion into Target’s systems occurred when the retailer’s network credentials were stolen from a third party heating and cooling subcontractor that worked with Target and several other popular retailers. 

After uploading malware to Target’s point-of-sale devices, intruders gained access to approximately 40 million debit and credit card accounts over a two-week period. As a result of the breach, Target could now be facing losses of up to $420 million in bank reimbursements, fines, legal fees, and customer service costs.

Another example of similar proportions is the case of Home Depot, the world’s largest home improvement chain, which in 2014 reported that criminals used a third-party vendor’s credentials to enter its network and deploy custom-built malware across self-checkout systems gaining access to 56 million credit and debit card accounts in Home Depot’s North American market. What all of these cases show, is the risk companies face when organisations they share information with fail to take critical steps to safeguard it. The fact of the matter is, your third party vendors are simply not as invested as you when it comes to protecting your clients. As we become increasingly reliant on third-parties and continue to trust them with our data the scale and frequency of cyber-attacks exploiting this will only continue to grow.

Although the outlook is glum, there are several practical steps you can take to mitigate the growing risks associated with third-party security lapses. These steps will require you to implement security controls to ensure secure access to protected systems, or to avoid Target’s mistake – segregate your systems handling and sensitive payment card data from the rest of the network. Conduct a comprehensive inventory of all service providers and determine which pose the greatest risk. Vet all existing and prospective vendors for any security breaches they may have experienced and their subsequent remediation steps, carefully review all contracts for details regarding the vendor’s responsibilities and liabilities in the event of a breach (e.g. employee background checks, encryption of data, timely notification of breaches, etc.), and be ready to switch providers if problems arise.

When selecting service providers that will have access to sensitive information be sure to choose those that that employ strong, two-factor authentication, monitor and log user activity, and encrypt their network traffic. Last but not least, demand that your vendors and partners conduct thorough security checks including yearly Security Audits and Penetration Tests to maintain the highest level of vigilance over their networks. Taking these steps will ensure that every link in your security chain remains strong and insulates your business from possible attacks.