"I've been in the security business for 25-years. The industry spent the first 20 of those developing perimeter security products. Then five years ago, we simply let everybody in, building an ecosystem of third-party vendors and service providers that are now part of our federated enterprise," says Mo Rosen, COO, Xceedium.
Once attackers enter these small organizations, they access the large enterprises those small companies serve. The trust relationship that big enterprise shares with these small vendors manifests itself in networking and communications technologies that bridge the organizations and pass data between them with a degree of acceptance and approval. The large enterprise network errantly trusts the manipulations of the hackers as though these are approved behaviors of the small business.
The enterprise saw how a lack of emphasis on security on the part of third-party POS and HVAC vendors placed them as vulnerabilities for the large retailers that used their services. CSO reveals how any of these small enterprises share their vulnerabilities with large customers and how those big companies can push back.
A case of the malware measles
It is not uncommon for small vendors to let the robber in the back door (yes, a Trojan Horse, or figuratively), out the front door, and into larger concerns. Such is the case with the Managed Service Provider (MSP).
"The MSP installs computer updates and manages and fixes software, typically manually, from their office," says Kevin Jones, senior information security architect, Thycotic. When an attacker infects the MSP's network, that infection is communicable to the large enterprise customer through the Remote Access Connection, which is a common bridge between big business and small vendors.
Without a great deal of preparation and care, it is hard for the large organization to differentiate between an attacker and the MSP. "The MSP becomes the weak link in the large enterprise's security chain," says Jones.
How small companies make infection easy
Small companies open the door to attackers through a variety of unsecure practices. Small businesses delay security updates and patches due to a continuing concern over the purity and reliability of updates, particularly updates for Microsoft Windows and Office products. "A lot of the updates break Windows and Office, and that impedes the business, which affects the bottom line," says Jones.
Businesses will often wait a month to hear what happened to other companies who applied the latest updates before they risk using them. In the meantime, the companies that wait become infected by attacks that leverage those unpatched vulnerabilities. Deciding whether to apply the updates or wait is a 'damned if you don't, damned if you do' scenario. The large enterprise that trusts traffic from bedeviled businesses that delay patching is damned along with them.
In another ill-fated practice, small businesses neglect to enforce strong access credentials. "Small companies frequently use weak passwords," says Rosen. It is common for third-party vendors and contractors to use weak passwords when logging into large enterprise networks; these include networks for stores like Target or Home Depot. Often the small company employee is using the same password they use everywhere, whether for their personal Facebook account, Gmail account, or financial account.
That's why hackers who confirm a username and password for any account on the Internet will try that same combination of credentials on other sites they attempt to hack into, and why re-using credentials is a very bad idea. Logon credentials are only as good as password policy and policy enforcement. If the small enterprise can't enforce the use of long, complex, unique passwords, then they and their larger customers should expect to be infected.
Small business behaviors that invite trouble from attackers are as numerous as they are infamous. Small enterprise security policies that don't quell missteps such as employee downloads of unauthorized software, rogue Wi-Fi installations, and password sharing will actually promote such behaviors. If big business is going to suffer under these ties, they have to find a way to manage those relationships and their threat-laden baggage.
Mitigating the small company as security hole
To mitigate the security vulnerabilities that small companies bring to the table, the big enterprise has to move from a trust but verify model to a least privilege, zero trust model when working with these organizations. Permit the least access and permissions necessary to do the work required. Consider anything outside or inside the network as untrusted. Standard best practices when using least privilege, zero trust include network segmentation and enforcing up to date patch management, says Rosen.
Implement Privileged Identity Management (PIM) so that even if credentials are stolen it's very hard for the hackers to move laterally in the network. Privileged identity management makes it very hard to compromise another account. And those credentials are always rotated. "Even if they grab the credential, it's not useful for very long," says Rosen.
Big business should ensure that small businesses come into the enterprise with two-factor authentication. "The old expense of $75- to $100-per user for two-factor authentication no longer applies. Enterprises can now implement two-factor authentication at reasonable rates," says Rosen.
Large enterprises should use multiple intelligent, polymorphic next-generation threat detection technologies such as (but hardly limited to) behavior-based IDS/IPS and cloud-based web security scanning. These will help them to enforce the zero trust model and to find breaches that are coming in and that have already come in from the perimeter, whether from small concerns or otherwise. "The breaches are going to come in," says Rosen. It's a matter of mitigation, not elimination.
The large enterprise must use contracts with third-party vendors and service providers that require audits of their security. "The large organization has to require the audits and make sure they do them," says Rosen.
For large enterprise CISOs, hearing that their MSP/third-party vendor family is the security vulnerability that won't go away is like receiving a cold slap in the face at four in the morning. But just as they deal with every other threat, they must gather their resolve, acquire and target resources, determine how to live with second-hand vulnerabilities, and try to get a good night's sleep.
Feel free to leave the night light on.