The weak link

Robin Oldham, Head of Security Consulting Practice, BAE Systems, discusses what questions should be asked and what can be done to help protect businesses from cyber-attacks via a third party supplier network.

We all know that businesses outsource various tasks to suppliers, but the scale of this may not be widely known. According to the Arvato Outsourcing Index 2016, the ﬁrst half of 2016 saw £3.91bn worth of outsourcing contracts delivered in the UK - an increase of 19 per cent compared to 2015 ﬁgures. From managed telecommunications and payroll, to personal storage services such as Dropbox and internal messenger services such as Slack, traditional perimeters to company networks no longer exist.

Organisations need to be more aware of how their extended network is managing sensitive data and what security measures they have in place to protect against attacks. Organisations both large and small, rely on third party providers for a host of different services. This is a common business practice that can reduce costs and allow businesses to focus on their mission while suppliers take care of background tasks.

However, providers naturally require access to systems and data in order to deliver an efficient service. Therefore, these companies often hold large volumes of customer data and also may have privileged remote access connections into networks they manage.

This network connectivity, which exists between managed service providers (MSPs) and their customers, can provide a window for attackers to jump through if security precautions are not followed.

Top of the news agenda

The use of third party suppliers as an attack vector has been in the news recently due to a sustained and sophisticated cyber-attack on MSPs.

Known as Operation Cloud Hopper, we worked closely with PwC and the UK’s National Cyber Security Centre (NCSC) to uncover and disrupt what is thought to be one of the largest ever global cyber espionage campaigns. Our threat intelligence team conﬁrmed these intrusions were attributed to a cyber-espionage group known as ‘APT10’ who compromised several major MSPs in order gain to access to and syphon data from their customer’s networks.

Businesses need to manage their supply chain risk. In order to do this successfully, procurement and security teams need to collaborate and enable the business to deliver its products and services to customers whilst they are procuring the best and most secure MSPs to take care of other tasks. Driving for the lowest cost is not the objective.

From an MSP’s perspective, strong focus needs to be put on security architecture, network hardening, monitoring, detection and response. We would also suggest third party risk management and a robust supply chain security programme.

How businesses can ﬁght back When analysing the security of your supply chain, you must ensure you fully understand what you’re asking your supplier to provide you with:

What is the level of security and protection you need?
How much data and what sort of information will they be protecting?
Have they got customer references that demonstrate how they’ve managed and responded to previous security incidents
Can they quantify the value of what you’re giving them access to?
What is the potential damage that could be done if your supplier was compromised?
What other data could be unlocked through a back door in your network?

You must be willing to be totally transparent and clear on what you expect from an obligations perspective, and not simply at the beginning of the relationships, but throughout the term of the contract. Always ensure you have milestones and check points to ensure your suppliers are reporting back to you on how they are protecting your data. Don’t be distracted by the size of the supplier contact - the most damage is done where information is the currency - make sure you’re considering the £50 Drop Box subscription account that your CEO is using more so than the £1m printer maintenance contract.

Just as information is currency for those trying to gain access into your MSP networks, the same can be said for organisations when it comes to selecting suppliers who you feel will be best placed to protect your data and sensitive materials. Whilst attackers have skill, persistence, evolving tools and infrastructure - more often than not it is older techniques such Office documents with macros and SQL injection attacks by which organisations can be compromised.

There is nothing about the techniques themselves that should make this hard to detect or mitigate. The lessons learned from these incidents should be used as an opportunity for security improvements for both MSPs and their customers. By being aware and tackling the vulnerabilities, organisations should see the supply chain continue to operate as the high performance network your business needs to survive and compete.