Your device is at risk! Your network is at risk! It is all over the news and repeated every day, and researchers and security officers lament it constantly. The question is: what computer security risk does third-party software pose, and what is the way forward?
Security is most effective when practised proactively, not reactively. Take aviation security, for example.
Airports and airlines invest massively in preventing attackers from boarding aircraft, not because they lack measures on board to mitigate damage (they have them), but because once an armed assailant has boarded a plane the question is no longer whether damage can be avoided but how much of it will be caused.
Looking back, operating-system and software vendors were long targeted as the weakest link. Under market pressure and the demands of their customers, these software giants have worked on their security flaws and loose ends, listened to complaints, and introduced scheduled patch release cycles; their security posture has improved as a result.
Third-party software developers, on the other hand, often lack the budget and resources to implement thorough, well-documented quality development and patch release processes that adequately protect the enterprise. Exposure is therefore greater when third-party software runs on enterprise platforms.
It is common knowledge that many companies outsource some, if not all, of their critical IT to vendors. Although outsourcing to third parties increases operational efficiency, it also brings a world of risks that are rarely anticipated. Some of the threats posed by third-party vendors are described below so that users are aware of them.
1. Data breaches and ransomware
Even organizations regarded as having the most robust IT security are susceptible to data breaches on account of their third-party vendors.
Case: a local example
In January 2019 The Standard (Kenya) reported that a hacker had breached an inter-bank money transfer system and stolen Sh 6.9 million from a bank in the first week of January.
The hack triggered a massive cyber-crime investigation into the loss of billions of shillings by banks. Pesa Link, the hacked system, facilitates real-time inter-bank transactions; barely two months after its launch in 2017, two million customers had signed up.
The application lets a customer transfer money from their account to accounts held at other banks. It also allows customers to wire money to their mobile phones and to pay bills or purchase goods.
Papers filed by police in court to obtain warrants of arrest for 130 fugitives wanted by the Directorate of Criminal Investigations (DCI) detail how suspects hacked bank systems, moved cash into holding accounts and then withdrew it from multiple accounts.
Some of the withdrawals were done from Automated Teller Machines hundreds of kilometers from the affected banks, highlighting the wide reach of the racket.
Although the figures captured in papers filed in courts in Nairobi and Kiambu were modest, DCI boss George Kinoti said the money involved in the investigation runs into billions of shillings.
“They have stolen billions of shillings from innocent Kenyans. Financial institutions are suffering because of these suspects’ actions,” Mr Kinoti told The Standard.
Notably, several of 2018’s most significant and costly breaches, including those at Tesla, Equifax, Universal Music Group and Applebee’s, were attributed to vulnerabilities on the part of third-party vendors.
Over 100 banks worldwide were hit in a cyber-heist that Kaspersky Lab estimates could have netted as much as $900 million in stolen funds.
The massive theft was discovered in late 2013 when an ATM in Kiev started dispensing cash at apparently random intervals throughout the day, even though no one had touched the machine. Further investigation by Kaspersky showed that a cash machine spontaneously dropping piles of cash was the least of the bank’s problems: its internal computers had been compromised by malware.
That malware lurked on the back end of the bank’s computer systems for months, sending back video feeds and images that gave a gang of cyber-criminals a wealth of information about how the bank carried out its daily routines, according to the investigators.
And this was not an isolated incident, according to Kaspersky’s report (which The New York Times had an opportunity to preview). This international criminal syndicate – with members hailing from China, Russia, and Europe – was able to successfully impersonate bank officers at over 100 banks around the world. The group was able to do far more than just turn on various cash machines; they also managed to transfer millions of dollars from banks in Russia, Japan, Switzerland, the United States, and the Netherlands into dummy accounts set up in other countries.
Given the growing number of bad actors seeking to steal data, either directly from you or via your vendors, every organization needs complete visibility into all remote access into its systems. One important remedy is to limit the scope of a vendor’s access to outsourced systems and data to only what it needs to perform its duties: least-privilege access.
An even more concerning situation involves malware, in particular ransomware. It can lurk for weeks or months before encrypting data, can overwrite backups that are reachable from the infected systems (which is why backups must be kept offline or immutable), and leaves businesses in a vulnerable position: either pay the ransom or lose the data.
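The two remedies above, visibility into every remote access and a least-privilege scope per vendor, can be enforced mechanically. The following is an added example and not code from the original article: a vendor's scope (hosts, services, source networks, maintenance window) is written down once, and every remote-access log line is checked against it. The log line format, the vendor account name, the host names and the policy values are all assumptions made for the illustration.

```python
"""Least-privilege vendor access: check remote-access log lines against a
per-vendor scope and flag everything outside it.

Added example, not code from the original article. The log format, vendor
name, hosts and policy values are assumptions constructed for illustration."""

from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import re


@dataclass
class VendorScope:
    """What one vendor account is allowed to touch (least privilege)."""
    hosts: set            # hosts the vendor may connect to
    services: set         # e.g. {"ssh", "rdp", "https"}
    source_nets: list     # ip_network objects the vendor may connect from
    window: tuple         # (start, end) maintenance window; must not cross midnight


# Constructed policy: a backup vendor may reach only the backup servers over ssh,
# from its own office range, during the agreed maintenance window.
POLICY = {
    "acme-backup": VendorScope(
        hosts={"bkp01", "bkp02"},
        services={"ssh"},
        source_nets=[ip_network("203.0.113.0/24")],
        window=(time(1, 0), time(5, 0)),
    ),
}

# Assumed log format: "<ISO timestamp> vendor=<acct> src=<ip> dst=<host> svc=<service>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) svc=(?P<svc>\S+)$"
)


def check_access(line, policy=POLICY):
    """Return the list of violations for one log line (empty list means in scope)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    ts = datetime.fromisoformat(m["ts"])
    scope = policy.get(m["vendor"])
    if scope is None:
        return ["unknown vendor account"]
    violations = []
    if m["dst"] not in scope.hosts:
        violations.append(f"host {m['dst']} outside scope")
    if m["svc"] not in scope.services:
        violations.append(f"service {m['svc']} outside scope")
    if not any(ip_address(m["src"]) in net for net in scope.source_nets):
        violations.append(f"source {m['src']} outside allowed networks")
    start, end = scope.window
    if not (start <= ts.time() <= end):
        violations.append(f"access at {ts.time()} outside maintenance window")
    return violations


def audit(lines, policy=POLICY):
    """Run every line through check_access; return {line: violations} for flagged lines only."""
    flagged = {}
    for line in lines:
        violations = check_access(line, policy)
        if violations:
            flagged[line] = violations
    return flagged


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2024-03-02T02:15:00 vendor=acme-backup src=203.0.113.10 dst=bkp01 svc=ssh",
    "2024-03-02T02:20:00 vendor=acme-backup src=203.0.113.10 dst=db01 svc=ssh",
    "2024-03-02T14:05:00 vendor=acme-backup src=198.51.100.7 dst=bkp02 svc=rdp",
    "2024-03-02T03:00:00 vendor=unknown-vendor src=203.0.113.10 dst=bkp01 svc=ssh",
]

if __name__ == "__main__":
    for line, violations in audit(SAMPLE_LOG).items():
        print(line, "->", "; ".join(violations))
```

The first sample line is the only one inside the vendor's scope; the others are flagged for reaching a database host, for an unexpected service and source network outside the maintenance window, and for an account that has no policy at all. An account with no written scope is treated as a violation rather than allowed by default, which is the part of least privilege that is most often skipped.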
2. Non-compliance with regulations
Non-compliance with legal and industry regulations can occur when an outsourced provider has inadequate controls and, knowingly or accidentally, causes a customer to violate a regulation. The consequences of non-compliance for companies in high-stakes industries such as finance and healthcare can be especially harsh.
Under many tightening regimes, including HIPAA, GDPR and CCPA, organizations can be held liable for illegal or negligent actions taken by their vendors. Such findings can result in fines, penalties, and even revocation of a licence or charter.
3. Downtime and outages
Even if an attacker does not succeed in exfiltrating data from a target system, downtime and outages can result both from damage done during the attack and from the time needed to restore systems to a clean state. In the case of ransomware, the victim’s systems remain completely locked until the ransom is paid or recovery from backups (assuming they are not infected too) can take place. This is bad enough for enterprises in non-regulated industries, where outages cost revenue and customer loyalty, but it is even worse for those in highly regulated ones.
How to handle the challenges of using third-party software
When your organization adopts third-party software, all of that software’s vulnerabilities become part of the business’s risk. A flaw in the software can affect customer satisfaction, brand and business image, revenue, time to market and the competition for market leadership.
This link between software security and business risk underlines the importance of securing third-party software and of ensuring that it is developed with quality, safety and security in mind.
The following can be taken to mitigate the security risk and determine the integrity of the software:
- Weigh the business risk against the advantages of the third-party software option. Ask the right questions so that the decision stays within your business’s risk tolerance while meeting its requirements.
- Put policies in place that third-party software suppliers must conform to during development, so that your security and compliance requirements are met. Suppliers should use mature development practices and provide a track record showing that quality, safety and security requirements are satisfied.
- Evaluate the software in terms of your business, because software security risk bears directly on whether you achieve your business requirements.
- Are there any listed vulnerabilities in the third-party software or code?
- Can the third-party code be tested for security flaws in a test environment before going live?
- If you are compromised because of a third-party flaw, what is the worst outcome for your business?
- Once live, can the third-party component still be tested?
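Two of the questions above, whether there are listed vulnerabilities in a third-party component and how to determine the integrity of the software you were given, are routine checks that can be scripted. The following is an added example and not code from the original article: an inventory of deployed components is compared against an advisory list with affected version ranges, and a downloaded artifact is verified against the checksum the supplier published. The component names, versions, advisory identifiers and artifact bytes are constructed placeholders, not real products or CVEs.

```python
"""Two pre-go-live checks for third-party components:
(1) is the deployed version inside a known advisory's affected range, and
(2) does the downloaded artifact match the supplier's published SHA-256.

Added example, not code from the original article. Component names, versions,
advisory IDs and artifact bytes are constructed placeholders."""

import hashlib


def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings
    (as strings, '1.9.0' would sort after '1.10.0'). Assumes plain dotted integers."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, affected_range):
    """affected_range is (introduced, fixed): vulnerable if introduced <= version < fixed.
    fixed=None means no fixed release exists yet, so every later version is affected."""
    introduced, fixed = affected_range
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def check_inventory(inventory, advisories):
    """Return [(component, version, advisory_id)] for every deployed component whose
    version falls inside an advisory's affected range."""
    findings = []
    for component, version in inventory.items():
        for adv in advisories:
            if adv["component"] == component and is_affected(version, adv["affected"]):
                findings.append((component, version, adv["id"]))
    return findings


def verify_checksum(artifact_bytes, published_sha256):
    """True only if the artifact's SHA-256 equals the digest the supplier published.
    The published value must come from an out-of-band channel, not the same download."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return digest == published_sha256.strip().lower()


# Constructed inventory: what is deployed (component -> version).
INVENTORY = {"libfoo": "2.3.1", "barcms": "1.10.0", "bazlog": "4.0.2"}

# Constructed advisory list (IDs are placeholders, not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "component": "libfoo", "affected": ("2.0.0", "2.3.2")},
    {"id": "ADV-0002", "component": "barcms", "affected": ("1.9.0", "1.10.0")},
    {"id": "ADV-0003", "component": "bazlog", "affected": ("4.0.0", None)},
]

if __name__ == "__main__":
    for component, version, adv_id in check_inventory(INVENTORY, ADVISORIES):
        print(f"{component} {version} is affected by {adv_id}")
    artifact = b"constructed artifact bytes"  # stands in for a downloaded package
    published = hashlib.sha256(artifact).hexdigest()  # stands in for the vendor's page
    print("checksum ok:", verify_checksum(artifact, published))
```

With the constructed data, libfoo 2.3.1 and bazlog 4.0.2 are reported and barcms 1.10.0 is not, because 1.10.0 is the fixed release for its advisory. The version parser only understands plain dotted integers; real feeds also carry pre-release and vendor suffixes, which this check would have to be extended to handle before being trusted on a full inventory.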
In the fourth industrial revolution, with its rapid developments, many if not all organizations rely heavily on third-party software.
BYOD (Bring Your Own Device) and the mobile computing environment of modern business leave many organizations with little confidence in what is actually running on their endpoints, and many do not realise that third-party applications are making it increasingly difficult to put security policies in place and manage them effectively.