Accellion Data Breach Highlights Third-Party Risk

Two mega-breaches caused by third parties earlier this year, following the SolarWinds supply chain hack, have created a growing tsunami of third-party risk for enterprises and government organizations. Security software provider Accellion also suffered a breach of its FTA tool, which exposed the data of many of its clients to hackers. A number of high-profile customers were affected, including the Jones Day law firm, Kroger stores and Shell Oil, along with other government and educational institutions. Given the software’s purpose – storing sensitive data for clients – these breaches are sure to cause lots of pain for the victimized companies, and it’s likely more victims will emerge as the investigation continues.

Following on the heels of these breaches, the French government discovered that hackers (likely the Russian Sandworm group) had been using the Centreon platform to breach numerous state and enterprise users for years – as far back as 2017. These brazen, large-scale attacks show that hacking groups have enthusiastically embraced the “hack one, breach many” strategy as a way to maximize the illicit returns on their efforts. The more sophisticated cybercrime organizations, usually nation-states or organized crime groups known as advanced persistent threats (APTs), have realized that going after technology companies can be a real force multiplier in terms of profits and propaganda. Rather than simple, shotgun-style phishing attacks blasted out to millions of companies in the hope of landing a big fish, these attackers are going after third-party vendors, who tend to aggregate access to many client organizations under one roof. By focusing on a single, complex hack, as the cybercriminals did in the aforementioned attacks, they can gain access to a wide variety of cross-industry targets. And since these vendors are often trusted suppliers, the intrusions are rarely discovered until it is too late.

And the complexity and sophistication of these third-party attacks are increasing at an exponential rate. Brad Smith, president of Microsoft, a company affected by the SolarWinds incident, was quoted as saying that there may have been as many as 1,000 developers working on the malware used in the attack. Given the type and scale of resources the APT hacking organizations are using for cybercrime projects, what can the average organization, many of whom do not even employ that many developers, do to defend against this new breed of third-party attacks? Even though it might seem impossible against these overwhelming odds, there are things that security teams can do to protect against these attacks and to lessen the impact, should a breach occur.

Don’t Use Old Software!

This should go without saying, but far too many organizations continue using dated or out-of-support software tools that often contain vulnerabilities. Hackers know this, and frequently scan for versions of software they know they can exploit. Listen to your vendor’s warnings and don’t put off patching. Have a good patch management program and stay on top of updates, especially critical security ones. And definitely don’t wait for a product to go out of support before you upgrade. I know it’s difficult and time-consuming to do these upgrades, but trust me, it’s not as painful as dealing with a breach.

Build a Robust Third-Party Risk Management (TPRM) Program

If you don’t already have a TPRM program, get one in place, now. If you do have one, improve it. Here are some ways you can start implementing a program, or refine your current one: 

  • Do better and more frequent vendor risk assessments before onboarding new vendors.
  • Implement more controls for risky and critical vendors. 
  • Multifactor authentication (MFA) should be a standard control.
  • Add credential vaulting and privileged access management for any use of privileged credentials by third-party vendors.
  • Institute closer reviews of key supply chain vendors.

Assume the Breach

Finally, given the resources of major hacking groups, it is only a matter of time before most organizations suffer some kind of breach. The question is, will it be a minor issue, or will it be a potentially company-ending event? As a final defense against the latter fate, companies should “assume the breach” and do regular explorations and threat hunting to find any signs of current or past exploitation. By doing this, you will protect your organization from the worst impacts of even the most powerful bad actors in the cybercrime world.

There is no doubt that third-party risk is becoming one of the most important contributors to cybersecurity breaches. Attackers are only going to increase their use of this vector to get access to as many companies as possible with each hack. Proper management of this risk is the only way to prevent your company from becoming the next cybersecurity breach statistic. 

Tony Howlett

Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.