Hackers targeted the low-hanging fruit, launched an unsophisticated attack, and carried out a massive breach. Ten years later, unfortunately, the same attack pattern continues to be successful. Are we yet to learn?
Businesses of all types and sizes deal with third parties – vendors, contractors, partners, and the like for various reasons. While outsourcing IT services is a predominant activity, many organizations deal with third parties as part of their supply chain. These third parties are often provided administrative access to the internal IT infrastructure to carry out tasks.
Even if organizations follow all security best practices, they might still be vulnerable to attacks if third parties follow lax security measures at their end. Targeting the weaker links in the supply chain makes it incredibly easy for hackers to gain access to a larger organization ultimately.
Third parties with weak network security cause the bleeding of critical passwords and other business information. Breaches due to third parties can greatly impact big corporations, educational institutions, hospitals, and government organizations.
The data breach faced by Target in 2013 is a classic example showcasing how third party vendors can be the weakest links in your organization's security chain. However, even ten long years after the Target breach, supply chain attacks of similar patterns are repeatedly happening across the globe.
Target data breach: A quick recap
The Target data breach in 2013 was one of the first well-known data breaches to make headlines across the globe. The hackers used a spear phishing attack against Target's third-party HVAC (Heating, Ventilation, and Air Conditioning) vendor, and from there, they moved upstream and gained access to Target's internal IT systems.
An unsuspecting employee of the HVAC vendor opened a malicious email attachment, and malware gained a foothold on his machine. The malware kept harvesting credentials quite for some time and got into Target's supplier portal. They then exploited a known vulnerability in billing software, gained access to the Active Directory credentials, moved laterally, and exfiltrated data.
About 40 million credit and debit card accounts and the personal data of about 70 million Target consumers were compromised over two weeks beginning in November 2013.
How did Target fall short despite having cutting-edge software with a 24/7 continuous monitoring setup?
An employee of the HVAC vendor opened an email attachment that the cybercriminals sent him after falling for a phishing scam. A malicious software program that infected the organization's machines had its roots in the mail attachment.
As the company lacked an extensive security infrastructure like Target, the malware remained undetected on their network for a long time. The hackers gained access to Target's internal systems through the login credentials of the HVAC vendor.
A few security errors, inadequate access controls for third-party partners, and the lack of proactive risk monitoring related to the supply chain allegedly led to the attack.
This attack remains one of the most significant data breaches ever. It created ripples in the IT security arena and became a case study for security researchers. Combating attacks happening through the supply chain was a hot topic at conferences. Yes, ten years later, we are still witnessing similar types of attacks happening across the globe.
2013-2023: – A Decade of supply chain attacks
Even after past breaches teach us about weak basic security controls (especially with respect to handling third-party access and supply chain), it continues to be a chink in the armor for most organizations. According to a recent study by the Ponemon Institute and Mastercard's RiskRecon, around 59% of respondents confirmed that their companies had had a data breach led by one of their third parties.
Here are a few recent data breaches emphasizing the need for third-party security.
A recent breach suffered by Uber stands out as an example of supply chain attacks on third parties, which are growing more prevalent. A hacker reportedly gained access to the backup server hosted on AWS by an asset management vendor of Uber. The backup server stored code and data files of many of the vendor's customers, including Uber. The hack downstream on the supply chain led to the leak of critical information upstream from Uber's database, including details of over 77,000 employees.
Software products creator SolarWinds faced a massive breach in 2020.
SolarWinds's IT performance monitoring tool Orion is used by more than 30,000 public and private organizations, including local, state, and federal agencies, to manage their IT resources. As an IT monitoring solution, SolarWinds Orion had access to IT systems to collect log and audit system performance data.
The hackers only needed to upload malicious code into the Orion software that SolarWinds released as an update or patch. Any system that came into contact with the infected software would become compromised or lose critical data.
Threat actors used the Orion software as a weapon to obtain access to numerous government networks and thousands of private systems all across the globe, making this supply chain attack a worldwide breach.
Kesaya, one of the most popular solutions used by MSPs worldwide, faced a similar attack in 2021. The attackers exploited Kaseya VSA software to release a fake update that propagated malware through Kaseya's MSP clients to their downstream companies.
WannaCry attack of 2017 exploited the Windows Server Message Block to proliferate ransomware affecting hundreds of computers worldwide.
In 2018, British Airways suffered a supply chain attack leading to a significant breach in its payment section of the website.
It is evident that a vulnerability somewhere downstream in the supply chain could lead to a high-profile attack all the way upstream. What are the lessons we should have learned? Let's analyze.
Importance of fundamental security controls
Some organizations rely extensively on advanced technologies to safeguard their internal systems but forget the basics of password management. Cybercriminals can easily exploit systems if basic security measures are not implemented.
Password security best practices, timely patching of systems and applications, enforcing MFA at all stages, analyzing access logs, and IT access controls (for internal and external users) are among the fundamental security practices.
Strict internal access controls
Failing to enforce internal access control causes major security risks, such as exposure of sensitive data, unrestricted privileges, and more.
Access controls prevent unauthorized access to data and data handling systems. Only when there is an access control policy can you easily control where, when, and who can access your confidential data.
Ensuring granular, least privileged access to third parties
Access privileges granted to third parties might make your organization vulnerable to breaches. Granting VPN access often proves to be risky. The credentials your contractors use to connect to your environment may be weak, login access could be shared amongst your vendor's employees, and passwords may have been reused. Every enterprise must have a complete understanding and visibility into the cybersecurity posture of each of its vendors.
Let your contractors only access what's needed and nothing more. Avoid giving permanent and unrestricted access to your vendors. The goal is to minimize your exposure.
Make sure your vendors access your internal systems only through a just-in-time access model and are granted permissions only after certain prerequisites are met. Some of those include adhering to vendor privileged access management/third-party risk management regulations such as FED SR 13-19 Guidance on Managing Outsourcing Risk, General Data Protection Regulation (GDPR), System and Organization Controls (SOC), ISO/IEC 27001, etc. Based on your industry and the type of data you handle, ensure your vendors comply with relevant data privacy regulations.
Continuous Monitoring
The third-party cyber risk grows as the number of vendors your organization works with increases. There are higher chances of malicious activities going unnoticed if there are no monitoring mechanisms to keep track of all your suppliers' activities.
Continuously monitor your vendor ecosystem for any risks or violations; it effectively reduces the threat posed by your third parties. You should have records of when they access your systems and what actions they carry out.
Measures to safeguard your organization from outsourced businesses
- Password management best practices should be strictly followed. Using strong and unique passwords, periodic password rotation, checking password reuse practices downstream, eliminating the practice of hardcoding of credentials on scripts and configuration files, and monitoring the dark web against the use of compromised credentials are among the few password-security best practices that shouldn't be ignored.
- Maintain an up-to-date inventory of resources/assets used by third-party technicians.
- Allow users to launch connections and access resources without revealing underlying passwords.
- Use a highly secure mechanism to enable remote access to your service providers.
- Giving your third parties unrestricted access could raise several security issues. Impose strict least-privileged access and grant permissions based on users' roles and responsibilities so they only have the exact privileges to fulfill their tasks.
- Standing privileges give your users limitless access to resources. If a user account with standing privileges is hacked, the cybercriminal would have complete access to all IT systems the account had access to at any time.
- Enforcing Just-in-Time (JIT) access enables administrators to grant third-party users time-limited access to the required resources, which can be revoked after usage.
- Record and continuously monitor all the activities carried out by your third-party partners and terminate access immediately on detecting suspicious activity.
- Perform regular reviews and audits of your third-party vendors; maintain a detailed document answering 'who' had access to 'what' and 'when.' Use these reports to examine how your vendors handle sensitive data and critical systems.
- Establish defined cybersecurity guidelines for your staff who work with third-party vendors. Create an internal policy specifying the roles and duties of each party and the expected course of action upon violating these guidelines.
Supply chain attacks have emerged as a big threat to IT organizations - big and small. You can select from a wide range of cybersecurity solutions available in the market. Let's see how Securden's suite of solutions helps in combating supply chain attacks.
How does Securden help?
A range of privileged access security solutions from Securden help organizations enforce key security best practices. Securden Unified PAM helps establish a completely controlled, constantly monitored, least privileged, and zero-trust-based access across your enterprise.
With Securden Unified PAM in place, you can significantly prevent the risks associated with the supply chain, and effectively streamline vendor privileged access management.
Instead of giving permanent access to your third-party vendors, you can provide them with granular, temporary, just-in-time access to your internal systems, that too eliminating the need for VPN access. It allows third-party users to launch remote connections in just a single click without getting any access to the underlying credentials.
You can randomize the passwords after each session launched by third parties, ensuring that even if the credentials are stolen, they cannot attempt to reuse them. Also, it helps in securing passwords with best password management practices.