The epic Target breach raised our awareness that third-party service providers are a significant cybersecurity risk. It showed us how a single employee at an HVAC vendor clicking a phishing link could result in 40 million credit / debit card numbers and 70 million customer and employee records being compromised.
Following this massive breach, the Federal Financial Institutions Examination Council (FFIEC) published Appendix J: Strengthening the Resilience of Outsourced Technology Services in the Business Continuity booklet of its Information Technology Examination Handbook. The FFIEC recognized that financial institutions were using third-party service providers (TSPs) more frequently, and that the industry was consolidating, so a smaller number of specialized TSPs were providing services to a larger number of financial institutions.
The result was increased concentration risk: this trend raised the potential impact of a widespread disaster, because a single TSP would have to support recovery services for a large number of financial institutions all at once. This lack of diversity in TSPs could slow down recovery times and reduce the resiliency of each institution.
Concentration risk is not only applicable to the financial sector though. It has become the norm for organizations in all industries – large and small – to rely on a multitude of TSPs to support core business functions. Cloud service providers are particularly popular because they provide a great deal of value to organizations that have limited resources, budgets, and / or expertise.
Cloud service providers present high concentration risk as well because they are an attractive attack vector for cybercriminals. Why? Because attackers can compromise once and, they hope, gain access to many. In effect, it is a simultaneous attack on the vendor and on all of its clients.
For example, we are seeing a lot of Office 365 mailbox compromises. Many stem from weak password choices, which make password spraying attacks very successful. Once an attacker compromises an account, they can start running all kinds of social engineering attacks against the organization to gain more access, send fraudulent wire-transfer requests, and leverage the email compromise to execute further attacks.
This streamlines their attack pattern. They don't need to go around enumerating vulnerabilities across the entire worldwide web. They know where this one weakness exists in a platform that many organizations use, so they can run the same attack repeatedly and keep succeeding.
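As an added illustration (not code from the original post), the following detection logic runs over constructed sign-in events: the log lines, the comma-separated field layout and the threshold values are assumptions, not Microsoft's actual sign-in schema. A spray is wide and shallow, one source hitting many accounts with one or two attempts each, which is what separates it from a single user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real data: 203.0.113.5 tries one password across
# many accounts (a spray); 198.51.100.7 is one user mistyping their password.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z,alice@example.com,203.0.113.5,failure
2024-01-10T08:00:03Z,bob@example.com,203.0.113.5,failure
2024-01-10T08:00:05Z,carol@example.com,203.0.113.5,failure
2024-01-10T08:00:07Z,dave@example.com,203.0.113.5,failure
2024-01-10T08:00:09Z,erin@example.com,203.0.113.5,failure
2024-01-10T08:00:11Z,frank@example.com,203.0.113.5,success
2024-01-10T08:05:00Z,alice@example.com,198.51.100.7,failure
2024-01-10T08:05:20Z,alice@example.com,198.51.100.7,failure
2024-01-10T08:05:40Z,alice@example.com,198.51.100.7,success
"""

def parse_events(text):
    """Parse 'timestamp,user,source_ip,result' lines (an assumed layout)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return events

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_fail_per_user=2):
    """Flag source IPs whose failures in one window are wide (many accounts)
    and shallow (few tries each); also list accounts that then succeeded."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):  # slide the window over each start event
            fails, successes = defaultdict(int), []
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["result"] == "failure":
                    fails[e["user"]] += 1
                else:
                    successes.append(e["user"])
            if len(fails) >= min_users and max(fails.values()) <= max_fail_per_user:
                findings[ip] = {"users": len(fails),
                                "compromised": sorted(set(successes))}
                break  # one finding per source IP is enough
    return findings
```

The "compromised" list is the alert that matters most: an account that accepted a password from a spraying source is the mailbox to lock and reset first.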
Concentration risk is especially high when you are using a limited number of cloud service providers for most of your services. You can think of it as a monoculture in agriculture. When you grow a monoculture – say one type of potato – one disease can take out the whole crop. That’s pretty risky.
The way to control monocultures – or reduce your concentration risk – is to put in layers of control. Diversify. Don’t put all your eggs in one basket. Be sure to understand the controls your cloud service providers have in place should the worst happen. Be sure you have a contingency plan in place for both protecting the data stored in the cloud as well as for retrieving your data stored in the cloud.
Reverse Concentration Risk
It's also important to be aware of reverse concentration risk. This is a newer concept because it reflects a new business model and strategy for cybercrime organizations. Reverse concentration risk is realized when a multi-client provider is compromised and all of its downstream client customers are affected, or when a software vendor's source code is compromised and then distributed in its compromised state to customers / clients. Targeting these types of vendors represents a clear strategic shift by cybercrime organizations, and it's very profitable.
Let’s take a look at three real world examples of reverse concentration risk.
NotPetya
In 2015 and 2016, a group of Russian agents known as Sandworm hacked into dozens of Ukrainian governmental organizations and companies. They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data. In the winters of both years, they caused widespread power outages – the first confirmed blackouts induced by hackers.
In the spring of 2017, these Russian military hackers hijacked a software company's update servers and planted a hidden back door in the code. That back-doored code was then pushed to thousands of PCs around the world when users updated their software. In June 2017, the saboteurs used the back door to release a piece of malware called NotPetya, their most vicious cyberweapon yet.
NotPetya used a two-pronged attack pattern. First, it took over unpatched servers using the EternalBlue exploit. Then it used Mimikatz – a tool that scrapes passwords and other credentials from memory – so it was able to spread to patched servers as well. While NotPetya resembled ransomware, its goal was purely destructive. It's been estimated that the attack cost companies more than $1.2 billion worldwide.
Wolverine Solutions Group
Wolverine Solutions Group is a healthcare billing services provider. It suffered a ransomware attack in which 600,000 Michigan residents had their information at least encrypted – and potentially breached. Impacted clients included Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, and North Ottawa Community Health.
The data that was encrypted – and potentially exfiltrated and exposed – included names, addresses, phone numbers, social security numbers, insurance, contact information, and medical information. Criminals were able to gain access to a great deal more data from multiple sources, just by infecting the service provider.
Magecart
Magecart is an e-commerce hacking organization. They are known for injecting skimmer code into e-commerce software on websites and stealing credit card numbers. Then they decided they could be much more efficient. Instead of compromising an individual website, they went after the source code of a third-party module vendor and poisoned its popular e-commerce software.
Organizations purchased and installed this poisoned product on their websites. Using this tactic, Magecart was able to compromise 800 sites with this one attack, including British Airways and Ticketmaster.
What can you do about reverse concentration risk?
- Know the software development life cycle inside any organization from which you're buying Software-as-a-Service.
- Be diligent in your vendor management and develop a robust program.
- Dig deep and ask probing questions of your cloud service providers.