July 25 · 6 min read
Hackers targeted the low-hanging fruit, launched an unsophisticated attack, and carried out a massive breach. Ten years later, unfortunately, the same attack pattern continues to be successful. Are we yet to learn?
Businesses of all types and sizes deal with third parties – vendors, contractors, partners, and the like for various reasons. While outsourcing IT services is a predominant activity, many organizations deal with third parties as part of their supply chain. These third parties are often provided administrative access to the internal IT infrastructure to carry out tasks.
Even if organizations follow all security best practices, they might still be vulnerable to attacks if third parties follow lax security measures at their end. Targeting the weaker links in the supply chain makes it incredibly easy for hackers to gain access to a larger organization ultimately.
Third parties with weak network security cause the bleeding of critical passwords and other business information. Breaches due to third parties can greatly impact big corporations, educational institutions, hospitals, and government organizations.
The data breach faced by Target in 2013 is a classic example showcasing how third party vendors can be the weakest links in your organization's security chain. However, even ten long years after the Target breach, supply chain attacks of similar patterns are repeatedly happening across the globe.
The Target data breach in 2013 was one of the first well-known data breaches to make headlines across the globe. The hackers used a spear phishing attack against Target's third-party HVAC (Heating, Ventilation, and Air Conditioning) vendor, and from there, they moved upstream and gained access to Target's internal IT systems.
An unsuspecting employee of the HVAC vendor opened a malicious email attachment, and malware gained a foothold on his machine. The malware kept harvesting credentials quite for some time and got into Target's supplier portal. They then exploited a known vulnerability in billing software, gained access to the Active Directory credentials, moved laterally, and exfiltrated data.
About 40 million credit and debit card accounts and the personal data of about 70 million Target consumers were compromised over two weeks beginning in November 2013.
An employee of the HVAC vendor opened an email attachment that the cybercriminals sent him after falling for a phishing scam. A malicious software program that infected the organization's machines had its roots in the mail attachment.
As the company lacked an extensive security infrastructure like Target, the malware remained undetected on their network for a long time. The hackers gained access to Target's internal systems through the login credentials of the HVAC vendor.
A few security errors, inadequate access controls for third-party partners, and the lack of proactive risk monitoring related to the supply chain allegedly led to the attack.
This attack remains one of the most significant data breaches ever. It created ripples in the IT security arena and became a case study for security researchers. Combating attacks happening through the supply chain was a hot topic at conferences. Yes, ten years later, we are still witnessing similar types of attacks happening across the globe.
Even after past breaches teach us about weak basic security controls (especially with respect to handling third-party access and supply chain), it continues to be a chink in the armor for most organizations. According to a recent study by the Ponemon Institute and Mastercard's RiskRecon, around 59% of respondents confirmed that their companies had had a data breach led by one of their third parties.
Here are a few recent data breaches emphasizing the need for third-party security.
A recent breach suffered by Uber stands out as an example of supply chain attacks on third parties, which are growing more prevalent. A hacker reportedly gained access to the backup server hosted on AWS by an asset management vendor of Uber. The backup server stored code and data files of many of the vendor's customers, including Uber. The hack downstream on the supply chain led to the leak of critical information upstream from Uber's database, including details of over 77,000 employees.
Software products creator SolarWinds faced a massive breach in 2020.
SolarWinds's IT performance monitoring tool Orion is used by more than 30,000 public and private organizations, including local, state, and federal agencies, to manage their IT resources. As an IT monitoring solution, SolarWinds Orion had access to IT systems to collect log and audit system performance data.
The hackers only needed to upload malicious code into the Orion software that SolarWinds released as an update or patch. Any system that came into contact with the infected software would become compromised or lose critical data.
Threat actors used the Orion software as a weapon to obtain access to numerous government networks and thousands of private systems all across the globe, making this supply chain attack a worldwide breach.
Kesaya, one of the most popular solutions used by MSPs worldwide, faced a similar attack in 2021. The attackers exploited Kaseya VSA software to release a fake update that propagated malware through Kaseya's MSP clients to their downstream companies.
WannaCry attack of 2017 exploited the Windows Server Message Block to proliferate ransomware affecting hundreds of computers worldwide.
In 2018, British Airways suffered a supply chain attack leading to a significant breach in its payment section of the website.
It is evident that a vulnerability somewhere downstream in the supply chain could lead to a high-profile attack all the way upstream. What are the lessons we should have learned? Let's analyze.
Importance of fundamental security controls
Some organizations rely extensively on advanced technologies to safeguard their internal systems but forget the basics of password management. Cybercriminals can easily exploit systems if basic security measures are not implemented.
Password security best practices, timely patching of systems and applications, enforcing MFA at all stages, analyzing access logs, and IT access controls (for internal and external users) are among the fundamental security practices.
Strict internal access controls
Failing to enforce internal access control causes major security risks, such as exposure of sensitive data, unrestricted privileges, and more.
Access controls prevent unauthorized access to data and data handling systems. Only when there is an access control policy can you easily control where, when, and who can access your confidential data.
Ensuring granular, least privileged access to third parties
Access privileges granted to third parties might make your organization vulnerable to breaches. Granting VPN access often proves to be risky. The credentials your contractors use to connect to your environment may be weak, login access could be shared amongst your vendor's employees, and passwords may have been reused. Every enterprise must have a complete understanding and visibility into the cybersecurity posture of each of its vendors.
Let your contractors only access what's needed and nothing more. Avoid giving permanent and unrestricted access to your vendors. The goal is to minimize your exposure.
Make sure your vendors access your internal systems only through a just-in-time access model and are granted permissions only after certain prerequisites are met. Some of those include adhering to vendor privileged access management/third-party risk management regulations such as FED SR 13-19 Guidance on Managing Outsourcing Risk, General Data Protection Regulation (GDPR), System and Organization Controls (SOC), ISO/IEC 27001, etc. Based on your industry and the type of data you handle, ensure your vendors comply with relevant data privacy regulations.
The third-party cyber risk grows as the number of vendors your organization works with increases. There are higher chances of malicious activities going unnoticed if there are no monitoring mechanisms to keep track of all your suppliers' activities.
Continuously monitor your vendor ecosystem for any risks or violations; it effectively reduces the threat posed by your third parties. You should have records of when they access your systems and what actions they carry out.
Supply chain attacks have emerged as a big threat to IT organizations - big and small. You can select from a wide range of cybersecurity solutions available in the market. Let's see how Securden's suite of solutions helps in combating supply chain attacks.
A range of privileged access security solutions from Securden help organizations enforce key security best practices. Securden Unified PAM helps establish a completely controlled, constantly monitored, least privileged, and zero-trust-based access across your enterprise.
With Securden Unified PAM in place, you can significantly prevent the risks associated with the supply chain, and effectively streamline vendor privileged access management.
Instead of giving permanent access to your third-party vendors, you can provide them with granular, temporary, just-in-time access to your internal systems, that too eliminating the need for VPN access. It allows third-party users to launch remote connections in just a single click without getting any access to the underlying credentials.
You can randomize the passwords after each session launched by third parties, ensuring that even if the credentials are stolen, they cannot attempt to reuse them. Also, it helps in securing passwords with best password management practices.
Mother of all breaches – Reinforces the need for enhanced password security
Yes, you read it right. 26 billion records have been leaked online. Researchers from Security Discovery...
Feb 7 · 4 min read
Local admin rights for Developers – Balancing the scales between basic necessity and security risk
Local admin rights for Developers – Balancing the scales between basic necessity and security risk...
Jan 25 · 5 min read
Privileged Access Management Best Practices for Unparalleled Security
Privileged accounts are the keys to your kingdom. Protecting and managing access to these sensitive...
Dec 21 · 5 min read
Endpoint Privilege Management: Filling the gaps in Intune (Part 2)
Intune EPM (Now Microsoft Entra) helps organizations manage admin rights in a very basic manner ...
Oct 10 · 3 min read
Endpoint Privilege Management: The local admin rights dilemma (Part 1)
The debate over giving unrestricted admin rights is a constant struggle between IT staff and ...
Oct 6 · 4 min read
2013 Target Data Breach: 10 Years On, but the Same Threat Pattern Looms Large!
Hackers targeted the low-hanging fruit, launched an unsophisticated attack, and carried out a...
July 25 · 6 min read
Password management best practices: Practice or Pay!
Passwords leaked from data breaches in the past continue to cause ripples in 2023, even amidst...
May 26 · 5 min read
Identity thefts and data breaches - The aftermath of privileged access mismanagement
Cybersecurity is a growing concern for businesses of all sizes, as advanced hackers and cybercriminals...
Dec 27 · 4 min read
Spate of cyberattacks rock the land down under
Lack of API security, exposed credentials, and misuse of privileged access continue to cause harm...
Nov 25 · 4 min read
Make this Thanksgiving a memorable one. Treat yourself to a surprise!
We're planning to make this year's Thanksgiving extra special.
Nov 21 · 2 min read
The Spooky Season is here early! Recent data breaches re-emphasize the significance of password security
As Halloween is dedicated to remembering the martyred, organizations falling victim to data breaches remind us...
Oct 20 · 4 min read
We're at GITEX, Dubai. Come, meet us!
Are you planning to participate in GITEX, Dubai? If yes, this is a great opportunity to meet our product experts and get a ...
Oct 10 · 2 min read
May God defend me from my friends
As stories of trusted insiders causing information security breaches continue to unfold, it’s time organizations woke up to...
Dec 21 · 4 min read
Ransomware attack on Colonial Pipeline: Executing cyberattacks, now a child's play!
With the easy availability billions of compromised credentials on the dark web, and the practice of password reuse rampant, hackers...
jun 7 · 5 min read
Eliminating Admin Rights and Controlling Applications (Part 3)
One of the most effective approaches to reducing risks is eliminating the local admin accounts altogether and...
May 17 · 4 min read
Looking for a Passwordstate alternative?
Passwordstate, an enterprise password manager developed by Click Studios, suffered a supply chain attack between...
Apr 30 · 3 min read
Local Admin Accounts Management: Microsoft LAPS Vs. PAM (Part-2)
In the previous post, we dealt with the importance of local admin accounts, the associated security risks, and...
Apr 06 · 3 min read
Top 10 password policy recommendations for sysadmins in 2021
Passwords are omnipresent in our personal and business digital environments. An average person has at least...
Jun 12 · 8 min read
Local Admin Accounts - Security Risks and Best Practices (Part 1)
We are all too familiar with the local administrator account that gets created automatically when installing a Windows...
Mar 19 · 4 min read
Poor password security practices cause massive security breaches
Weak passwords, password reuse, password sharing, hard-coded credentials, lax measures to storing credentials...
Mar 13 · 6 min read