Like everything in technology today, the activities of cybercriminals are constantly evolving, and your organization must keep pace to protect its data and its reputation. The question most clients start with is, “What are our peers doing?”
It’s a good question and the answer is simple: you and your peers are moving services and infrastructure to third-party cloud providers. It’s a critical relationship, so you've done due diligence research and assessments and reviewed their SOC reports. Still, do you know enough?
To answer it, you need to understand the latest business strategy of cybercriminal organizations, so let’s briefly review the Magecart case. Magecart is the name given to a family of cybercriminal groups that inject card-skimming code into e-commerce websites.
Formerly content to attack individual sites, these groups changed strategy in a way other threat actors have since pursued with great success. Why attack a single site when you can poison the code of a supplier and have that supplier distribute it to its customers? Magecart compromised a third-party vendor whose code ran on e-commerce sites and injected its skimmer into that vendor’s legitimate software. The skimmer then ran on Ticketmaster sites (reportedly eight of them), and Magecart skimmers also hit British Airways, among others.
Another example is NotPetya, the destructive malware disguised as ransomware that in 2017 reportedly hit some 2,000 users in Russia, Ukraine, Poland, France, Italy, the UK, Germany and the US. The initial infection came through a poisoned update for a popular accounting package (M.E.Doc, widely used in Ukraine). When organizations applied the update, a routine exercise, they unknowingly installed the malware.
We call both of these examples of “reverse concentration risk”: concentration risk seen from the attacker’s side, where one compromised provider yields many victims. It relates directly to the risk organizations face as more and more services move to the cloud and consolidate among a few specialized service providers.
It’s no wonder cybercriminals are focusing their efforts on cloud service providers and software developers. For this reason, it is crucial to perform due-diligence research on these critical vendors and to require verifiably strong control environments, by contract wherever possible.
Let’s look at the information you need to know when assessing the cybersecurity resilience of your third-party cloud services providers.
Software Development Lifecycle (SDLC)
How much do you know about your vendor’s SDLC controls? Here are some key questions to ask:
- Are the developers trained in secure coding practices?
- How are test and development networks segregated?
- What segregation-of-duties controls are in place between development and test environments?
- Where is source code stored and what extra protections are applied?
- What security testing is performed at each development stage, and against the final versions?
- What is the remediation practice to mitigate findings from testing engagements?
- What detective controls are in place, such as activity and access reviews?
Backup and Replication
Given the success of ransomware variants that locate and encrypt backup storage, you need to know that backup and replication functions are specifically engineered to prevent and detect malware compromise of data at rest. Some questions to consider:
- What “air-gap” controls (offline or immutable copies) are applied to replicated data stores?
- How often are backups and replicated virtual environments tested for integrity?
- How often are these environments security tested?
- What are the detective controls applied to these stores and environments?
Multifactor Authentication (MFA)
Unfortunately, there are still many examples of single-factor remote access. From Office 365 to critical banking systems, we are still writing frequent findings in this control area. It’s worth noting that there is some confusion over what constitutes MFA. True MFA consists of multiple active challenges to the user attempting access. Installed certificates and IP restrictions are good controls, but they are not examples of MFA; they are addressed below. MFA draws on:
- Something you know.
- Something you have.
- Something you are.
In each of these three components of MFA, the “you” refers to a challenge to the active user, not a computer or user account.
Questions to ask include:
- Does your service provider allow single-factor remote access to its information systems and resources by its employees?
- Do employees at your service providers with administrator privilege use MFA for all access, and do they use separate accounts for daily activities that don’t require elevated privilege?
User-based digital certificates installed on laptops and tablets are excellent layered authentication controls. The reason they are not considered MFA is that the certificate is bound to the device and the user account and, once installed, requires no action from the user beyond the first factor, something you know. If I have the device and the user’s logon credentials, I gain access, whether or not I am the authorized user.
Similarly, IP restriction is a good layered control. Again, there is no active challenge to the user, only a check that the connection originates from an approved IP address, such as the office range; anyone on that network, or anyone who has compromised a host on it, passes the check.
People
Be sure to find out about the people who work at your cloud service provider.
- What experience and expertise do they have?
- What certifications and qualifications do they hold?
- What is the workforce-to-customer ratio?
Redundancy & Resilience
Understand the controls they have in place for redundancy and resilience in their data centers.
- What is their replication and geo-location strategy?
- What does the infrastructure look like?
- What bandwidth and redundancy do their network links have?
- Are there backups?
- Are they using fourth-party sub-service providers? How much of the service do they outsource?
- Can you determine where every component of the service actually runs?
Assess the Risk
In all cases, the business strategy should be driving the selection of controls and cloud services providers. However, that strategy should incorporate cybersecurity risk considerations from the very beginning. We need to move from “bolted-on” to “baked-in.” This has never been a more important concept.
- You must read SOC reports, but don’t stop there.
- Review all independent security testing and audit reports, and always request the right to perform your own security testing.
- Read all of your cloud service provider’s policy and program documents.
- Take part in joint continuity and disaster-recovery testing. At a minimum, review their internal continuity-of-operations and disaster-recovery test reports.
- Test the incident response plan together. At a minimum, review their internal incident response plan test reports.
- Understand their incident response procedures. How do they notify you of incidents or newly discovered vulnerabilities, and within what timeframe?
- Speak with their other clients and customers.
With the shift in cybercriminal attack strategies, organizations must respond appropriately. Any environment can be reasonably secured to reduce cybersecurity risk to an acceptable level. Knowing the right questions to ask, and requiring the right answers, is a large part of the risk awareness that gives organizations the information they need to make sound risk-based decisions.