Security on the web is everyone’s responsibility
From the February 2018 print edition
Many years ago (information changed to protect the innocent) I was called in to support the security at a large organization’s supply chain operations. When I arrived, the manager of the ERP system—a friendly but panicked and clearly overworked individual—exclaimed that the production line where the most important widgets were assembled was down because the ERP system crashed and the team was unable to bring it back online.
That ERP system interfaced with numerous third-party suppliers and the entire production line was very reliant on JIT (Just In Time) processes. The trouble was that as soon as someone attempted to bring the system online, all computing resources would overload and the system unceremoniously came crashing down.
The company attempted the usual things, including vendor support, and even authorized emergency purchasing to increase computing resources to handle the unexpected load. To add insult to injury, this could not have happened at a worse time, as it was just before the high season for retail purchasing. It was estimated that this outage was costing the organization several million dollars per hour not to mention the possible impact to company brand and long-term revenue impact if consumers decided to purchase from competitors due to the lack of widgets on store shelves.
Teams of technology professionals were troubleshooting the issue, with great focus on the ERP system, the database, the network, the servers. Things were not going well, executives were furious and the technical people were working 24/7 and were burning out.
Our team took approximately four hours to review all the activities and information to-date, and another 30 minutes to realize that a third-party connection was making some bizarre calls to the system and crashing it. Once access to the ERP system was blocked for the offending third party, the system was running and normal operations were restored (with the exception of the third party that had to rely on manual processing until the issue was further investigated and corrected).
What does the incident above has to do with cyber security? Truth is, the incident was a well-orchestrated cyber-attack. That attack involved compromising a vendor with the intent of attacking the ultimate target, the supply chain for a well-known widget company. It was never clear who perpetrated the attack, however, they spent time infiltrating the partner, then analyzed the applications and specific connections they would make to the ERP system, discovering the application calls they needed to generate, using the partner’s systems to overwhelm the ERP system. It was estimated that the incident cost well over $200 million. The incident could have been avoided, with a little due-diligence, well-designed processes and some technology components. We estimated it would have cost about $100,000 to procure and maintain the security of the system annually.
This attack happened in early 2000s, which is important, because cyber attacks are not new nor are they frequently publicized. For every cyber attack we read about, there are hundreds that never make the headlines.
These days, cyber attacks are evolving and staying the same. We see attacks that have been around for decades and many cyber security professionals have stiff-necks from shaking their heads in disbelief.
For example, the Nigerian prince, ailing rich widow, or some mischievous political figure who all have a lot of money and are aching to share their untold fortunes with you, their trusted partner whom they have known for many a minute. These scams still manage to hook some people and get them to surrender their hard-earned money.
More complex and targeted attacks are also taking place. These attacks require intelligence gathering from the social web we all use and love. Information about anyone can be collected in seconds and data analytics allow criminals to create a comprehensive profile of anyone and determine their potential value.
Let’s assume Jane Doe has just been promoted to a CxO role. She posts something on LinkedIn, perhaps the press release. Perhaps she even posts something on Twitter or Facebook. Bad-Bob, a professional cyber-criminal, monitors new press releases and extracts the information about Jane publicly available on social websites as well as search engines. He quickly generates a profile and now needs only figure out how to make his approach. Perhaps he’ll send a connection request on LinkedIn, browsing Jane’s connection list and pretending to email her from a familiar email address. The attack doesn’t take place right away, but rather after a few exchanges have taken place.
Another popular example we see are breaches that result due to an email that arrives to the mailbox of an individual with decision-making responsibilities, such as purchasing or finance. The emails appear legitimate although they have been sent by malicious software that infected a legitimate contact’s computer and utilized the contacts list to send email replies to previously received legitimate email threads. These emails contain malicious attachments in the guise of an invoice, or some other document.
And these are just of the low-tech examples. Between system bugs (or vulnerabilities as the professionals refer to them) that allow attackers into an organization, to human-nature that aches to be helpful, the number of attack avenues is on the rise—and with it the promise of a rich payback.
Cyber-crime “dark web” marketplaces are growing, and the cost to purchase specialized attack tools is decreasing. The barriers to entry for an aspiring cybercriminal are non-existent, the possibility of prosecution is still extremely low and the rewards increasing. Couple this with society’s increased reliance on digital assets and services which include information (structured data) and documents (unstructured data) and we have a perfect recipe for cybercrime market that is growing exponentially. Organizations face some key cyber challenges:
• Non-targeted attacks: phishing; exploitation of vulnerabilities; and
• Targeted attacks: spear-phishing; targeted identification and exploitation of vulnerabilities; attacks via trusted thrid parties; internal attackers (e.g. mailroom employee who works for a competitor).
These are some of the most common, but a small subset of an ever-growing attack and risk portfolio cyber-criminals utilize. Many attacks result in the following major compromises:
• Credential theft;
• Exfiltration of valuable data; and
• Use of computing resources to attack other parties.
These are just some of the more common ones. Obviously, there are significantly more complex scenarios that include nation-state attacks, industrial espionage and political hacktivism to name a few. The most frequent question on this topic is always a variation of “how do we protect ourselves?” While the question is simple, the answer is not and depends on the context. However, in the context of supply chain and procurement, the following are some common tips we can offer:
• Stay informed: this means both awareness of evolving threats and intelligence gathering. Intelligence gathering in this context means establishing trusted peer groups where information can be shared to minimize risk. The bad guys are evolving their tactics and we should always learn about how this takes place. Some tactical actions can include:
• Fundamentals: focus on the basic actions we can take within our realm of responsibilities. As cyber professionals, we talk about the concept of the “human firewall,” meaning we’re all responsible for cyber security. Of course, how you impact the cyber posture of your organization varies by role. However, we can always influence decisions, in our actions (think before you click on a link or attachment) or how we influence others (how we incorporate cyber security controls in business decisions, for example project planning or process design) and how we educate others. Some key tips include:
• Preparedness: It’s not a matter of “if” but “when” an attack happens. Preparation could be the difference between a minor security incident and major breach that hits the news. This means organizations should:
Have an incident management plan and test the plan regularly. Who would you call when a breach happens?
Cyber security is not a technology problem and it is everyone’s responsibility. While there’s no one solution that will solve this evolving business challenge, managing risks associated with cyber security should be an ongoing process, a marathon rather than a sprint. The more cyber-savvy you are the less of a target you’ll be. Cyber criminals are lazy. In almost all instances, they seek low-hanging fruit. Don’t be that fruit. Instead, be an onion, with many layers. As the crooks try to peel the layers, make them cry.