Cybercriminals learn quickly. In a couple of decades’ time, they’ve gone from pretending to be Nigerian princes to compromising the entire software supply chain, and every day brings news of a new attack technique or a clever variation on an old one.
Incidents like those that rattled SolarWinds and Kaseya and their downstream customers changed the game. By slipping malicious code into software used by thousands of businesses as an essential part of the supply chain, the cybercriminal fraternity managed to simultaneously infect a great many users at one time, a feat of remarkable efficiency.
One casualty of these supply chain attacks has been trust between businesses and their key vendors, suppliers, and even customers.
Partner organizations, after all, may be reluctant — if unlikely — to admit to cybersecurity weaknesses. And they may not even be aware that they have them. Howard Taylor, CISO of Radware, goes so far as to call it the “death of trust.”
“SolarWinds drove the death of trust, as thousands of the company’s customers were compromised by one cyberattack when updates to its Orion software were hijacked,” Taylor told eSecurity Planet. “People were shocked to discover that a long-trusted product had been compromised, creating vulnerabilities that bypassed thousands of its customers’ carefully built security.”
As a result, some are now taking extra precautions such as hiring specialized companies to conduct penetration testing audits on externally facing partner resources. The process may include an in-depth search for IP addresses and ports inside their networks that may be communicating with suspect hosts. In other cases, businesses may go as far as scanning the dark web looking for any leakage of sensitive information from partners.
See the Top Pentesting Tools
Some say there is nothing legally wrong with pentesting your business partners. But the mere presence of closet security testers secretly carrying out pentests on partner and customer internet-facing resources could have serious repercussions on relationships if discovered. Yet who can blame organizations for taking extra steps as they look for liabilities that might eventually compromise them? How can a partner truly say they are risk-free in this day and age?
“Testing entities run the pentests and present the results to service providers and businesses,” said Taylor. “As they are guilty until proven innocent, they must address all the findings, including a myriad of false positives, that result from conducting tests without the full context of the environment.”
Taylor terms this “shadow compliance.” And he says that it poses two significant risks — negative impact on company reputation and lost productivity. Company reputation is not only of interest to current and potential customers, but it’s also important to market analysts, lenders, and insurance companies.
“Poor cybersecurity reports can impact analyst recommendations and raise costs for loans and cyber insurance,” said Taylor. “Productivity is impacted when skilled IT and security staff must postpone planned tasks to swiftly respond to these reports.”
He suggested that businesses should take the advent of potential snooping and testing by their partners as a reason to redouble their own cybersecurity efforts. Continuous monitoring of their cybersecurity posture by an outside entity can lower risk in the long term. Taylor urges businesses to allocate budget to hire a technically competent partner to proactively provide results and assist with the remediation of issues before vendors, supply chain associates, and customers find out and report them to you.
Automated testing tools like breach and attack simulation (BAS) could help too.
“All organizations should know and understand their current physical and logical security, where the gaps are, where are areas for improvements, what new technologies, services, tools, process and people education are needed to improve,” said Greg Schulz, an analyst with StorageIO Group.
There is no advantage in publicizing the fact that you are doing your own pentesting, Schulz said, particularly what and how you’re testing, other than general assurances that you have taken steps to protect, preserve, secure, and ensure information services are served when, where and how needed. Schulz would prefer that companies secretly test and inspect the security of vendors, partners, and even large customers rather than going through the security motions for the sake of compliance.
Internal Threats Could Be Exposed
The practice of snooping on vendors, partners, and customers may bring about a side benefit, said Schulz: Better detection of insider threats. Yes, pentesting and other forms of surveillance can help spot external threats. But that is where the bulk of attention is spent in cybersecurity. Relatively little time is given to insider-originated attacks or data exfiltration attempts.
“While outward internet-facing IT resources, services, apps, and data get headline news coverage and bring awareness to security vulnerabilities, what’s commonplace yet off the media radar are threats that occur from within,” said Schulz. “Everyone – organizations, vendors, partners, solution providers, pundits, and the media – are tunnel vision-focused on only internet-facing attacks and attack surfaces. They may be missing, or vulnerable to, incidents that occur or originate from within.”
With organizations pentesting and checking up on each other, those extra eyes are more likely to expose the efforts of disgruntled employees, attempts at theft of intellectual property, theft of mailing lists, and other internally generated actions.
Potential Liabilities for Secret Pentesting
But a professional pentester had a different take. Steve Kerns, President of SKernal Security Consulting, has been pentesting for over 16 years. He said he had heard of the likes of Microsoft and Google quietly doing pentesting on each other.
“I would not be surprised if others were doing it,” he said. “But it could be dangerous to be pentesting other companies without their permission; you could be opening up your company to lawsuits.”
He always obtains permission before pentesting another company.
“I would suggest that companies ask partners and customers if they have had a pentest done on their internet-facing resources and what the results were, who did it (third party or internal) and when it was done,” said Kerns. “If they want to verify it, they should ask for permission first.”