Zero trust, basic cyber hygiene best defence against third-party attacks
Adopting a zero trust security strategy can better safeguard organisations against third-party attacks, where suppliers should not simply be entrusted to do the right thing. In this second piece of a two-part feature, ZDNet looks at how businesses in Asia-Pacific can establish basic cyber hygiene as well as better data management to combat attacks from across their supply chain.
There had been a spate of third-party cybersecurity attacks since the start of the year, with several businesses in Singapore and across Asia impacted by the rippling effects of such breaches.
Just last month, personal details of 30,000 individuals in Singapore might have been illegally accessed following a breach that targeted a third-party vendor of job-matching organisation, Employment and Employability Institute (e2i). Earlier this year, personal data of 580,000 Singapore Airlines (SIA) frequent flyers as well as 129,000 Singtel customers also were compromised through third-party security breaches.
He dismissed suggestions that supply chain attacks could be mitigated through a network of trusted suppliers. Noting that few of them imposed strict access, Beloussov said every supplier had employees and it took just one “untrusted” source to breach a network.
Humans made mistakes and this had always been the primary challenge, he said, noting that employees would forget to follow procedures or circumvented these to make their job easier.
“Zero trust isn’t just about not trusting [anyone], it’s about personal [cyber] hygiene,” said Beloussov, who likened it to not sharing toothbrushes even with one’s spouse. “Unless you have some proper measures [in place], you’ll be more often sick if you shared toothbrush.”
Security policies also should be implemented, and adhered to, with regards to how supply chains were protected, he said. Regular checks as well as vulnerability assessment and penetration testing should be carried out, he noted, stressing the need to monitor and control all suppliers.
Acronis’ chief information security officer (CISO) Kevin Reed said organisations needed to know who and what were accessing their data. This meant they would have to consistently assess their partners’ trust level, and not just at the start of their business relationship when a new contract was inked, he said.
“Three months after [the beginning of the partnership], they might suffer an attack and their trust level would decrease, but if you only evaluated at the start, you would not be able to catch this,” Reed said. “With zero trust, you need to re-evaluate all the time and preferably in real-time. This should apply to anything that touches your data.”
Check Point’s research head Lotem Finkelstein added that security should always be a criterion against which products and suppliers were evaluated.
Questions should be asked about security measures they had put in place and whether connections with these suppliers were secured, to limit the risks of engaging with them, Finkelstein said.
Reed noted that prevention would play a key role. With the majority of security attacks today opportunistic, he said this meant that organisations would be able to thwart most attempts if they adopted preventive measures to decrease their probability of getting breached.
“You’re not hacked because someone wants to hack you; you’re hacked because it was easy,” he added. “So if you have some level of hygiene, you raise the bar for attackers and it’s more expensive for them to hack you than another company.”
Adopt best practices, replace old technology
Businesses also could mitigate their risk by adopting better data management.
CyberGRX’s CISO Dave Stapleton pointed to the attack on SITA, which impact on some airlines might be comparatively small due to the types of data shared. This could indicate good data protection practices such as data segmentation and categorisation, where not every piece of information was stored on one database and access to data was given only to facilitate specific functions.
Stapleton also recommended adopting the zero trust approach as well as minimising the data organisations collected. “The data can’t be breached if you don’t have it, so don’t have it if you don’t need it,” he said, adding that there also should be transparency so customers knew exactly who would have access to their data.
He also stressed the need for clear expectations about breach notifications, which he said should be included in any contract with organisations that stored or exchanged data.
“Security needs to be baked in, rather than bolted on, and we’re not there yet as a society,” he said. “I fear we’re getting outpaced and we don’t have sophisticated defence to counter sophisticated attacks.”
Above all, there was need to instil basic cyber hygiene, said Benjamin Ang, senior fellow of cyber homeland defence and deputy head of Centre of Excellence for National Security (CENS). Established in April 2006, CENS is a research unit of the Nanyang Technological University’s S. Rajaratnam School of International Studies and consists of local and overseas analysts specialising in national and homeland security issues.
Ang suggested that there should be fundamental checks businesses were required to implement to be given, for instance, cyber insurance coverage. This would be similar to how fire insurance required owners not store flammable materials in their property, he said.
“There are good practices out there, we just need to implement them,” he noted. “And it really is about people, process, and technology. I’ve seen how even the best process and technology can be easily undone by people. People have to step up. “
For one, Stapleton urged software vendors to take more care in managing patches, which should be tested before they were issued.
“If you release a patch for your product that doesn’t do what you purport it to do, that’s on you. It’s a disservice to your customers and that’s a problem,” he said. “Bigger enterprises also should test all patches before pushing them to production, which will ensure they don’t break other systems and validate the effectiveness of the patch”
In cases such as Accellion, which involved a 20-year-old product and ineffective patches, he said both the vendor and bigger enterprise customers then should share the blame.
He also would not expect large enterprises with deeper resources to use decades-old technology, especially if its manufacturer had made clear was reaching end-of-life.
The onus then was on the organisation to figure out a migration plan, he said. Doing so would be much cheaper than the potential cost of having to pay ransomware should the software vulnerabilities result in a breach, he added.
Beloussov put it simply: “Nothing that is old is safe. Something that was built 20 years ago can be penetrated. You have to constantly check and update the system. It’s like being in the military…[where] in a war, if you have the latest [weapon], [the opponent] would have the latest anti-radar system [to detect it], so you have to constantly upgrade your product.”
Reed added that the security industry had progressed over time. With modern programming compilers and frameworks, software these days were more secured with protection already built-in by design.
However, Ang noted that businesses sometimes chose to retain older software so existing production would not be disrupted. He said he still retained a copy of Windows XP because he needed to access a handful of older applications that could only run on the aged Microsoft operating system.
Organisations in older industries, such as the energy sector, typically operated industrial control systems that were more than 20 years old and upgrading these could mean taking down power systems, he said. So they would end up retaining these old equipment, he added.
Teo Yi Ling, senior fellow at CENS, noted that there also was corporate inertia or an issue of cost that held organisations back from replacing ageing software.
Larger organisations such as Singtel also could have more red tape and, hence, employees might have less flexibility in their ability to make changes, Teo said.
However, Ang noted, a lot more could be done to enable organisations to detect abnormalities or unusual activities within their network so these could be promptly resolved. Alerts should trigger and companies should have a means to isolate or shut down the system to contain the breach, he said.
He added that if attackers could not be blocked from breaching the network, there should at least be processes in place to detect and mitigate its impact.
“Ultimately, the safety net is being able to detect and mitigate. Legislations are great to require [organisations] to have more checks done across their supply chain, but laws have limits,” he said.
Ang explained that software and IT environments were complex, with some individuals using some 20 different applications that they could not access on the corporate network, but had running on their work laptops.
In such cases, enterprises must have the ability to assess these applications and ascertain who should have the authority to do so, he said.
Teo further expressed frustration that, despite frequent warning and an increase in public awareness, there still were people who would not change the default password on their connected devices.
“Every time there’s a breach, we’re told we need to be vigilant, but why are we not getting better at this?” she said. “We need to stop thinking [about security] in a linear way as supply chains are [complex]. All the different players, stakeholders, and companies contribute to each node that’s connected to the supply chain and entire ecosystem. Organisations need to understand how to defend it on a granular level, determine what security-by-design looks like, and build it in.”
Stapleton also expressed concern that security breaches had become so commonplace that individuals were becoming desensitised and no longer cared about the need to safeguard their data.
It was also worrying that business leaders were not prioritising security at the same rate as their adversaries, he noted. He added that CISCOs needed to claim seats on the same table that carried out executive decisions, including budgeting and strategic moves.