Making The Case For Third-Party Risk Management; Is CISO Advice Being Followed?

A Roundup Of Recent InfoSec News With Takeaways For Every Enterprise



Jeff Orr
07/26/2019

Making The Case For Third-Party Risk Management

President and CEO of Task Force 7 Radio and Task Force 7 Technologies, George Rettas, flew solo on this week’s episode #93 of Task Force 7 Radio and recapped some of the big cyber news from around the world. Russia’s FSB intelligence agency was recently hacked, which demonstrates why organizations need to understand the security capabilities of their suppliers and contractors. George also discussed how cyberwarfare is changing the battlefield tools of nation states. In the closing segment, a survey of information security professionals found that the majority of respondents believe management is ignoring advice designed to help them stay safe from cyber attacks. Every enterprise will be able to find value in these news stories.

Russia’s FSB Got Hacked

According to a July 20 Forbes article by Zak Doffman entitled “Russia’s Secret Intelligence Agency Hacked: Largest Data Breach in its History”, a hacker group calling itself Ov1ru$ managed to steal 7.5 terabytes of data from Russia’s FSB intelligence agency. The FSB contractor, SyTech, worked on a range of live and exploratory internet projects. The stolen server data was passed to a larger hacking group that shared files with various media outlets. BBC Russia broke the news and described the breached project names and the SyTech project managers responsible for the programs, which included social media scraping of Facebook and LinkedIn, as well as de-anonymization of the Tor browser favored by those wanting to remain anonymous.

Forbes’s Doffman notes that the information gleaned from the hack itself is not necessarily earth-shattering. If you're someone who actually takes an interest in nation state activities in the cyber realm, especially from a national security perspective, this isn't going to come as a complete shock to you.


“But what is really interesting is the breach itself,” said Rettas. And that's what's really turning heads, “because someone was able to breach the FSB – one of the most secret organizations in the world – with presumably some of the most sophisticated, well-versed technologists in the world protecting their digital assets.”

The data breach also highlights the threats companies continue to face around third-party risk. Third-party risk is often described as one of the three leading material risks – along with insider threats and destructive malware – associated with any business entity. Large organizations, from Fortune 500 enterprises to governments, rely on contractors and third parties, which remain the weak link in the cyber security risk management chain.

Cyber Warfare: An Interchangeable Battlefield Tool

An additional Forbes article, warning that Iranian state hackers are targeting LinkedIn users with new malware, also caught the attention of Rettas. Forbes’s Doffman reports that cyber warfare is becoming “an interchangeable battlefield tool.” An attack in one domain can lead to retaliation in another domain. The catalyst has been the continuing escalation of tensions between the United States and its allies and Iran.

Doffman further states that Iran understands that retaliation against the U.S. military in the cyber domain might be akin to throwing rocks at a tank, but that it can hit a vast and under-protected U.S. corporate sector at will. Rettas disputed the assertion that the cyber security posture of the U.S. military is far superior to that of the private sector. While the maturity of critical infrastructure security varies from sector to sector, the efforts of each to bolster detection and augment response to new threats cannot be overstated.

[Editor Note: We think this military versus private sector analysis would make for a great future episode of Task Force 7 Radio. Drop us a comment and we’ll share your thoughts with show host George Rettas!]

U.S. cyber security firm FireEye has warned of a malicious phishing campaign that it has attributed to the Iranian-linked APT 34. The campaign has been targeting LinkedIn users with plausible but bogus invitations to join a professional network, delivered as email attachments laced with malware that seeks to infect systems with a hidden back door to steal data and credentials. While this isn’t new to cyber experts, it’s increasingly common on a vector other than email. This is one of the reasons, explains Rettas, that many companies don't let brick-and-mortar personnel, aside from corporate HR employees, access LinkedIn.

As part of a cyber hygiene review, Rettas recommends that organizations ask themselves:

  • Should employees have access to social media sites if it’s not imperative for their job?
  • Should employees have email privileges if non-essential for their duties?

Basic cyber hygiene needs to focus on eliminating risk for the organization, and there are too many examples of it being dismissed, said the Task Force 7 Radio host. He added, “It’s a matter of having that cultural shift in everybody’s mind where security is everyone’s responsibility.”

Is The C-Suite Listening To Its InfoSec Leaders?

We generally talk about the talent shortage that exists in cyber security and the need for attracting more candidates to fill roles across all industries. Rettas asked, "But what about the lead roles in an organization’s cyber security department?" Enterprise senior executives must “place competent, risk-oriented, business-minded information security professionals at the helm of the organization's cybersecurity department. And do it objectively.”

In a July 15 ZDNet article by Danny Palmer, the fundamental question is asked: “Cybersecurity: Is your boss leaving your organisation vulnerable to hackers?” The article describes a survey of security professionals that found over half of respondents believe management is ignoring advice designed to help them stay safe from cyber attacks.

In a complex and interdependent world, “some attacks are bound to succeed,” said Rettas. “Organizations must look to a strategy of resilience. And they'll survive only by planning in advance for how the inevitable successful attacks will be handled.”

On the bright side, three-quarters of the RedSeal survey respondents said their organizations have cyber insurance, suggesting most are preparing for the aftermath of an incident should one occur.

Does the survey reflect your observations of the InfoSec leadership role? Share your thoughts in the comments!
