Issue #02 - October 14, 2022

Welcome to Alice in Supply Chains!

We are back with our second issue of the?Alice in Supply Chains newsletter, bringing you the?third-party cyber risk management (TPCRM)?stories that you shouldn’t miss!

In September, the United States government published new guidance for software supply risk management in the private sector. They are also signaling intent to mandate minimum security requirements for the administration's software suppliers, which has sparked some major discussions related to the software supply chain as a whole – with no shortage of criticism for the quality of the government's advice.

News outlets also reported updated statistics related to TPCRM, as well as new breaches and incidents, some of which bring up the security failures of airlines, hotels, and other companies in the travel industry, a sector which usually remains outside the scope of third-party risk management policies. These stories warrant some reflections from all of us, as the risks are subtle yet worrying.

September was also a busy month for us at? Tenchi Security ?as we prepared for?Tenchi Day, our first-ever third-party cyber risk management event. We gathered a group of fantastic speakers and panelists in S?o Paulo on October 4, including Stuart Okin , from Ofgem — the energy regulator from the UK — and Robert Martin from MITRE . The event was invite-only, but we look forward to sharing many of the highlights in the coming weeks – Tenchi Day was full of insights for getting ahead in third-party risk management.

Stay tuned!

Alexandre Sieira , Co-Founder and CTO at Tenchi Security

=================================================================

Report finds a link between third-party access and cyberattacks in 2022

We kick-off this month’s newsletter with a few reports and surveys dealing with third-party risks, beginning with “The State of Cybersecurity and Third-Party Remote Access Risk,” from EdTech Magazine. This report points out that third-party access?is a common component of breaches in 2022:

More than 50 percent of organizations?reported a third-party data breach in 2022, and more than 70 percent found third-party breaches or cyberattacks in 2022 resulted from giving too much privileged access to third parties.

In another survey by the Neustar International Security Council (NISC),?76% of security professionals said they now view supply chain risk as a top security priority, with 73% also saying they believe closer integration with partners is exposing their organizations to increased risk. This survey also goes into more detail as to why organizations are increasing their reliance on third parties – one of them being the inability to find in-house talent, a challenge that arises from the current labor market and the phenomenon that has been called “The Great Resignation.” To wit: many workers are leaving their jobs, and while organizations rightfully have concerns about company data departing with those workers, they also face a real challenge in vetting new talent or suppliers who will also require at least some level of access to that data.

Ending this round of surveys is a report on?the link between ransomware and the supply chain, putting some numbers to the visibility problem as it relates to the ransomware threat. Trend Micro found that 53% of organizations don’t share knowledge regarding ransomware attacks with their suppliers, and 25% don’t share useful threat information with partners.

=================================================================

Software supply chain security recommendations, objections, and incidents

The software supply chain came to the spotlight in September after the U.S. government published security recommendations aimed directly at it (find them here, or?check an overview). Kelly Shortridge highlighted many of the problems with the document and put forth?several objections, including that most enterprises will neither want nor have a chance to implement it:

The document’s guidance contains a mixture of impractical, confusing, confused, and even dangerous recommendations.

There is a collective ignis fatuus in the information security community that it is the “job” of an organization’s employees to prioritize security above all else. This fallacy holds us back from achieving better defense outcomes. Unfortunately, “Securing the Software Supply Chain” calcifies this falsehood.

Shortridge’s critique can be taken as good advice in its own right, so it’s a very good read.

Google Cloud’s DevOps Research and Assessment (DORA) also weighed in on the issue with a timely release of its annual Accelerate State of DevOps,?arguing that culture has a broader impact?than specific technical measures when it comes to making sure teams adhere to security frameworks. And that velocity and automation can actually benefit security, reinforcing the first major point made in Kelly Shortridge’s rebuttal.

Some actual incidents came to light as well. MiMi, a Chinese messaging app,?was sabotaged with malicious code, possibly by state-backed attackers, bringing to mind the SolarWinds hack from 2020. Meanwhile, a new investigation by Sysdig shed some light on threat actors that?compromised thousands of container images. These images were modified to mine cryptocurrency for profit.

Finally, it bears remembering that despite all of the hype around software supply chain security these days, two things have not changed:

1. there are big limitations to the percentage of software bugs that can be found via automation alone, so critical software should go through regular, specialized human reviews and TPCRM teams should request the same from vendors;
2. more software security tools in your pipeline won't save you if attackers are able to subvert its infrastructure (as they did to SolarWinds) or your developer's endpoints. Good security architecture and practices in the infrastructure used to produce software is key.

=================================================================

LastPass: ‘no customer data stolen’ after development environment breach

After investigating a security breach on its development environment, password manager LastPass stated no customer data was taken – not even encrypted password vaults. Furthermore, the attacker was?unable to insert any malicious code, which would be required for passwords to be stolen directly from the client software. The company’s statement outlines some of the procedures they had in place to achieve this:

Firstly, the LastPass Development environment is physically separated from, and has no direct connectivity to, our Production environment. Secondly the Development environment does not contain any customer data or encrypted vaults. Thirdly, LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model.

In order to validate code integrity, we conducted an analysis of our source code and production builds and confirm that we see no evidence of attempts of code-poisoning or malicious code injection. Developers do not have the ability to push source code from the Development environment into Production.

Good results in the aftermath of a security incident stem from good practices and security measures adopted beforehand. It’s very important to understand they are not accidental. This could have become a software supply chain issue for anyone that uses LastPass, but a proper security architecture prevented it.

LastPass isn’t the only password manager that takes this seriously and they also aren’t the only ones to adopt zero-knowledge in this field. Password managers still fight an uphill battle to gain trust from both users and organizations. But the same cannot be said about all software or SaaS vendors, or even security vendors. Relying on third parties for what they do best can be great for the business, and it’s even better when they can be confidently transparent about their security practices.

=================================================================

Travel industry breaches: TAP, American Airlines, and Intercontinental Hotels Group

Airline companies TAP and American Airlines, and hotel chain Intercontinental Hotels Group (IHC) all have warned customers about separate data breaches. TAP’s?advice to customers?is focused on phishing:

TAP said in a letter to customers the cyber attack last month obtained from its servers people’s names, nationalities, email and home addresses, phone contacts and frequent flier numbers. “The release of the personal data via open sources could increase the risk of their illegal use, namely aimed at obtaining other data that could compromise the digital systems in fraudulent attempts such as phishing,” TAP said.

TAP also recommended changing passwords to stronger ones and said it would abstain from further contact with individual clients about the issue to avoid confusion.

The IHG breach came to light as people reported problems with booking and check-in, and was later revealed to have been perpetrated by?a vindictive couple that found a database?protected by a weak password, “Qwerty1234.” As for American Airlines, the breach?revealed in mid-September?happened two months prior with the compromise of employee email accounts.

We highlight these stories because many organizations don’t look at airlines or hotels as “suppliers.” This means they are often exempt from the security requirements imposed to other vendors. And while phishing is a risk, it’s far from the only concern: travel history can indicate business movements (mergers, new ventures, etc.), and access to future travel plans make executives vulnerable to kidnapping, blackmail, or?evil maid attacks. Maybe it’s time for a different approach? For example, celebrities have long used aliases when traveling, to better evade stalkers and photographers.

=================================================================

2K Games says hacked help desk targeted players with malware (and other breaches)

Game publisher 2K Games had its support services compromised after an attacker obtained the credentials used by a third-party vendor to access their help desk platform, Zendesk. The attacker abused this access to?send a message to customers with a malicious link containing?RedLine, a malware capable of extracting credentials, browser sessions and autocomplete data, among other things. In response, 2K Games took down the whole support system:

2K added that its support portal was taken offline earlier while the video game publisher investigates and addresses the incident’s fallout. The company said it would issue a notice to let players know when it will be safe to start interacting with its support staff again.

This is an interesting case also from the customer’s perspective: while 2K Games had an issue with its vendor, customers were ultimately put at risk by that third party they had no knowledge of.

This was unfortunately not the only breach of note related to a third party that was discussed recently.?KeyBank warned its customers?after a breach at Overby-Seawell, a third-party service provider for its mortgage business; insurance company Humana is?notifying state governments in the US about a breach at Choice Health, a third-party; and Delta Dental?has warned customers of a data leak after a breach at Kaye-Smith, a print and mail services provider.

While some of these are not new, it’s only now that these companies are notifying their customers, as is required by law in many US states. The attacks on healthcare providers may not be a coincidence, however, as the FBI warned that criminals are?targeting payment processors specifically used in this industry. Also, the NHS story we discussed in last month's edition is still ongoing and the disruption "could continue for weeks."

=================================================================

CISA looking for comments on the definition of ‘supply chain compromise’

The Cybersecurity and Infrastructure Security Agency (CISA) has opened a request for information procedure to help them develop the regulation prescribed by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). In brief, CISA must write the specific regulations that will implement CIRCIA, and?they want input on how to better define some of the terms, including “supply chain compromise.” This piece of regulation, which may take up to 24 months to be finalized, should eventually say exactly who will be the covered entities that have to report security incidents to CISA and which incidents they’ll have to report (under labels such as “supply chain compromise,” for example). CISA will be accepting comments until November 14, 2022.

CISA is particularly interested in input on definitions for and interpretations of the terminology to be used in the proposed regulations; the form, manner, content, and procedures for submission of reports required under CIRCIA; information regarding other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited; and other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations.

A modest suggestion we would like to make is to ensure we don't fall into the trap of making "supply chain security" synonymous with "software supply chain security" as so much marketing messaging is doing. There is more to supply chain security than just software.

In another move by the U.S. government, the White House intends to implement software supply chain security requirements. You can read?a summary, and?some reactions. For now, only self-attestation will be required from software vendors, which we believe doesn't go nearly far enough for critical software, but this may be a sign of things to come.