Accellion Data Breach Highlights Third-Party Cyber Risk


Two mega-breaches caused by third parties have occurred over the last month, adding to the recent SolarWinds supply chain hack and together forming a growing wave of third-party risk for enterprises and government organizations. Secure file-transfer vendor Accellion suffered a breach of its legacy File Transfer Appliance (FTA) product, which exposed the data of many of its clients to attackers. A number of high-profile customers were affected, including the law firm Jones Day, the grocery chain Kroger, and Shell, along with government and educational institutions. Given that the product is used to store and exchange sensitive client data, these breaches are sure to cause considerable pain for the victim companies, and more victims are likely to emerge as the investigation continues.

Following on the heels of that announcement, the French government disclosed that hackers (most likely the Russian “Sandworm” group) had been using the Centreon IT monitoring platform as a foothold to breach numerous state and enterprise users for years, going back as far as 2017. These brazen, large-scale attacks show that hacking groups have enthusiastically embraced the “hack one, breach many” strategy as a way to maximize the return on their efforts. The more sophisticated actors, usually nation-states or organized crime groups tracked as Advanced Persistent Threats (APTs), have realized that going after technology companies is a real force multiplier in terms of both profit and propaganda. Rather than simple, “shotgun” style phishing campaigns blasted out to millions of companies in the hope of landing a big fish, they target third-party vendors, who by the nature of their support and service role aggregate access to many customers under one roof. By concentrating on a single, complex intrusion, as they did in the attacks above, they gain access to a wide variety of cross-industry targets. And because these vendors are trusted suppliers, their traffic and their software are rarely scrutinized, so the intrusions often go undiscovered until it is too late.

The complexity and sophistication of these third-party attacks are also increasing rapidly. Brad Smith, President of Microsoft, a company itself affected by the SolarWinds incident, said that more than 1,000 engineers may have worked on the malware used in that attack. Given the resources that APT organizations are pouring into such projects, what can the average organization, many of which do not even employ that many developers, do to defend against this new breed of third-party attack? Even though fighting off such overwhelming forces might seem an impossible task, there are concrete things security teams can do to reduce the likelihood of a breach and to lessen the blow should one happen.

Don’t use old software

This should go without saying, but far too many organizations continue to run dated or out-of-support software that carries known vulnerabilities. Attackers know this and routinely scan for product versions they already know how to exploit. Listen to your vendors’ warnings and don’t put off patching. Run a disciplined patch management program and stay on top of updates, especially critical security fixes. And definitely don’t wait for a product to go out of support before you migrate off it: once the vendor stops shipping fixes, every new vulnerability becomes a permanent one. I know these upgrades are difficult and time-consuming, but trust me, they are far less painful than dealing with a breach.

Build a robust third-party risk management (TPRM) program

If you don’t already have a TPRM program, get one in place now. If you do have one, improve it. Here are some ways to start a program or refine the one you have:

  • Perform more thorough vendor risk assessments before onboarding new vendors, and repeat them on a regular cadence rather than only at onboarding.
  • Apply additional controls to vendors that are high-risk or critical to your operations.
  • Require multi-factor authentication (MFA) for all vendor access as a standard control.
  • Add credential vaulting and privileged access management (PAM) for any use of privileged credentials by third-party vendors, so that vendor sessions are brokered, time-limited, and recorded.
  • Institute closer, more frequent reviews of key supply chain vendors, including the software they deliver and the access they hold.

Assume the Breach

Finally, given the resources of major hacking groups, it is only a matter of time before most organizations suffer some kind of breach. The question is whether it will be a minor issue or a potentially company-ending event. As a last line of defense against the latter, companies should “assume the breach” and conduct regular threat hunting to look for signs of current or past compromise, rather than waiting for an alert or a vendor notification. This will not stop a determined adversary, but it will limit the damage that even the most capable actors in the cybercrime world can do before they are found.
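As an added illustration of what such a hunt can look like in practice (this is example code written for this article, not tooling from Accellion, Centreon or any other vendor), the script below runs a retrospective hunt over access logs from a file-transfer service of the kind that was abused in the Accellion incident. It assumes a constructed, simplified log format (timestamp, client IP, user, action, path, bytes) and looks for two classic signs of data theft: one client pulling an unusual number of files or volume of data inside a short window, and downloads occurring in the middle of the night. The sample log lines are constructed and the thresholds are illustrative assumptions; adapt the parser and the numbers to your own appliance and baseline.

```python
"""Retrospective threat hunt over file-transfer access logs.

Example code written for this article (not any vendor's tooling). The log
format, sample data and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, client IP, user,
# action, path, bytes. One client pulls a burst of sensitive files at 2 a.m.,
# far beyond what the other clients do during the working day.
SAMPLE_LOG = """\
2021-02-01T02:13:05 198.51.100.7 jsmith DOWNLOAD /share/q4-board-deck.pdf 2048000
2021-02-01T02:13:09 198.51.100.7 jsmith DOWNLOAD /share/m-and-a-target-list.xlsx 512000
2021-02-01T02:13:14 198.51.100.7 jsmith DOWNLOAD /share/hr-salaries.csv 1024000
2021-02-01T02:13:20 198.51.100.7 jsmith DOWNLOAD /share/customer-export.zip 90000000
2021-02-01T02:14:02 198.51.100.7 jsmith DOWNLOAD /share/legal-hold.zip 45000000
2021-02-01T09:40:11 203.0.113.22 mlee DOWNLOAD /share/q4-board-deck.pdf 2048000
2021-02-01T10:02:45 203.0.113.22 mlee UPLOAD /share/notes.docx 30000
2021-02-01T11:15:30 192.0.2.90 akhan DOWNLOAD /share/customer-export.zip 90000000
"""

# Illustrative thresholds; derive real ones from your own baseline traffic.
WINDOW = timedelta(minutes=10)
MIN_FILES = 4             # distinct files pulled within WINDOW
MIN_BYTES = 100_000_000   # bytes pulled within WINDOW


def parse_line(line):
    """Parse one whitespace-separated log line into a dict."""
    ts, ip, user, action, path, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "action": action, "path": path, "bytes": int(nbytes)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def hunt_bulk_downloads(events, window=WINDOW, min_files=MIN_FILES,
                        min_bytes=MIN_BYTES):
    """Flag each (ip, user) whose busiest sliding window of downloads reaches
    min_files distinct files or min_bytes. Returns a list of
    (ip, user, files, bytes, window_start) tuples."""
    by_client = defaultdict(list)
    for e in events:
        if e["action"] == "DOWNLOAD":
            by_client[(e["ip"], e["user"])].append(e)

    findings = []
    for (ip, user), evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        best = None  # (files, bytes, window_start) of the busiest window
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            files = len({e["path"] for e in span})
            total = sum(e["bytes"] for e in span)
            if best is None or (files, total) > best[:2]:
                best = (files, total, evs[start]["ts"])
        if best and (best[0] >= min_files or best[1] >= min_bytes):
            findings.append((ip, user, best[0], best[1], best[2]))
    return findings


def hunt_off_hours(events, start_hour=0, end_hour=5):
    """Return the set of (ip, user) that downloaded anything between
    start_hour (inclusive) and end_hour (exclusive), local appliance time."""
    return {(e["ip"], e["user"]) for e in events
            if e["action"] == "DOWNLOAD" and start_hour <= e["ts"].hour < end_hour}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, user, files, nbytes, when in hunt_bulk_downloads(evs):
        print(f"BULK  {ip} {user}: {files} files, {nbytes} bytes from {when}")
    for ip, user in sorted(hunt_off_hours(evs)):
        print(f"NIGHT {ip} {user}: downloads during off-hours")
```

Run against the constructed sample, the hunt flags only the 198.51.100.7/jsmith session, which both pulled five sensitive files totalling about 138 MB within a minute and did so at 2 a.m.; the single large daytime download by akhan stays under the byte threshold and is not reported. The value of a hunt like this is that it works on historical logs, so it can surface a compromise that occurred months ago and never tripped a real-time alert.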

There is no doubt that third-party risk is becoming one of the most significant contributors to cyber breaches, and attackers will only increase their use of this vector to reach as many companies as possible with each hack. Properly managing this risk is essential if your company is not to become the next breach statistic.

This article originally ran on Security Boulevard.