{"id":25349,"date":"2022-09-28T18:44:17","date_gmt":"2022-09-28T18:44:17","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=25349"},"modified":"2022-09-28T19:05:58","modified_gmt":"2022-09-28T19:05:58","slug":"supply-chain-hacks-lead-to-partner-pentesting","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/","title":{"rendered":"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow"},"content":{"rendered":"\n<p>Cybercriminals learn quickly. In a couple of decades&#8217; time, they&#8217;ve gone from pretending to be Nigerian princes to compromising the entire <a href=\"https:\/\/www.esecurityplanet.com\/trends\/how-to-prevent-software-supply-chain-attacks\/\">software supply chain<\/a>, and every day brings news of a new attack technique or a clever variation on an old one.<\/p>\n\n\n\n<p>Incidents like those that rattled <a href=\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/\">SolarWinds<\/a> and <a href=\"https:\/\/www.esecurityplanet.com\/threats\/kaseya-breach-underscores-vulnerability-of-it-management-tools\/\">Kaseya<\/a> and their downstream customers changed the game. By slipping malicious code into software used by thousands of businesses as an essential part of the supply chain, the cybercriminal fraternity managed to infect a great many users at one time, a feat of remarkable efficiency.<\/p>\n\n\n\n<p>One casualty of these supply chain attacks has been trust between businesses and their key vendors, suppliers, and even customers.<\/p>\n\n\n\n<p>Partner organizations, after all, may be reluctant \u2014 if unlikely \u2014 to admit to cybersecurity weaknesses. And they may not even be aware that they have them. 
Howard Taylor,&nbsp;CISO of Radware, goes so far as to call it the &#8220;death of trust.&#8221;<\/p>\n\n\n\n<p>\u201cSolarWinds drove the death of trust, as thousands of the company&#8217;s customers were compromised by one cyberattack when updates to its Orion software were hijacked,\u201d Taylor told <em>eSecurity Planet<\/em>. \u201cPeople were shocked to discover that a long-trusted product had been compromised, creating vulnerabilities that bypassed thousands of its customers&#8217; carefully built security.\u201d<\/p>\n\n\n\n<p>As a result, some are now taking extra precautions such as hiring specialized companies to conduct <a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing\/\">penetration testing<\/a> audits on externally facing partner resources. The process may include an in-depth search for IP addresses and ports inside their networks that may be communicating with suspect hosts. In other cases, businesses may go as far as scanning the dark web looking for any leakage of sensitive information from partners.<\/p>\n\n\n\n<p>See the <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-penetration-testing\/\">Top Pentesting Tools<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>&#8216;Shadow Compliance&#8217;<\/strong><\/h2>\n\n\n\n<p>Some say there is nothing legally wrong with pentesting your business partners. But the mere presence of closet security testers secretly carrying out pentests on partner and customer internet-facing resources could have serious repercussions on relationships if discovered. Yet who can blame organizations for taking extra steps as they look for liabilities that might eventually compromise them? How can a partner truly say they are risk-free in this day and age?<\/p>\n\n\n\n<p>\u201cTesting entities run the pentests and present the results to service providers and businesses,\u201d said Taylor. 
\u201cAs they are guilty until proven innocent, they must address all the findings, including a myriad of false positives, that result from conducting tests without the full context of the environment.\u201d<\/p>\n\n\n\n<p>Taylor terms this &#8220;shadow compliance.&#8221; And he says that it poses two significant risks \u2014 negative impact on company reputation and lost productivity. Company reputation is not only of interest to current and potential customers, but it\u2019s also important to market analysts, lenders, and insurance companies.<\/p>\n\n\n\n<p>\u201cPoor cybersecurity reports can impact analyst recommendations and raise costs for loans and <a href=\"https:\/\/www.esecurityplanet.com\/products\/cyber-insurance-companies\/\">cyber insurance<\/a>,\u201d said Taylor. \u201cProductivity is impacted when skilled IT and security staff must postpone planned tasks to swiftly respond to these reports.\u201d<\/p>\n\n\n\n<p>He suggested that businesses should take the advent of potential snooping and testing by their partners as a reason to redouble their own cybersecurity efforts. Continuous monitoring of their cybersecurity posture by an outside entity can lower risk in the long term. 
Taylor urges businesses to allocate budget to hire a technically competent partner to proactively provide results and assist with the remediation of issues before vendors, supply chain associates, and customers find out and report them to you.<\/p>\n\n\n\n<p>Automated testing tools like <a href=\"https:\/\/www.esecurityplanet.com\/products\/breach-and-attack-simulation-bas-vendors\/\">breach and attack simulation (BAS)<\/a> could help too.<\/p>\n\n\n\n<p>\u201cAll organizations should know and understand their current physical and logical security, where the gaps are, where are areas for improvements, what new technologies, services, tools, process and people education are needed to improve,\u201d said Greg Schulz, an analyst with StorageIO Group.<\/p>\n\n\n\n<p>There is no advantage in publicizing the fact that you are doing your own pentesting, Schulz said, particularly what and how you&#8217;re testing, other than general assurances that you have taken steps to protect, preserve, secure, and ensure information services are served when, where and how needed. Schulz would prefer that companies secretly test and inspect the security of vendors, partners, and even large customers rather than going through the security motions for the sake of compliance.<\/p>\n\n\n\n<p>See the <a href=\"https:\/\/www.esecurityplanet.com\/products\/third-party-risk-management\/\">Best Third-Party Risk Management (TPRM) Tools<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Internal Threats Could Be Exposed<\/strong><\/h2>\n\n\n\n<p>The practice of snooping on vendors, partners, and customers may bring about a side benefit, said Schulz: Better detection of <a href=\"https:\/\/www.esecurityplanet.com\/products\/data-loss-prevention-dlp-solutions\/\">insider threats<\/a>. Yes, pentesting and other forms of surveillance can help spot external threats. But that is where the bulk of attention is spent in cybersecurity. 
Relatively little time is given to insider-originated attacks or data exfiltration attempts.<\/p>\n\n\n\n<p>\u201cWhile outward internet-facing IT resources, services, apps, and data get headline news coverage and bring awareness to security vulnerabilities, what\u2019s commonplace yet off the media radar are threats that occur from within,\u201d said Schulz. \u201cEveryone \u2013 organizations, vendors, partners, solution providers, pundits, and the media \u2013 are tunnel vision-focused on only internet-facing attacks and attack surfaces. They may be missing, or vulnerable to, incidents that occur or originate from within.\u201d<\/p>\n\n\n\n<p>With organizations pentesting and checking up on each other, those extra eyes are more likely to expose the efforts of disgruntled employees, attempts at theft of intellectual property, theft of mailing lists, and other internally generated actions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Potential Liabilities for Secret Pentesting<\/strong><\/h2>\n\n\n\n<p>But a professional pentester had a different take. Steve Kerns, President of SKernal Security Consulting, has been pentesting for over 16 years. He said he had heard of the likes of Microsoft and Google quietly doing pentesting on each other.<\/p>\n\n\n\n<p>\u201cI would not be surprised if others were doing it,\u201d he said. \u201cBut it could be dangerous to be pentesting other companies without their permission; you could be opening up your company&nbsp;to lawsuits.\u201d<\/p>\n\n\n\n<p>He always obtains permission before pentesting another company.<\/p>\n\n\n\n<p>\u201cI would suggest that companies ask partners and customers if they have had a pentest done on their internet-facing resources and what the results were, who did it (third party or internal) and when it was done,\u201d said Kerns. 
\u201cIf they want to verify it, they should ask for permission first.\u201d<\/p>\n\n\n\n<p>Read next: <a href=\"https:\/\/www.esecurityplanet.com\/applications\/how-hackers-compromise-the-software-supply-chain\/\">How Hackers Compromise the Software Supply Chain<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals learn quickly. 
In a couple of decades&#8217; time, they&#8217;ve gone from pretending to be Nigerian princes to compromising the entire software supply chain, and every day brings news of a new attack technique or a clever variation on an old one. Incidents like those that rattled SolarWinds and Kaseya and their downstream customers changed [&hellip;]<\/p>\n","protected":false},"author":213,"featured_media":18347,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[14],"tags":[3790,3414,31708,730,31944,30620,5277],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[382,380,31775,392],"class_list":["post-25349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networks","tag-cybersecurity","tag-network-security","tag-pentesting","tag-security","tag-software-supply-chain","tag-third-party-security","tag-web-security","b2b_audience-awareness-and-consideration","b2b_product-application-security-vulnerability-management","b2b_product-policy-compliance","b2b_product-web-applications-security","b2b_product-web-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow | eSecurity Planet<\/title>\n<meta name=\"description\" content=\"Software supply chain and third-party risks have reached a point where business partners are secretly pentesting each other.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" 
content=\"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow | eSecurity Planet\" \/>\n<meta property=\"og:description\" content=\"Software supply chain and third-party risks have reached a point where business partners are secretly pentesting each other.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-28T18:44:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-28T19:05:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Drew Robb\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Drew Robb\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/\"},\"author\":{\"name\":\"Drew Robb\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/df930f1317eb05f959f8016777c920c2\"},\"headline\":\"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow\",\"datePublished\":\"2022-09-28T18:44:17+00:00\",\"dateModified\":\"2022-09-28T19:05:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/\"},\"wordCount\":1030,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg\",\"keywords\":[\"cybersecurity\",\"network security\",\"pentesting\",\"security\",\"software supply chain\",\"third-party security\",\"Web security\"],\"articleSection\":[\"Networks\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/\",\"name\":\"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow | eSecurity 
Planet\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg\",\"datePublished\":\"2022-09-28T18:44:17+00:00\",\"dateModified\":\"2022-09-28T19:05:58+00:00\",\"description\":\"Software supply chain and third-party risks have reached a point where business partners are secretly pentesting each other.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg\",\"width\":1200,\"height\":800,\"caption\":\"Hacker at computer\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity 
Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/df930f1317eb05f959f8016777c920c2\",\"name\":\"Drew Robb\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/0.jpg.256x256_q100_crop-smart-150x150.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/0.jpg.256x256_q100_crop-smart-150x150.jpg\",\"caption\":\"Drew Robb\"},\"description\":\"Drew Robb has contributed to eSecurity Planet and other TechnologyAdvice websites for more than twenty years. He's covered every aspect of enterprise IT in his career, from the latest trends to in-depth product analysis. 
He is also the editor-in-chief of an international engineering magazine.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/drew-robb-esp\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow | eSecurity Planet","description":"Software supply chain and third-party risks have reached a point where business partners are secretly pentesting each other.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/","og_locale":"en_US","og_type":"article","og_title":"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow | eSecurity Planet","og_description":"Software supply chain and third-party risks have reached a point where business partners are secretly pentesting each other.","og_url":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/","og_site_name":"eSecurity Planet","article_published_time":"2022-09-28T18:44:17+00:00","article_modified_time":"2022-09-28T19:05:58+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg","type":"image\/jpeg"}],"author":"Drew Robb","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Drew Robb","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/"},"author":{"name":"Drew Robb","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/df930f1317eb05f959f8016777c920c2"},"headline":"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow","datePublished":"2022-09-28T18:44:17+00:00","dateModified":"2022-09-28T19:05:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/"},"wordCount":1030,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg","keywords":["cybersecurity","network security","pentesting","security","software supply chain","third-party security","Web security"],"articleSection":["Networks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/","url":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/","name":"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow | eSecurity 
Planet","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg","datePublished":"2022-09-28T18:44:17+00:00","dateModified":"2022-09-28T19:05:58+00:00","description":"Software supply chain and third-party risks have reached a point where business partners are secretly pentesting each other.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/04\/Hacker-e1666979312899.jpg","width":1200,"height":800,"caption":"Hacker at computer"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/networks\/supply-chain-hacks-lead-to-partner-pentesting\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"Businesses Secretly Pentest Partners as Supply Chain\u00a0Fears\u00a0Grow"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business 
secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/df930f1317eb05f959f8016777c920c2","name":"Drew Robb","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/0.jpg.256x256_q100_crop-smart-150x150.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/0.jpg.256x256_q100_crop-smart-150x150.jpg","caption":"Drew Robb"},"description":"Drew Robb has contributed to eSecurity Planet and other TechnologyAdvice websites for more than twenty years. He's covered every aspect of enterprise IT in his career, from the latest trends to in-depth product analysis. 
He is also the editor-in-chief of an international engineering magazine.","url":"https:\/\/www.esecurityplanet.com\/author\/drew-robb-esp\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/25349"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/213"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=25349"}],"version-history":[{"count":0,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/25349\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/18347"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=25349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=25349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=25349"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=25349"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=25349"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=25349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}