Learning from Breaches: How to Mitigate the Risk of Third Party Applications

January 26, 2021

Major security technology providers are getting hacked. Even more alarming, these same security organizations are not discovering their own breaches in a timely manner, if at all! These breaches are frequently discovered months after the actual compromise took place.

Here are some recent examples:

  • SolarWinds – Compromised in September 2019 by UNC2452/Dark Halo threat actors. A third-party security vendor identified the weaponized updates in December 2020. MFA was successfully bypassed to access emails. Impacted over 18,000 customers. Investigation ongoing.
  • Malwarebytes – Learned of the intrusion from the Microsoft Security Response Center (MSRC) on December 15, 2020, which detected suspicious activity coming from the dormant Office 365 security app. Attackers gained access to a limited subset of internal company emails. The threat actor added a self-signed certificate with credentials to the service principal account. From there, they were able to authenticate using the key and make API calls to request emails via MSGraph. Malwarebytes stated that there is no evidence that the software they distribute to their customers is compromised.
  • Microsoft – Hackers viewed their source code and are in turn using their apps for malicious activity. Still under investigation.
  • SonicWall – In January 2021, it was reported that a cyberattack against its internal systems had revealed zero-day product vulnerabilities. Multi-factor authentication is being recommended on all SonicWall SMA, firewall and MySonicWall accounts. Still under investigation. See Notice.
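
The Malwarebytes intrusion above turned on a new credential being added to a dormant service principal and then used to read mail. The following is an added example, not part of the original article or any vendor's tooling: a Python check that correlates those two events. The records are constructed, and the field names, action labels, app names and thresholds are assumptions for illustration, not a real audit-log schema.

```python
from datetime import datetime, timedelta

DORMANT = timedelta(days=90)  # assumed: no activity for this long = dormant app
WINDOW = timedelta(days=7)    # assumed: how soon after the new credential we look for use

# Constructed sample records (hypothetical apps and field names).
EVENTS = [
    {"time": "2020-03-02T10:00:00", "app": "legacy-mail-filter", "action": "sign_in"},
    {"time": "2020-11-20T08:00:00", "app": "hr-sync", "action": "sign_in"},
    # Active app rotating its certificate: expected, not flagged.
    {"time": "2020-12-01T08:05:00", "app": "hr-sync", "action": "credential_added"},
    {"time": "2020-12-01T08:30:00", "app": "hr-sync", "action": "mail_read"},
    # Dormant app gains a credential and reads mail minutes later: flagged.
    {"time": "2020-12-10T02:14:00", "app": "legacy-mail-filter", "action": "credential_added"},
    {"time": "2020-12-10T02:20:00", "app": "legacy-mail-filter", "action": "mail_read"},
    # Credential added but never used in this data set: not flagged.
    {"time": "2020-12-12T11:00:00", "app": "old-report-tool", "action": "credential_added"},
]


def find_dormant_app_abuse(events):
    """Flag apps that were idle for DORMANT, received a new credential,
    and were then used within WINDOW of that credential being added."""
    last_seen = {}  # app -> time of last sign-in or API activity
    pending = {}    # app -> time a credential was added while the app was dormant
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        app, action = ev["app"], ev["action"]
        if action == "credential_added":
            seen = last_seen.get(app)
            if seen is None or t - seen >= DORMANT:
                pending[app] = t
            continue
        # Any other action counts as the app being used.
        added = pending.pop(app, None)
        if added is not None and t - added <= WINDOW:
            findings.append({"app": app, "action": action,
                             "credential_added": added.isoformat(),
                             "first_use": t.isoformat()})
        last_seen[app] = t
    return findings


if __name__ == "__main__":
    for finding in find_dormant_app_abuse(EVENTS):
        print(finding)
```

Routine certificate rotation on an active app passes silently, so the alert volume stays low enough for a small team to review each hit.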

Neil Daswani, author of “Big Breaches: Cybersecurity Lessons for Everyone”, found that there were six technical root causes behind breaches:

  • Phishing
  • Malware
  • Third-party compromise and abuse
  • Software vulnerabilities
  • Unencrypted data
  • Inadvertent employee mistakes

We also believe the following myths contribute to a risky security posture:

  • The mistaken belief that cloud infrastructure has cybersecurity built-in as a feature. COVID-19’s shift requiring a quick move to a remote workforce was a catalyst for many organizations to rapidly migrate to the cloud.
  • The belief that “I’m too small for the cybercriminals to be interested in my organization”
  • The supposition that there are so many other targets out there for cybercriminals, that my organization is not likely to be attacked
  • The assumption that purchasing a cyber liability insurance policy will protect my business and cover any type of attack

In 2020, we saw lots of phishing emails, malware and inadvertent employee mistakes. Now in 2021, we are seeing cybercriminals run extremely sophisticated high-level attacks via third-party compromises. We predict that these attacks will be commoditized, giving more hackers access to these tools and tactics and making small to midsize businesses (SMBs) profitable targets for hackers. In combination with traditional ransomware, these types of attacks can impact SMBs enough to take them out of business.

What does this mean for Small to Medium Businesses (SMBs)?

As IT teams implement third-party software and move their networks to the cloud so their businesses can function and scale rapidly, they also inherently increase risk by unwittingly adding exponentially more vulnerabilities. Unfortunately, it takes just one vulnerability for a criminal gang to gain a foothold in your network and access or steal your confidential and sensitive data.

The important cybersecurity shifts SMBs need to be aware of:

  • Your network(s) could be relatively secure at the moment, but you could be using software which has already been breached yet is still listed as a trusted vendor on your security devices.
  • Your cloud network may have been configured by a qualified sysadmin or developer, but you might be susceptible to exploits that cybercriminals have developed more recently. With these permissions granted and susceptibilities left unaddressed, cybercriminals have access to areas of your network in a way that would not typically trip a security alert.
  • Consider lateral and deceptive detection technologies which specialize in the ability to identify an unauthorized intruder.

The True Cost of a Breach

According to IBM, on average, it takes companies about 197 days to identify and then 69 days to actively contain a breach. We predict that as bad actors, such as Dark Halo, become more sophisticated, these numbers will multiply. Typically, the longer the breach is undetected, the more damage and the higher the cost to the business.

The direct cost of a breach can include expenses such as replacing hardware, hiring security forensic experts, obtaining years of credit monitoring for impacted individuals, disclosure to customers and even loss of revenue while down or due to negative reputation. If your breached data is subject to regulatory compliance such as PCI, GDPR, FINRA or HIPAA, then you can also expect to face regulatory fines which will increase exponentially with the extent of records exposed. In this case, you must then add the expense of the technical legal counsel needed to mitigate this costly situation.

Top Initiatives to Mitigate Risk From Third Party Applications:

  • Perform Routine Security Assessments
  • Perform Routine Web Application Assessments
  • Active Dark Web Monitoring
  • Implement Managed Detection and Response
  • Monitor Alerts in Near Real-time 24/7
  • Active Directory Monitoring
  • Training and Cybersecurity Awareness

The reality is that we need monitored, near real-time cybersecurity with multiple layers, because a firewall and endpoint protection alone are no longer a safe solution.

Considerations on Budgeting for Cybersecurity

There is no universal magical formula for understanding how much of your IT budget should be dedicated to cybersecurity. However, we do recommend thinking in terms of a return on investment, which varies from business to business. For example, spending $15,000 per year is a good investment to prevent a potential $1 million per year lost in cyber attacks. Another question to ask your leadership is: if the business was down for a week due to a cyberattack, how much would that cost us in revenue? Although that is just scratching the surface of the expense of a breach, it is usually something leadership can feasibly calculate. Regulatory compliance fines, followed by ransom from ransomware, are usually the hardest for businesses to recover from due to the additional expenses on top of traditional breach costs. Learn more about mitigating the risk of ransomware here.

A common misconception is that SMBs cannot afford to follow best practices because the cybersecurity solutions recommended end up being too expensive. SECNAP has created a pricing structure that scales with the size of our clients’ networks via our security-as-a-service platform, CloudJacketX. Our flexible modules allow for clients to choose only what they need, all while having our 24/7 Security Operation Center(s) monitor their alerts. This removes the upfront spend on hardware, hiring specialized personnel, and the constant burden of staying on top of security alerts.

Request a Free Vulnerability Scan

To help your organization get started, we encourage you to take advantage of our complimentary external vulnerability scan. This is a great first step in helping your IT team prioritize and remediate gaps in your security posture. This offer is only valid to the first 25 qualified organizations who complete this request.
