Lack of security in small companies means big risk for the enterprise

Last year, hackers entered through unsecured POS-system and HVAC vendors.

Image: unlocked gate (photo credit Tripp, CC BY 2.0)

“I’ve been in the security business for 25 years. The industry spent the first 20 of those developing perimeter security products. Then five years ago, we simply let everybody in, building an ecosystem of third-party vendors and service providers that are now part of our federated enterprise,” says Mo Rosen, COO, Xceedium.

Once attackers enter these small organizations, they access the large enterprises those small companies serve. The trust relationship that big enterprise shares with these small vendors manifests itself in networking and communications technologies that bridge the organizations and pass data between them with a degree of acceptance and approval. The large enterprise network errantly trusts the manipulations of the hackers as though these are approved behaviors of the small business.


The enterprise saw how a lack of emphasis on security on the part of third-party POS and HVAC vendors turned those vendors into vulnerabilities for the large retailers that used their services. CSO reveals how these small enterprises share their vulnerabilities with their large customers, and how those big companies can push back.

A case of the malware measles

It is not uncommon for small vendors to let the robber in the back door (a Trojan horse, literally or figuratively) and straight out the front door into larger concerns. Such is the case with the Managed Service Provider (MSP).

“The MSP installs computer updates and manages and fixes software, typically manually, from their office,” says Kevin Jones, senior information security architect, Thycotic. When an attacker infects the MSP’s network, that infection spreads to the large enterprise customer through the remote access connection, which is the common bridge between big business and small vendors.

Without a great deal of preparation and care, it is hard for the large organization to differentiate between an attacker and the MSP. “The MSP becomes the weak link in the large enterprise’s security chain,” says Jones.

How small companies make infection easy

Small companies open the door to attackers through a variety of insecure practices. Small businesses delay security updates and patches out of a continuing concern over the quality and reliability of updates, particularly updates for Microsoft Windows and Office products. “A lot of the updates break Windows and Office, and that impedes the business, which affects the bottom line,” says Jones.


Businesses will often wait a month to hear what happened to other companies that applied the latest updates before they risk installing them. In the meantime, the companies that wait are infected by attacks that exploit those unpatched vulnerabilities. Deciding whether to apply the updates or wait is a ‘damned if you don’t, damned if you do’ scenario. The large enterprise that trusts traffic from bedeviled businesses that delay patching is damned along with them.

In another ill-fated practice, small businesses neglect to enforce strong access credentials. “Small companies frequently use weak passwords,” says Rosen. It is common for third-party vendors and contractors to use weak passwords when logging into large enterprise networks; these include networks for stores like Target or Home Depot. Often the small company employee is using the same password they use everywhere, whether for their personal Facebook account, Gmail account, or financial account.


That’s why hackers who confirm a username and password for any account on the Internet will try the same combination of credentials on other sites they attempt to break into, and why reusing credentials is a very bad idea. Logon credentials are only as good as the password policy and its enforcement. If the small enterprise can’t enforce the use of long, complex, unique passwords, then it and its larger customers should expect to be infected.

Small business behaviors that invite trouble from attackers are as numerous as they are infamous. Small enterprise security policies that don’t quell missteps such as employee downloads of unauthorized software, rogue Wi-Fi installations, and password sharing will actually promote such behaviors. If big business is going to suffer under these ties, they have to find a way to manage those relationships and their threat-laden baggage.

Mitigating the small company as security hole

To mitigate the security vulnerabilities that small companies bring to the table, the big enterprise has to move from a trust-but-verify model to a least-privilege, zero-trust model when working with these organizations. Permit the least access and permissions necessary to do the work required. Consider anything outside or inside the network as untrusted. Standard best practices under least privilege and zero trust include network segmentation and enforcing up-to-date patch management, says Rosen.
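As an added illustration (not from the article or from Xceedium or Thycotic), the following Python models the least-privilege, zero-trust stance described above for third-party remote access: each vendor account is allow-listed to only the segment and port its job requires, everything else is denied, and denied attempts are surfaced for the defender. Segment names, addresses, vendor account names and the log records are all constructed for the example.

```python
"""Default-deny policy check for third-party remote access (added example).
All segments, accounts and log records below are constructed, not real."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed network segments (hypothetical addressing).
SEGMENTS = {
    "vendor_vpn": ipaddress.ip_network("10.99.0.0/24"),  # where vendors land
    "hvac":       ipaddress.ip_network("10.20.0.0/24"),  # building controls
    "pos":        ipaddress.ip_network("10.30.0.0/24"),  # payment terminals
    "corp":       ipaddress.ip_network("10.10.0.0/16"),  # internal systems
}

# Least privilege: each vendor account may reach only the (segment, port)
# pairs its work needs. Anything not listed is denied, and traffic is not
# trusted merely because it originates inside the network (zero trust).
VENDOR_POLICY = {
    "hvac_vendor": {("hvac", 443)},           # HVAC controller web console
    "msp":         {("corp", 3389), ("corp", 5985)},  # RDP / WinRM for patching
}

def segment_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def check_connection(user: str, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Return (allowed, reason). A vendor account must arrive via the vendor
    VPN segment and may only hit an allow-listed (segment, port) pair."""
    if user not in VENDOR_POLICY:
        return False, "unknown vendor account"
    if segment_of(src_ip) != "vendor_vpn":
        return False, "vendor account used from a non-vendor segment"
    dst_seg = segment_of(dst_ip)
    if (dst_seg, dst_port) in VENDOR_POLICY[user]:
        return True, f"allowed: {user} -> {dst_seg}:{dst_port}"
    return False, f"denied: {user} -> {dst_seg}:{dst_port} not in allow-list"

def audit(log_lines: List[str]) -> List[str]:
    """Evaluate constructed 'user src dst port' records; return the denials,
    e.g. an HVAC vendor login reaching the POS segment, which is what to alert on."""
    denials = []
    for line in log_lines:
        user, src, dst, port = line.split()
        ok, reason = check_connection(user, src, dst, int(port))
        if not ok:
            denials.append(f"{line} -> {reason}")
    return denials

SAMPLE_LOG = [  # constructed records
    "hvac_vendor 10.99.0.7 10.20.0.15 443",   # legitimate HVAC maintenance
    "hvac_vendor 10.99.0.7 10.30.0.40 443",   # HVAC credential reaching POS
    "msp 10.99.0.21 10.10.4.8 3389",          # MSP patching a corp host
    "msp 10.10.4.8 10.30.0.40 3389",          # MSP account hopping from corp to POS
]
```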

Page 1 of 2