Great Article on Spotting Skimmers

I ran across this great article with tips on spotting credit card skimmers. Check it out for some pretty good info.

Ever wondered about the prices that criminals pay for skimmers? We recently studied this and found that the average price for magnetic stripe skimmers was between $100 – $300 US. Kits that include cameras and other techniques for also capturing PIN data (ATM & Chip/PIN transactions) were around 10x that amount on the black market. Home grown solutions are significantly cheaper to build, but often lack the subtlety and camouflage of the more “commercial” offerings.

By the way, note that even where Chip and PIN transactions have become the norm (outside the US), capturing the magnetic track data is still useful for attackers to focus on e-commerce and other card holder not present transactions.

Just a few things to think about… While the credit card theft underground is robust, interesting and dynamic, companies and issuers are working hard to stay on top of things. Unfortunately, the economics involved is complex, and attackers are continually refining all phases of their operations.  

Supply Chain Security: Another Data Breach Blamed on 3rd Party Vendor

One of the tasks I perform at MicroSolved is working on our Daily Threat Briefing. We use our TigerTrax™ threat intelligence gathering platform to pull in security information from all over the web and social media sphere. And one of the things I notice constantly is data breaches and other security compromises that are caused not by poor security at the affected organizations, but by security failures in their supply chain. This week’s example is the Bizmatics hack that exposed the private health information of patients from institutions such as the Pain Treatment Centers of America and the Interventional Surgery Institute. It is still unclear if the hacker actually collected this information, but it is sure he had access to it. Since this information is protected under HIPAA and HITECH, there could be regulatory and legal consequences from the breach. And, ultimately, the responsibility for protecting this patient health information lies with the medical organizations affected, not Bizmatics. The name of the game here is performing “Due Diligence” when you chose and maintain relationships with a third party service provider or vendor. Did you examine their information security policies and assessment results? Did you check out their financial standing? Did you check their history to see if they have had problems in the past? Did you check with other users of their services to see if they have experienced any difficulties with the provider? Have you been performing such checks not just once, but on a recurring basis? If you have been performing due diligence in these matters, chances are you will fare well legally. If you haven’t, chances are your organization will suffer for it. Despite this, many organizations do not perform proper due diligence. They find it is difficult to get the information needed, and even if the information is available, they find accessing it uses up lots of man hours. This is an area where the new MicroSolved passive assessment platform can help. The platform employs the powerful TigerTrax™ platform to perform automated research, intelligence gathering and correlation from hundreds of sources, both public and private, that describe the effective security posture of organizations. And best of all, it performs these tasks very quickly and without touching the target’s network or systems directly in any way. So if yours is one of the organizations out there that is having trouble performing proper due diligence in choosing and maintaining supply chain relationships, try doing it the easy and effective way. Contact MicroSolved today and see how we can help.

Hosting Providers Matter as Business Partners

Hosting providers seem to be an often overlooked exposure area for many small and mid-size organizations. In the last several weeks, as we have been growing the use of our passive assessment platform for supply chain assessments, we have identified several instances where the web site hosting company (or design/development company) is among the weakest links. Likely, this is due to the idea that these services are commodities and they are among the first areas where organizations look to lower costs.

The fall out of that issue, though, can be problematic. In some cases, organizations are finding themselves doing business with hosting providers who reduce their operational costs by failing to invest in information security.* Here are just a few of the most significant issues that we have seen in this space:
  • “PCI accredited” checkout pages hosted on the same server as other sites that are clearly under the control of an attacker
  • Exposed applications and services with default credentials on the same systems used to host web sites belonging to critical infrastructure organizations
  • Dangerous service exposures on hosted systems
  • Malware infested hosting provider ad pages, linked to hundreds or thousands of their client sites hosted with them
  • Poorly managed encryption that impacts hundreds or thousands of their hosted customer sites
  • An interesting correlation of blacklisted host density to geographic location and the targeted verticals that some hosting providers sell to
  • Pornography being distributed from the same physical and logical servers as traditional businesses and critical infrastructure organizations
  • A clear lack of DoS protection or monitoring
  • A clear lack of detection, investigation, incident response and recovery maturity on the part of many of the vendors 
It is very important that organizations realize that today, much of your risk extends well beyond the network and architectures under your direct control. Partners, and especially hosting companies and cloud providers, are part of your data footprint. They can represent significant portions of your risk, and yet, are areas where you may have very limited control. 
 
If you would like to learn more about using our passive assessment platform and our vendor supply chain security services to help you identify, manage and reduce your risk – please give us a call (614-351-1237) or drop us a line (info /at/ MicroSolved /dot/ com). We’d love to walk you through some of the findings we have identified and share some of the insights we have gleaned from our analysis.
 
Until next time, thanks for reading and stay safe out there!
 
*Caveat: This should not be taken that information security is correlated with cost. We have seen plenty of “high end”, high cost hosting companies with very poor security practices. The inverse is also true. Validation is the key…

Bonus from March: Supply Chain Security Model

Thanks for reading our supply chain security content throughout the month of March. We just wanted to sneak this one in, despite the calendar… 🙂 

If you click here, you can download a PDF version of a nice maturity model for assessing your vendor supply chain security maturity. We added passive assessments in to it to make it easy to show where you can leverage this powerful new approach. 

Check it out, and let us know if you would like help building, improving or auditing your program. In addition, if you would like to retain MSI for your third party oversight needs, please get in touch with your account executive or call us at (614) 351-1237. We have a strong history of program oversight across disciplines and would be happy to help keep your initiative on track!

Have a great April!

How to Engage MSI for Supply Chain Security Help

The month of March is about to wrap up and come to a close. I hope it was a great month for you and your security initiatives. I also hope you took advantage of our focused content this month on Supply Chain Security. If you want to go back and read through some of the articles, here are quick links:

3 Reasons Your Supply Chain Security Stinks

Ideas for Vendor Discovery

Sorting Vendors into Tiers

Mapping Control Requirements to Vendor Tiers

An Example Control Matrix for Supply Chain Security

What is MSI’s Passive Assessment & How Does it Empower Supply Chain Security?

Many folks have asked us about how to engage with MSI around the Supply Chain. I wanted to add this bit of information in order to make it easier for folks to know how we can assist them.

You can engage with MSI around Supply Chain Security in three primary models:

  • Focused Mission Consulting Model – This model is when you have a specific set of tasks and deliverables in mind that you would like MSI to create/review/audit or test. We scope the work effort up front and provide a flat rate engagement price. The work is then completed, usually offsite, and the deliverables are worked through until completed. This is fantastic for organizations looking to build a program, create their tiers and control matrices and document the processes involved. Basically, you hire us to do the heavy lifting…
  • Retainer-Based Consulting Model – This model lets you hire MSI resources for a specific time frame (usually 1 year) for periodic oversight, design, review or operational tasks. Our team supplements your team, providing experience and assistance to your process. Basically, you do the heavy lifting – and we make sure you build an efficient, effective and safe program for supply chain security. This is a flat rate, billed monthly, for a set number of resource hours.
  • Virtual CISO Model – In this model, you can hire MSI to manage and provide oversight for security needs across the enterprise. You get an assigned MSI resource who is responsible for ensuring your initiatives get completed and performed in accordance with best practices. This resource can draw from other MSI subject matter experts and our services, as needed, to build out/supplement or support your security initiative. This is a great offering for small and mid-size organizations who need deep expertise, but who might not have the budget or capability to retain world class talent across multiple security domains. Basically, in this type of engagement – you hire us to solve your security problems and build/manage your security program. We do that with attention to cost/efficiency/effectiveness and safety. Pricing for this service type varies based on the maturity and requirements of the security program.

You can also retain MSI to leverage our passive assessment platform to assess your vendors passively, “en masse”. For information about how to engage with us to serve as a fulcrum for your security program, arrange for a free, no pressure, exploration call with your account executive. If you don’t have an account executive, give us a call at (614) 351-1237 or drop us a line at info (at) microsolved /dot/ com and let us know of your interest. We would love to share some demo information with you and walk you through how we can help.

If you have any other questions about Supply Chain Security or other issues, please get in touch, as above. You can also reach out to me on Twitter. As always, thanks for reading and until next time, stay safe out there!

What is MSI Passive Assessment & How Does it Empower Supply Chain Security

MSI’s passive assessment represents a new approach to understanding the security risks associated with an organization, be it yours or a vendor, prospect or business partner’s. MSI’s passive assessment leverages the unique power of the MSI TigerTrax™ analytics platform to perform automated research, intelligence gathering and correlation from hundreds of sources, both public and private, that describe the effective security posture of an organization.
 
The engine is able to combine the power of hundreds of existing tools to build the definitive profile of an organization’s security posture –  such as:
  • open source intelligence
  • corporate data analytics
  • honeypot sources
  • deep & dark net search engines
  • other data mining tools 
 
MSI’s passive assessment gives you current and historical information about the security posture of the target, such as:
  • Current IOCs associated with them or their hosted applications/systems (perfect for cloud environments!)
  • Historic campaigns, breaches or outbreaks that have been identified or reported in public and in our proprietary intelligence sources
  • Leaked credentials, account information or intellectual property associated with the target
  • Underground and dark net data associated with the target
  • Misconfigurations or risky exposures of systems and services that could empower attackers
  • Public vulnerabilities
  • Other relevant intelligence about their risks, threats and vulnerabilities – new sources added weekly…
 
Best of all, it gathers and correlates that data without touching the target’s network or systems directly in any way. That means you do not need the organization’s permission or knowledge of your research, so you can keep your interest private!
 
In the supply chain security use case, the tool can be run against organizations as a replacement for full risk assessment processes and used as an initial layer to identify and focus on vendors with identified security issues. You can find more information about it used in the following posts about creating a process for supply chain security initiatives:
 
Clients are currently using this service for M&A, vendor supply chain security management, risk assessment and to get an attacker’s eye view of their own networks or cloud deployments/hosted solutions.
 
To learn more about MSI’s passive assessment, please talk with your MSI account executive today!
 
 
 

An Example Control Matrix for Supply Chain Security

Per the examples in the last post, here is what the Control Matrix for Vendor Supply Chain Security might look like.
 
In the beginning of the document, you can define the audience, the authors, the update process and the process for handling exceptions. I usually also add a footer that has relevant reference links to products/services/vendors and key terms used in the document.
 
The main content, of course, is the matrix itself, which usually looks something like this:
 
 
Name of Tier Tier Criteria Required Diligence Required Controls
Critical Risk Vendors Shared IIP that allows duplication of products or differentiator features or R&D; ANY outage of the vendor’s IT operations would harm JIT delivery or line manufacturing Any required regulatory document gathering (SAS70, PCI DSS, HIPAA, etc.); Monthly MSI passive assessment – MEDIUM or HIGH risk issues trigger FULL risk assessment & review of their security audits; MSI monitors vendor list for Targeted Threat Intelligence and if triggered, formal incident response process is required from the vendor
As determined by your firm…
All controls required – NO VARIANCE ALLOWED
High Risk Vendors Shared non-critical IIP that allows feature replication, long term damage to product/brand strategy or R&D; Protracted outage of the vendor’s IT operations could impact production Any required regulatory document gathering (SAS70, PCI DSS, HIPAA, etc.); Quarterly MSI passive assessment – HIGH risk issues trigger FULL risk assessment & review of their security audits
As determined by your firm…
All controls required – NO VARIANCE ALLOWED
Routine Risk Vendors IIP shared at this level represents a potential for reputational or regulatory impacts; Normal vendor level where data sharing occurs Any required regulatory document gathering (SAS70, PCI DSS, HIPAA, etc.); Yearly MSI passive assessment – HIGH risk issues trigger deeper risk assessment
As determined by your firm…
Variance allowed by signed acceptance from steering committee or executive team
Low Risk Vendors Data is not shared with this vendor and compromise of the vendor’s IT operations is unlikely to have any impact Peer review to validate tier eligibility; Contract language review; Financial fraud team validation Only contractual controls and/or SLA required
 
As you can see, the matrix makes the entire program easy to discuss and demonstrate. The more clearly you can define the tiers, their required due diligence, their required controls and other data elements – the easier the process gets. 
 
We hope this helps you put together your own vendor tiering program and easily demonstrate it. If you would like more information about our passive assessment platform or Targeted Threat Intelligence (passive monitoring of vendor-related IOCs and security issues), please touch base with your account executive. Many of our clients are actively using and recommending these offerings for their supply chain security initiatives. We’d love to tell you more about it, so just let us know! 
 

Mapping Control Requirements to Vendor Tiers

Now that you have a proper tier structure set up for your vendors, we will discuss how to map controls to each of those tiers to create a control matrix that you can work from. This control matrix will serve as the basis for the vendor supply chain security effort – essentially providing a skeleton of the due diligence that you will perform for each vendor. Once this matrix is complete, you can use it to clearly and easily demonstrate the work that your organization does on supply chain security to any auditor or regulator who may ask to review it. In our experience, walking them through the matrix, along with providing them a documented process that you follow to enforce the matrix will suffice to meet most regulatory requirements – assuming of course, that you actually perform the work detailed in the matrix.
 
So – at a high level, how do we assign the controls? I usually start at the bottom of the stack of tiers and define the minimum controls first. Thus (referring back to the tier structure defined last time around):
  • Low Risk Vendors– What are the minimum steps we should perform for each vendor in this tier?
    • Controls Required: Scoping peer review to ensure that the criteria for this tier are met; contract and, when applicable, SLA review by the security team against established guidance & regulatory requirements, approval of financial due diligence team to avert fraud, etc. 
      • Comments: Since there are only isolated potentials for digital risk in this tier, we don’t need to perform cyber-security reviews and the like, or accumulate data we don’t need (which wastes time & resources, etc.). If, for example, this is a commodity or non-impactful application provider, we might review their contract for language around malware free deliverables, code security, patch/fix turnaround times, etc., as appropriate for each vendor and the service or good they provide.
  • Routine Risk Vendors – At this level, I try and think of the controls that I would want for just about any vendor that can impact us or our operations, but that aren’t capable of doing much beyond reputational or regulatory damage.
    • Controls Required: All of the controls of the lower level apply and are required. Any control reviews that are required for regulatory compliance over PII that we share (SAS70, PCI-DSS compliance statements, etc.). Plus, at this stage, I would really like some form of cyber-security assessment, which in this case is MSI’s passive assessment tool (that can be run without the vendor’s knowledge or permission) run against them on a yearly basis with NO HIGH RISK issues identified. If a HIGH RISK issue is found, then they would be flagged and would need to have a formal technical review of their security controls performed or even our traditional risk assessment process. Any deviance from the accepted controls would require a signed risk acceptance variance from a management team or steering committee, as an example.
      • Comments: Here, we are defining the basics. What do we need for most vendors that could hurt us? We try to keep the process as simple as possible, so that we can focus on the vendors that have higher risk of actually hurting us and our business. The use of passive assessments here is a powerful new approach to reduce the number of full fledged risk assessments that we need to perform, and the overhead created by dealing with the paperwork and interactions to complete the traditional risk assessment process.
  • High Risk Vendors – Here we build on the controls below for normal vendors to try and achieve a balance between work load and information security needs. We define a level that exceeds best practices and serves to give us more confidence in the vendors that could hurt us at a significant level.
    • Controls Required: All of the controls of the lower levels apply and are now definitely required(no variances accepted at this level for the basic controls defined for lower risk levels). In addition, we need to provide ongoing assessment of the vendor’s security controls, so a passive run is now required without any HIGH RISK findings on a quarterly basis. This is to help us combat control drift and control entropy in the vendor’s security posture. If at any time, a HIGH RISK issue is identified, then a FULL and COMPREHENSIVE risk assessment is required as soon as possible. This risk assessment should include the review of the vendor’s third party risk assessments, vulnerability assessments & penetration tests (these should be provided to us by the vendor, within 3 business days of the request). Failure to pass this risk assessment, respond properly or any significant issues identified that are not mitigated in a timely manner should result in financial and legal consequences for the vendor and their contract with our organization.
      • Comments: Again, we are trying to reduce the incidence of full risk assessments, so that we can focus our attention and limited resources on the vendors that can hurt us significantly and are in the worst security postures. Further, we create an incentive at this level for them to comply and respond rapidly.
  • Critical Risk Vendors – These are the vendors that can REALLY hurt us, so we spend a majority of our attention and resources here. 
    • Controls Required:  All of the controls of the lower levels apply and are now definitely required(no variances accepted at this level for the basic controls defined for lower risk levels). Additionally, passive assessments are now monthly in frequency (or maybe even weekly, depending on your paranoia/risk tolerance). Ongoing monitoring of target threat intelligence data is also required – so we are having MSI monitor social media/public web/deep web/dark web for any events or indicators of compromise that might emerge and be related to our vendors in this tier. At this level, we are performing the full comprehensive risk assessment process on a yearly basis, in addition to the passive work of MSI. While this is tedious, we want to ensure that we have provided the utmost effort on these vendors that can truly hurt us at the most damaging of levels. We can now do this easily without taxing our resources, thanks to the tiering architecture and the use of the focus points provided by MSI through our passive assessment and other services. Any identified MEDIUM or HIGH RISK issue flagged by MSI results in the immediate triggering of an update to the risk assessment process, notification of the vendor for the required response of their security team leadership, and the potential requirement for a formal incident response process for the vendor – which we manage by requiring the delivery of an incident response report and/or attestation by a third party security firm that the situation was mitigated and that our IIP was protected. Failure to pass this risk assessment, respond properly or any significant issues identified that are not mitigated in a timely manner should result in SIGNIFICANT financial and legal consequences for the vendor and their contract with our organization.
      • Comments: Here we leverage ongoing monitoring and take the lead on watching for potential compromises for ourselves and our vendors. Given the large percentage of breaches reported by third parties, we no longer believe that the detection and response capabilities of any partner organization are strong enough, alone, to protect our IIP. Thus the increased due diligence and oversight for the vendors that can hurt us the worst.

As you can see, building from the ground up makes leveraging the tiering process easy and logical. In the next post we will show you an example controls matrix we use to demonstrate and discuss our vendor supply chain security process. Over the years, we have found the matrix to be a powerful, auditor/regulator friendly tool to show clearly and concisely the due diligence process for vendor supply chain security. We hope you find it useful as well. Stay tuned! 

Sorting Vendors into Tiers

Previously, we reviewed some ideas around vendor discovery and laid out an example workflow and process. We also defined some tools and approaches to use for the task.
 
Once you have the vendors in your supply chain identified, and have obtained and cataloged the relevant data, the next step we suggest is to tier the vendors into levels to make it easier to classify vendors into “object groups”. Once we have the vendors sorted into tiers, we will discuss how to assign required controls to each tier in an easy to manage manner. This greatly simplifies the processing of future vendors that are added to the supply chain, since you need only identify the tier they fit into and then use the control requirements for that tier as your basis for evaluation and risk assessment. 
 
Vendor tiering, done properly, also makes assigning vendors to a given tier trivial in the long term. Our approach, as you will see, provides very clear criteria for the levels, making it easy to add new vendors and simple to manage vendors who change status as the supply chain and product lines evolve.
 
In our suggested model, we have four tiers, comprised as follows (using a product manufacturer as an example, obviously, other types of firms may require alternate specific criteria, but this should serve to lay out the model for you use as a baseline):
 
  • Critical Risk Vendors
    • Criteria: Mission critical “information intellectual property” (IIP) assets are shared with this vendor, where the assets represent a significant portion of the market differentiator or research and development of a product line OR the vendor’s IT operations are critical to our just in time manufacturing or delivery model – that is – ANY outage of the vendor’s IT operations would cause an outage for us that would impact our capability to deliver our products to our customers
      • Examples: Compromise of the IIP data would allow duplication of our product(s) or significant replication of our research; Outages or tampering with the vendor IT operations would impact manufacturing line operations, etc.
  • High Risk Vendors
    • Criteria: Non-critical IIP assets are shared with this vendor such that if said assets were compromised, they would represent damage to our long term product & brand strategies or research and development. Actual product replication would not be enabled, but feature replication might be possible. Outages of vendor’s IT operations at this level, if protracted, could impact our research and development or ability to deliver our products to our customers.
      • Examples: Breach of this vendors network could expose the design specs for a specific part of the product. Compromise of the vendor could expose our future marketing plan for a product and some of the differentiating features that we plan to leverage. If the vendor’s IT operations were disabled for a protracted time, (greater than /48, 72 or 96/ hours), our capability to deliver products could be impacted.
  • Routine Risk Vendors
    • Criteria: Non-critical IIP assets may be shared with this vendor tier, and compromise of that IIP may be damaging to our reputation. The IIP, if compromised, would not allow duplication of our product lines, research or differentiators of our products. In addition to reputational impacts, share of data that could impact our sales pipeline/process and/or other secondary systems or processes may be expected if breaches occur at this level. Regulatory or legally protected IIP also resides at this level.
      • Examples: Organizations where customer data, sales & marketing data, employee identification information, etc. are shared (outsourced payment, outsourced HR, etc.) are good examples here. This is the level of risk for any vendor that you share IIP with, in any form, that does NOT immediately empower delivery of your products or impact your longer term R&D efforts or market differentiators… 
  • Low Risk Vendors
    • Criteria: This tier is for vendors that we share NO IIPwith, in any form, and vendors that could not directly impact our product delivery via an IT operations outage in any way. These vendors, should they experience a breach, would result in little to no impact on the reputation or capabilities of our firm to operate.
      • Examples: Caterers, business supply companies, temporary employment agencies, hardware and software vendors for not manufacturing systems, commodity product or component dealers, packaging material suppliers, transport companies, etc.
 
Building such a tiered approach for your vendors creates an easy to manage way to prioritize them. The tiered approach will also be greatly useful in mapping groups of controls to the requirements for each tier. We will cover that in a future post, shortly. 

Ideas for Vendor Discovery

One of the most common issues in supply chain security is in identifying vendors initially and then in maintaining their status over the long term. To answer that challenge, here are some ideas around creating initiatives to answer those needs that we have seen work over the years. This post will focus on identifying vendors and refreshing vendor lists. Another post will discuss suggestions for creating vendor tiers and sorting vendors based upon various criteria and mapping that to controls for each tier.

 
Getting Started:
 
The first step in identifying your vendors and beginning the supply chain security process is to establish responsible parties. Who in the organization will be responsible for establishing the program and who will be responsible for oversight of the program. Who will the program report to, and what data is expected as a part of the report. This is often assigned to the company’s risk or security department, where available and flows upwards through their management chain to a steering committee or chief executive. In some cases, where security or risk functions don’t formally exist, we have seen supply chain security tasking as a part of either legal or operational teams. Rarest of all, and the least successful in our experience, is when it is assigned to members of the accounting team – mostly because they often lack sufficient technical and risk assessment skills to perform the work optimally.
 
Creating Data Boundaries:
 
Once you know who will do the work, the next step is to establish boundaries and the underlying mechanisms you will use to manage the data. In small companies, this might be as simple as a spreadsheet. Mid-size companies often build a small database or Sharepoint repository to hold the data. Large firms often use modules in their enterprise data platforms to manage the data. How you will manage the data though, irregardless of your chosen platform, is much less important than setting boundaries about how far back in the vendor supply chain you will go. In our experience, this is an area where organizations often damage their success early by trying to target too large a portion of the vendor population or using too much history. Our suggestion is to use only vendors that are currently serving the company, and then to pick a criteria such as “criticality to just in time delivery”, “line operations criticality”, gross spend or criteria that reflect the potential for large impacts to your operations or central valued assets. For example, if you have vendors that provide raw materials to your factories, and downtime of the line is a significant threat – then focus on those critical suppliers to start. If you are a bank or credit union and you outsource item processing or marketing to your clients/members to a third party – then these vendors could impact the core value of your business – the trust of your clients, so start there. To begin, start by identifying the top 10 or 20 vendors in this group. That becomes the working list to begin the process. 
 
Gathering the Data: 
 
Now that you know what vendor data you need and what the boundaries are, how do you actually gather the data? In most cases – the process begins by working with accounts payable to obtain their ranked and sorted list of vendor payees. A quick hint here is to check with your disaster recovery and/or business continuity team to see if they already have the data and have vetted it. In many cases the DR/BC folks have done the basic footwork – so you may be able to leverage thier processes, data and systems. Either way, once you get the list, it is advisable to do a rationality check with the various lines of business using the vendors. In many cases, their feedback can help you make sure that what accounting says is critical agrees with their operational sense of the world.
 
Once you have the data, and get it processed it into your systems – you will next want to establish a workflow on how you will use the data, what baselines you will use, etc. We will cover that shortly. 
 
Be sure to the document the collection processes you used, and create a periodic refresh process for the data based upon it. Optimize that process over time to expand scope, reduce time between updates, etc. Eventually, most organizations settle on monthly or quarterly updates vendor data, and then sort their vendor assessment efforts based upon tiers. Using and refining such a process will go a long way toward reducing your supply chain risks over time.