"I've been in the security business for 25 years. The industry spent the first 20 of those developing perimeter security products. Then five years ago, we simply let everybody in, building an ecosystem of third-party vendors and service providers that are now part of our federated enterprise," says Mo Rosen, COO, Xceedium.
Once attackers compromise these small organizations, they gain access to the large enterprises those small companies serve. The trust relationship that a big enterprise shares with its small vendors manifests itself in the networking and communications technologies that bridge the organizations and pass data between them with a degree of acceptance and approval. The large enterprise network errantly trusts the attackers' manipulations as though they were approved behaviors of the small business.
The enterprise saw how a lack of emphasis on security by third-party POS and HVAC vendors turned those vendors into vulnerabilities for the large retailers that used their services. CSO reveals how these small enterprises share their vulnerabilities with large customers and how those big companies can push back.
A case of the malware measles
It is not uncommon for small vendors to let the robber in through the back door (a Trojan horse, literally or figuratively) and out the front door into larger concerns. Such is the case with the Managed Service Provider (MSP).
"The MSP installs computer updates and manages and fixes software, typically manually, from their office," says Kevin Jones, senior information security architect, Thycotic. When an attacker infects the MSP's network, that infection is communicable to the large enterprise customer through the remote access connection, which is a common bridge between big business and small vendors.
Without a great deal of preparation and care, it is hard for the large organization to differentiate between an attacker and the MSP. "The MSP becomes the weak link in the large enterprise's security chain," says Jones.
How small companies make infection easy
Small companies open the door to attackers through a variety of insecure practices. Small businesses delay security updates and patches because of a continuing concern over the quality and reliability of updates, particularly updates for Microsoft Windows and Office products. "A lot of the updates break Windows and Office, and that impedes the business, which affects the bottom line," says Jones.
Businesses will often wait a month to hear what happened to other companies that applied the latest updates before they risk using them. In the meantime, the companies that wait become infected by attacks that leverage those unpatched vulnerabilities. Deciding whether to apply the updates or wait is a 'damned if you don't, damned if you do' scenario. The large enterprise that trusts traffic from bedeviled businesses that delay patching is damned along with them.