It comes as no surprise to read that an ‘Advanced Chinese hacking campaign infiltrates IT service providers across the globe’, following the announcement a few days earlier from the UK National Cyber Security Centre of ‘Global targeting of enterprises via managed service providers’.
Whilst the UK National Cyber Security Centre confidently states ‘We have no evidence to suggest these actors are targeting the general public or SMEs’, it goes on to expose the weakness of any conviction in those words by then stating, ‘We assess the ultimate targets are customers of these MSPs’. The truth is that those customers probably comprise more SMEs (Small and Medium Enterprises) than larger companies. As I have written about before (‘Cyber Security & EU GDPR implications for SME’s’), SMEs are the soft underbelly of national economies: increasingly dependent on technology for efficiencies and competitiveness, and woefully ill-attuned to the necessity for Cybersecurity.
The point of this missive is not the targets/victims of these crimes but the silent, unwitting accomplices who are questionably unaccountable. Those accomplices are the software and hardware IT companies and their technology overlords who, in ignorance or, more likely, for economic priorities, turn a blind eye to security for commercial expedience. All bar a handful hide behind a mash-up of standards, models, frameworks and other heavily caveated, self-certifying distractions from the truth, ending in a thicket of legal jargon. The truth being that their practices, products, services or certified partners and resellers are NOT as secure as they would wish the customer to believe, yet they are happy to allow customers to believe so in ignorance.
What prevails is the contract law principle that controls the sale of assets, ‘Caveat Emptor’ (Latin for “Let the buyer beware”), which has never been more poignant as a disclaimer of warranties than in this scenario. ‘Caveat Emptor’ arises from the fact that buyers typically have less information about the goods or services they are purchasing, while the seller has more. This situation is also known as ‘information asymmetry’, whereby defects in the goods or services may be hidden from the buyer and known only to the seller.
In our hyper-connected world, where the defect scenarios get magnified exponentially as soon as you hook something up to a network, the only way anything gets to market today is through such conservative truths. Just reflect on how immature Internet of Things (IoT) devices are flooding the market (‘Internet of Things’ (IoT), Convenience or Calamity?). The perverse thing is that this accepted norm in the increasing complexity of modern commerce is fundamentally flawed, placing the buyer at an unfair disadvantage. Buyers are now forced to rely more and more upon the skill, judgment and honesty of the seller and manufacturer. That is a reliance the IT industry can no longer take advantage of and retain credibility. It is only possible to build on sand for so long, as the market works frantically at keeping ahead of the game. He who survives the bear is the one who can run faster than the person next to him. This means everyone has to get faster at fixing problems; few seem to be getting smarter. Unfortunately, we have the equivalent of a lot of very unfit customers (thinking they are getting fitter) leaning on obese IT vendors in a mutual forlorn hope. All compliant cannon fodder to the supreme athletes in the digital arms race, the hackers.
“Do or Not Do, Do not Try”
…… as the suitably digital fictional character Yoda might say!
Vendors may be trying, but they are failing because they do not accept that they don’t even know the full extent of the vulnerabilities they are selling. Much of the technology being sold today is built on the principles of ‘abstraction’ and with features dependent on third-party system or service ‘interactions’. For example, the firmware in a security device may be:
- Built using a cut-down version of an operating system from Windows, Apple Mac OS X, Linux, Android or Cisco
- Programmed in a language written by another, such as .NET (Microsoft), Swift (Apple) or Java (Oracle), amongst a multitude of other languages that lack any definitive ownership
- Using code libraries that may be sourced from yet further removed entities or open source resources
- Providing APIs (application programming interfaces) to allow third-party systems to interact with it
- All put together in a development environment that lacks some of the most basic Cyber hygiene practices
As these resources become further removed from the discipline of mainstream vendors, and with little control over the unexpected consequences of third-party systems that could interface with them, quality control is questionable and accountability is contracted out through the thickets of end user legal consent agreements. A veritable Frankenstein architecture of building blocks that, to cap it all, often lacks any automated update or end user ready maintenance mechanism. The parade of security patches that appears to accompany every product launch, staring us in the face, should be evidence that all is not quite right.
Now add to the complexity of this underlying technology soup ‘SoftPower’, whereby the preferences of others are shaped through appeal and attraction by Big Brands. This Big Brand impetus ‘lends’ values and resources to Partner organisations to establish technology platform ecosystems and customer dependencies. In so doing, the waters of accountability get murkier for buyers. Is it any wonder then that customers only see the big brand names, when in fact the reality can be very different? It is only a matter of time before that tactic starts to turn bad if those big vendors do not start to drive a behavioural change down into their ecosystems.
The product from these vendors is just one side of this story. The UK National Cyber Security Centre’s announcement starts to scratch the surface of the truth as to why technology companies are such attractive targets for hackers. IT software companies are in their majority SMEs, themselves challenged in the economics and mindshare departments when it comes to Cybersecurity, their practices often prioritising expedience over prudence. The production environments of the software and firmware that make up our digital world are poorly policed:
- User workstation accounts set at full administrative privileges
- Networks that have limited internal traffic monitoring and protocol controls
- Firewalls with only inbound constraints
- System patch management that is not up to date because of the risk of impact to development environments and build states
- Malware prevention disabled on workstations because it prevents developers emailing active components to each other
- Prolific use of unregulated cloud services in the name of expediting software production and testing
- Limited background checks on contractors
Each item on this list is a failure of basic Cyber hygiene best practice: some of the simplest measures to implement and basic controls that all organisations should adopt to mitigate the risk from common Cyber threats. Imagine drugs being produced in unsanitary laboratory environments and you start to get the idea, because these are the production environments for software and firmware that ends up in larger companies, with shared access to the associated data resources and systems.
Is it any wonder that organised crime, applying their prudent economics to the challenge of hacking, see a rich surface area for attack that not only simplifies their task of compromising an organisation but increases their efficiency? As they contaminate one software house they gain access to the software code and firmware of many companies. Slipping in undetected and injecting into trusted code their own malicious code as backdoors or call-home command and control features, just like a Digital HIV (D-HIV). Helped, of course, by the trend for DevOps practices that aim to accelerate the building, testing and releasing of software more rapidly, frequently and reliably. Reliably should not be misinterpreted as secure. This new operating model is often employed in conjunction with Agile software development methods that leverage the scalability of cloud computing in the interest of making companies more nimble and competitive. However, the approach as it is typically practised today does not implement security effectively. This is because it is more of a people and process problem than a technical one, demanding that everyone thinks about security in a more granular and integrated way and reaches across the silos of the common development process. A subject for another blog.
“Quis custodiet ipsos custodes” (Who will guard the guards themselves?)
Relying on regulation to turn this state of affairs around is perhaps more hope than reality. Regulation has been heralded in the past as the catalyst for change and the foundation for new business opportunities, only for such aspirations to wither in time. Whether the EU GDPR (General Data Protection Regulation), coming into force on 25th May 2018, follows this course, time will tell. Its unique nature has the prospect of a different outcome. An indicator of this is the UK Government’s announcement that it will use GDPR across ALL Cyber data security activities, NOT just those relating to Data Subjects (living individuals about whom data is held, i.e. everyone), which would be a game changer. For example, its mandatory data breach notification obligations, backed by eye-watering fines, mean breaches will have to be reported, which will turn a spotlight on the subject. As these breach incidents become more visible, the causes of these breaches will be open to greater analysis and the inevitable retribution that tends to follow when causation can be identified.
Welcome to the Supply Chain horror that is coming to a Big Co. near you under the guise of Certified Partners to the big IT Vendors: Microsoft, IBM, Apple, Amazon etc. A horror that has the makings of a Blockbuster, as many of these IT software and managed service organisations live off the backs of their bigger masters. It comes as no surprise then that a customer’s perception and expectation is managed by this Big Brand association when they make a purchasing decision. Just look at a few tender documents and you will see statements to the effect – Certified [INSERT BIG BRAND NAME] Partner required.
The question is whether large brand IT companies with established partner ecosystems can risk not taking matters into their own hands to some degree and start applying their own expectations to the practices of those they accredit. Especially those Certified with titles such as ‘Security Partner’, when all that means in practice is that the Partner organisation has passed a test on a discrete piece of vendor technology, and the Partner organisation’s own security and data privacy practices are not taken into account. I suspect that’s not how the end customers read the accreditation.
I wonder how many IT vendors with large partner ecosystems have extended their risk impact assessments into this dimension of their supply chain, further than the sloping of shoulders of any accountability baked into their Partnership agreements. Agreements that customers simply don’t have on their radar. Time perhaps for ‘Security Partners’ to become really Secure Partners.