Though Depeche Mode was singing about personal relationships – those of you who know your music will know that my title is a lyric, not the title of their song – this is the core of information security for good and/or bad.
As with all of my post-mortem writings, I’m not here to blame. I’m here to learn from what happened with the Kaseya VSA attack, and hopefully find some lessons we can all take away from the situation.
Kaseya and their Downstream Customers
Kaseya was targeted, like Solar Winds before it, in part because companies trust their product, because they’ve built a business on providing useful software products to the marketplace. Much the same way Ford and Honda did with vehicles, or the way that Heinz and Kraft have with food products. Whatever mix of desirable product and agreeable price, they’ve all found their way in the market.
Managed Service Providers (MSP) TRUST Kaseya’s products to help them manage the IT infrastructure for their clients. Their clients, in turn, trust their MSPs to keep their IT systems running smoothly and safely. Coop, the Swedish grocer mentioned as one of the far-end victims of this tragedy, didn’t likely perform due-diligence against Kaseya before choosing their MSP, and why would they? Why SHOULD they have to? When I purchased a Honda product years ago I didn’t do any research into their airbag supplier before buying the car – why would I have? For that matter, how would I have possibly discovered that the airbags had a flaw in them, it isn’t like I’ve got a crash-test lab in my basement or anything. I trusted Honda, and by association, I trusted their airbag manufacturer.
I’m stuck trusting them, just like I’m stuck trusting that Kraft properly sanitized that tasty block of cheddar I just purchased from my local grocer. It isn’t like I have a biology lab in my attic to test samples before I eat that cheese. I’ll still trust Honda, even after 2 recalls to get my airbag replaced/fixed.
Trust and Security – Why It Matters Now More than Ever
But it seems like we may need to rethink the meaning of Trust when it comes to information security. Oh sure, I’m willing to bet that those MSPs have some punitive recourse they may exercise against Kaseya, and I’m sure their customers also have some punitive recourse they can exercise against the MSPs. But those are about recovery.
Those recourse pathways won’t help right now when the grocery store is closed because the cash register system is compromised. They don’t help when the customers shift to another grocery chain, perhaps never to come back. The reality is that a company like Coop can’t just up and change MSP’s by Friday this week; that’s the equivalent of having a marriage go bad over a weekend, getting a divorce started by Monday, and being remarried by Friday. You’d be lucky to get the divorce filed by Friday, let alone all those other not-so-trivial bits. And let’s not kid ourselves: ending the relationship with any significant service provider – Saas, Paas, Iaas, MSP, etc. – is akin to a divorce as there will probably be lawyers, maybe judges, an awkward dating period, division of property, moving all your stuff (data) out of the proverbial house… and that’s if you can even take your data to the next provider.
And of course, what company has the resources to fully vet not only their service provider but that provider’s supply chain? Virtually none, just like the everyday consumer.
That leads to another important fact: those examples I shared earlier about Honda and Kraft? It turns out we have governmental bodies who set standards and define penalties and recourse on the industries both of those companies are a part of. Honda has to answer to all manner of state and federal laws about their products, many of those focused on the safety of the people in the cars. There is a government defined recall process in order to take care of the really egregious stuff, like faulty airbags. Food manufacturers operate under strict rules as well. At least, in comparison with software companies and IT service providers. And, frankly, that government oversight provides a basis for at least a measure of trust.
Airbags Shmairbags, What Can We Do Right Now?
Here are a few things you can do right now to begin demanding more accountability – and generating more trust – from your suppliers and partners where possible:
1. Who is testing and auditing your technology partners?
We all know that not all testers are created equal. Some are more skillful, some are more stringent. Some are more “accommodating,” and I think you know what I mean by that. So when you require that PCI AOC and certified proof of penetration testing, have a look at who did it, and what THEIR reputation is.
2. What account privileges and recommended permissions does that software package really need?
Read-only is relatively benign. Local administrator is a concern. Domain administrators should cause lots of warning bells to go off in your head, and so-on. And if a modern piece of software tells you to “whitelist” it in your AV and other systems, you want to think about doing the whole endoscopy before agreeing to that.
3. Are they enabling you to segment your network so that their server/container is separated from the rest of your environment?
Port- and protocol-based controls may be out of vogue these days, but they’re still the foundational basics for any effective security program.
4. If they write software, what type of security governance do they have in place for both the SDLC and software publishing controls?
From 3rd party testing, key management, code promotion, the approval process, and any security credentials, like SOC 2 Type II — you need to investigate all of it.
5. What customers are you in the supply chain of that may be affected by a security event in your network?
Realize that if you’re going to demand your suppliers be ready to address these things, you need to be ready to do the same for your customers and partners. After all, it’s a question of trust.
6. What are you hearing from your own InfoSec Team?
Has your team been warning you about fundamental issues that you’ve deemed too costly and too low risk to address? While I appreciate that security teams can often act like some of the most frustrated people in your workforce, this is a great time to check back in with them and encourage them to help you reevaluate and reprioritize your security shortcomings to protect your own brand reputation as well as your customers.
Establishing Trust in Supply Chain Security
No, these suggestions won’t magically make everything better. But the questions are relevant, and we owe it to ourselves, and our customers, to spend more time and energy on these things, especially now. With that part addressed, maybe these catastrophic, avoidable security breaches will start to wane, and we InfoSec professionals can spend holiday weekends focused on anything BUT trying to dig out of a major supply chain related InfoSec crater, like the 2021 Fourth of July weekend dealing with Kaseya VSA.
By the way, if your team is still working weekends and holidays, deepwatch can help. With Managed Detection and Response, you get an assigned Squad who works with your team to manage security alerts and investigations 24/7/365, relieving you and your team to focus on overall security initiatives.
- Takata Airbag Inflator Recall Information – https://hondanews.com/en-US/takata-airbag-inflator-recall-information
- Kaseya Failed to Address Security Before Hack, Ex-Employees Say – https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say