Third Party Risk Management in Light of Hezbollah and Twilio Attacks
I know I sound like a broken record, but as businesses start to improve their internal security, attackers focus on compromising businesses’ supply chains.
In the case of the Hezbollah attack, the attackers must have, somehow, known (a) that they were buying new walkie-talkies and pagers, (b) who they were buying them from, (c) when they were buying them, (d) whether the supplier was compromisable, (e) when they were being shipped, (f) how they were being shipped and (g) how the shipment could be hijacked undetected, at least by the recipient.
Also, they needed to understand how to booby-trap the devices.
All of that took some time to do – maybe a year. This was likely not a spur-of-the-moment attack.
Obviously, the attacker didn’t need to know all of the above, but some combination allowed them to insert explosives and malware into a very small device and detonate them in sync with each other.
In the case of the Twilio leak, it was a much more classic attack. A company outsources call recording and transcription to a third party. Some of you probably do that with vendors like Google (Meet), Zoom (Meetings), Webex, Microsoft (Teams) and dozens of others. If we do record calls, they are encrypted and stored with strong access control permissions.
You hope that your call recordings are secure. We do record many calls, but for the most part, we do it locally so there is no third-, fourth- or fifth-party risk. We do this in lieu of using a notetaking plugin, which does carry third-, fourth- and higher-party risk.
In part, the risk is amplified because these companies outsource the transcription, or at least the part of it that can’t be handled by automation, to third world countries where this very labor-intensive task is handled by low-wage, and even contracted, labor.
So you have THIRD PARTY risk, say for example Google Meet recordings/transcriptions; Google outsources the work to a contractor in, say, India, which represents FOURTH PARTY risk; that contractor may then hire its own subcontractors to do the work, representing, again potentially, FIFTH PARTY risk. Some companies have their own employees in these third world countries, but augment those employees with contractors. It is all a black hole to you.
All of this for you to get a recording or a transcription of a Zoom-like call – which is very useful to you.
I am sure that all companies understand this risk and consider it when they are speaking on a call. Maybe not. And even if executive management does understand this, I am also sure that every employee understands the risk and manages it according to all contract requirements and acceptable business risk.
In the case of Twilio, who does this at scale, a hacker claims to have the data from 12,000 customer calls. This includes a massive amount of metadata as well as, in many cases, a recording of the audio of the call itself. Credit: Hackread
At this point we don’t know who the customers are or what the content of the call audio is, but I suspect we will be hearing about breach reports to Attorneys General soon. If the calls include customers calling health care providers, we may also see a new record on HHS’s “wall of shame”.
While you may be able to sue somebody, that really doesn’t help you much and it won’t stop your customers from suing you.
Even more difficult, in many cases, you really don’t know if a company like Google or Microsoft is outsourcing the transcribing work and whether there are fourth or fifth parties involved.
If you don’t have a corporate policy about this, you should consider creating one. If you need help with that, please contact us.