Third Party (Vendor) Cyber Risk Management Rears its Ugly Head AGAIN!
This seems to be a recurring topic, but it doesn’t seem to be getting any better, so I will leap back into the fray.
Last month Ticketmaster announced they had a breach and they led people to believe that it was isolated and that it had something to do with their software.
According to RiskIQ, the breach at Ticketmaster is due to a third party vendor named Inbenda, but that is just one vendor affected – the one that Ticketmaster uses.
Tools that may be affected or infected include Magento, Powerfront and Opencart. Payment services including Braintree and Verisign may be being targeted.
The attack has been refined over time since 2016.
RiskIQ has identified 800 infected websites including some from very big companies.
Magecart, which is what they are calling the attack itself, continues to expand and some of the infected tools could capture 10,000 victims at a time.
So what do YOU do?
First of all, you need to identify all of the third party software that you use and that your contract developers use. This includes software that is integrated into the various software products and tools that are installed on the servers where the products run. It doesn’t matter if the software is commercial or open source.
Then you need to create a vendor cyber risk management program. That will measure the overall cyber security awareness and preparedness of each vendor.
YOU need to make sure that these vendors are on top of bugs in their systems and then you need to make sure that your IT and development teams have created a way to be alerted BOTH when bugs are found and then when patches are released.
Finally, you need to make sure that ALL patches are installed on all machines. Depending on the piece of software affected, it may require a completely new build from the vendor and then a reinstall of the product. Make sure that you understand what is required because it may not be obvious.
Then, of course, you need to test the patch to make sure that it really fixed the bug. They don’t always!
If this seems like a pain in the &^%$#, it is. Sorry.
And, you need to do this for each software product from each vendor. On each computer on which it is installed.
That is why many companies don’t have a vendor cyber risk management program and why many companies get caught in breaches like this. Sometimes they don’t even know that they are vulnerable or that they have been compromised.
Information for this post came from RiskIQ.
This is a great article! Information I can use with my Stakeholders to stress the importance and support our Vendor Management efforts. Thank you!