
BSidesYXE 2024 - TJ Obugesan - The Unavoidable Risk of Third-Party Partnerships

BSides Saskatoon · 34:21 · 22 views · Published 2024-09
About this talk
Our second talk from BSides Saskatoon 2024, on August 24, 2024: TJ Obugesan's talk "The Unavoidable Risk of Third-Party Partnerships: Strategies for Business Resilience". Check TJ out at: https://www.linkedin.com/in/tj-odugbesan-cissp-cism-gslc-ccie-itil-mcp-ccna-91249329/ BSides Saskatoon: https://bsidesyxe.ca Our LinkedIn: https://www.linkedin.com/company/bsidesyxe/

Transcript (en)

I remember when I moved to Saskatoon 7 years ago, you know, with my security mindset, I was looking for a community like this to connect with, but I couldn't find one. I had to go all the way to Manitoba, which is the closest, that's what I believe. But I'm happy today we are establishing the ground, and I'm very, very happy that we are moving, you know, to the greater height. All right, we want to talk about, you know, risk management as it relates to third party, supply chain and all that. You know, we have all been hearing a lot of things happening these days: lots of organizations, businesses are disrupted, whether through malfunctioning IT systems, just like we had for CrowdStrike, or through attackers, you know, leveraging vulnerability in people, in process or in technology and using that to impact our organization. So I like the fact that Adam first talked about impact, you know, which is the key word when we talk about risk management. I love the way he defined it, but I'm going to define it differently but very, very similar, right? I consider risk as, you know, the probability that a threat actor is going to exploit a vulnerability in our systems, and the impact on our organization. So we're going to be talking about third party risk management and what businesses should do.

Who am I? I need to set my time here. Well, if you're going to take anything away here: I embrace diversity, I love equity and I also encourage inclusion, so please help us to push this mantra forward. I'm one of the cybersecurity leaders, you know, I pride myself to say that, because I've invested a lot of time in this profession, and I will be sharing my expertise and experience. I also encourage people who are joining cybersecurity, who want to develop their career in cybersecurity; at least, I would say, in a week I spend 6 hours with people mentoring them, every week six hours mentoring them on how we can have a better cybersecurity profession.

So let's talk about third parties. Who are your third parties? Today, you know, there is literally no organization... you know, that might be wrong... there is literally no organization that can exist on their own, right? Either they use one software, they use a computer. You know, your third parties are consultants, if you use consultants in your organization; if you use any vendor; if you outsource anything to any partner; if you use contractors; if you work with any agencies; if you use managed service providers or managed security service providers, those are your third parties. If you have anything that you don't make, you have to buy, or people have to provide for you, you've got suppliers; those are your third parties. I'm going to be using supply chain, third party, vendor interchangeably throughout this conversation, please bear with me. All these third parties are entry points for our organization. The reason is that attackers don't just attack us. If you look at the attack chain, you will see that the first point is the entry point, initial access, then it goes all the way to compromising your system. So every third party you add to your organization, you are introducing another entry point for the bad guys to get access into your environment and probably infiltrate them.

So do you remember this? You know, for the guys that couldn't see, Nishia sitting at the back: in 2021 Microsoft was breached, and they were breached by these guys. Any organization, any organization using Microsoft Exchange, they suffered an attack sometime in 2021, if their system was relying on Exchange, if your email communication was relying on Exchange. Another one: there has been so much news out there, you know, when I started to count I lost count. I just said I'm going to pick a few and discuss them in this conversation today. Toyota had to suspend 14 of their manufacturing plants back then in 2022 because they suffered a third party breach. Not only that, we all know ransomware, we all know the SolarWinds attack, you know, about 18,000 customers were impacted, including government agencies. So these are things that the attackers are leveraging. If the attacker sees that you have built a very strong wall around your organization but you have not done well in third party risk management, they will look for that weakness in the supply chain and take advantage of it. SolarWinds, you know, is a monitoring tool. Of course we want to monitor our critical assets because they are very, very critical to our business operations. For us to manage our risk properly in the organization, we look at our critical business processes, we look at our critical systems and we look at our critical data. For an attacker looking at how do I get into this organization, one of the entry points is, oh, maybe the attacker said let's breach SolarWinds; we are not just going to have access to one organization, we have access to so many organizations, and these organizations are monitoring their sensitive systems, which have access to maybe sensitive data, through this system. If we are able to breach it, we have access to the kingdom. And guess what happened: 18,000 customers were impacted during this breach. You remember the Okta breach as well was also in the news, where all data in their customer service support was stolen by attackers.

There is so much news, and I got tired, and I'm like, okay, what case study can we discuss today, and what assets will the attacker have that will be of interest to us today? I looked at, oh, Uber was also breached back in 2022. Uber breached, again, again. How are we going to do it, what do they have access to? Let's look at what happened in the Uber breach. First of all, there is a gang called Lapsus$. The Lapsus$ gang compromised Uber's contractor's account. So for many of us that use contractors, Uber does the same thing because it could not exist on its own, so they have their contractors, and the attacker compromised the third party's credentials. And what happened after that? It was not so easy to compromise the third party credentials because they have put some level of control in place. There is MFA that is in place; even though you steal the username and password, then you have to find a way to break the MFA. Unfortunately for the contractor, they suffered what we call MFA fatigue. How many of you here use or have used MFA before, where you have to click on approve, right? So what did the attacker do? They were constantly bombarding the contractor. Having gotten the username and password, they still needed to get a way to bypass the MFA. They bombarded, and the contractor mistakenly just clicked approve, boom, and the threat actor gained access into Uber's system. And the system they gained access to is another very sensitive system that is controlling all their privileged credentials, which is their PAM solution, privileged identity management system. So you rely on another third party to keep your credentials somewhere, and you have several controls. That's why zero trust... I agree with zero trust 24/7, you know, it's not just looking at a condition being met, it's looking at the context: oh, where is this computer coming from? Has this computer come from this location in the past? I don't trust it, I need to reauthenticate this guy. Assuming they had implemented maybe zero trust, maybe the system could have, you know, challenged the access; the attacker would have to use MFA fatigue to gain access the second time, the third time as they move around, you know, within the premises of Uber. I said game over, because if you have gained access to privileged systems, guess what the bad guy had access to: he had access to Uber's Google Workspace. This is a screenshot that was shared, you know, online by the threat actor. He also had access to their AWS instance. You know, just imagine, this is where all your workloads are kept. You know, in your workloads there are so many applications, so much data that is in one system or the other. They gained access to that, they shared the screenshot. Not only that, the endpoint security solution that could have prevented the bad guy, you know, from moving further, they also had access and shared the screenshot online. They didn't stop there; they had access to the VM environment of Uber. It's just like having access to the core infrastructure. What else? Why? Because the key component, the key system in the process, has been compromised, which is the PAM solution.

Similar to the PAM solution that was compromised, maybe many of us use LastPass. I also use LastPass, you know, and by the time it was compromised they sent me an email. Fortunately for me, I used LastPass for some sensitive information that I want to give access to some of the people that I mentor, to say okay, you want to have access to my lab environment, okay, you can connect through VPN; if you want to have access to the VMware, I mean to my ESXi and all that, okay, you can use LastPass to connect. So worst case scenario, they were going to have access to my lab environment. So Uber did not just have its systems exposed to the threat actor; they had their Slack, they had their communication channel taken over by this threat actor. You can see that Slack was taken over, and those guys had access and they were communicating to the entire Uber workforce. What about the financial data that they had access to? There's a whole lot. So what we are trying to say here is that trusted relationships with third parties introduce our organization to risk.

And if you look at the statistics on the screen here, starting from 2021, I don't know why it dropped in 2021. I was thinking, oh, maybe it was because of COVID, maybe COVID hit the bad guys too, maybe many of them fell sick and they couldn't do what they were supposed to be doing, so it went down in 2021, and in 2022, and you know why this is... you can guess why this is so much last year: MOVEit. How many of us heard about the MOVEit compromise? MOVEit software: many organizations, including many of the big firms, use MOVEit to share sensitive information. They don't just want to share sensitive information through emails; maybe you could have used a better way of, you know, sharing it, but they use MOVEit. Attackers also leveraged MOVEit to have access to sensitive information. In 2023 alone we've got over 2,700 attacks that are a result of supply chain, and some of these statistics can be very, very concerning. This one that we have on that side is just a study conducted by CrowdStrike last year; it's in their report in 2024, studying just two Asian threat actors, the China-nexus and the North Korea adversaries, and they discovered that 250 of the customers they studied have servers that are compromised, 62 customers used trojanized software, and 10% of the customers had their servers receiving malicious software updates.

All right, so how are these guys getting access? It's through third party as an attack vector, supply chain as an attack vector, and we are saying that it is one of the most common attack vectors out there apart from phishing. Why is it common now? Because the attacker feels that if they phish you, they might only gain access to your system, so why would they spend so much effort gaining access to just one organization's system? Why can't they concentrate their effort on gaining access to a vendor that other people depend on? So if they gain access to that vendor's system, they can have access to every other system alongside. So is this a problem? Yes. How do we deal with it? We say it's an unavoidable risk because we rely on partnerships to do our business. Organizations cannot function on their own; they need third parties, and their third parties also need another third party, which is now a fourth party to us. Third parties introduce significant risk to many organizations, and it is one of the means through which organizations can be breached. So we said if you use suppliers, if you use vendors, if you use consultants, you are also at risk.

So let's look at, you know, let's just create a mental picture of how, the more we have suppliers in our environment, the more third parties that work with us, that we depend on to achieve our business goals, how they affect our attack surface. Organizations exist, whether you are a software development company or you are a platform owner, or whichever organization you are, there is an inherent risk. You know, my colleague Adam talked about, you know, risk management a lot here and talked about, you know, risk elimination. Yeah, that is something I'm usually very careful about, you know, the word to use, because I believe that there will always be residual risk. Even as we are sitting down here, there are risks for us sitting down here, right? I try to work so hard to reduce the risk for my organization, you know, based on impact, as much as possible. And for an organization to exist they have their own risk they have to deal with. Now if you introduce a third party, your attack surface begins to increase. You add another third party, your attack surface begins to increase. You add another one, another contractor: the more you add, the more your attack surface continues to increase. And guess what, it did not stop there. You have subcontractors that are working for your own contractor, and as soon as you introduce that, you need to deal not just with third party risk alone; you are going to be dealing with fourth party risk, right? So this makes it so difficult and complex for us, and if we need to deal with it we must have a solid third party risk management program in place.

How do we deal with this third party risk? The first thing we want to talk about is inventory. In cybersecurity we talk about inventory a lot; you can hear Adam talk about inventory, right? Inventory of your assets, inventory of your data, inventory of your third party providers, right? So if you do not know your third party providers... and also know the fourth party providers, but not everything, because we need to take a risk based approach. I'm a risk person. If you are in cybersecurity and you don't use, you know, if you don't use the risk based approach methodology, you might be standing in the way of the business. So I want to encourage as many of us, especially some of us that are very technical: oh, we've got this vulnerability, we have to fix it now. The question is, have you looked at the vulnerability and applied a risk approach to it? What is the priority? Why are you fixing it now? What is the probability that a threat actor is going to exploit that vulnerability, and if exploited, what is going to be the impact? Is it impacting our critical systems? You know, so let's ensure that we have an inventory and we classify our third party providers, the people that are providing services for us. We classify them based on how critical they are in our delivery process, in delivering our business objectives. We have a list of all of them and say, okay, these guys have access to my sensitive information, these guys have access to my critical systems, they have access to my critical data. You classify them: oh, these are high-risk third parties or high-risk vendors. Then you use that approach to classify them into maybe critical, high, medium, low. You have that inventory and you maintain it. For those that are critical to you, you also, you know, charge them, you educate them on third party risk management, you charge them to provide the suppliers or the third parties that are also critical to them, which is now your own fourth party that you have to manage. So not only just compiling the list and classifying them.

For software companies, you know, or organizations that have developers, another thing you need to keep in mind is your developers leverage a whole lot of third party components in their software development process, because of the push, the drive, DevOps, DevOps, DevOps, you know, we want to do things very quickly. They leverage functions in libraries, in external components; they leverage functions even in plugins; they use plugins embedded in their stuff. So all of these things need to be inventoried properly. Ensure that in the secure software development life cycle all the external code, all the external components are being inventoried. There are tools you can use, like SCA, software composition analysis tools, that give you an inventory. And not only just inventorying them, you need to understand the ones that they are calling functions from. They might be using some, and they may be calling a particular function in that library or in that third party component, and the function is not exposed to the vulnerability. So you need to have the list of those third party codes that your developers are using. And not only that, we also need to do an assessment for our third parties, at least an assessment. You know, there are many ways of doing the assessment; we can have, oh, a questionnaire provided, you can use automated tools. Before we onboard them we want to do our due diligence and do a third party assessment for them, understand their security practices. Do they develop... if you're using their software, you should pay attention to their secure software development life cycle and be sure that they are following the best practice. They ensure that security is not just bolted on, it is built in from scratch, where they are doing the requirements gathering, then the design, where you have to do threat modeling, you have to look at the wireframe, you have to look at the data flow diagram. You know, you have to do the necessary assessment, ensure that they are doing that. Not only that, in the development phase they are using tools like SAST tools, static application security testing tools. You ensure that they are using dynamic application security testing tools to test, they are using software composition analysis, they are monitoring all the software that they use.

I was looking at my phone and I saw... I use, what's the name of this application again? I use, yeah, one of the applications, the Airbnb application, and I got to a point and I saw that if you have the Airbnb application on your phone, there is a part there where they list all the external software that they use, now maybe as a result of the SBOM bill that was passed in the United States and in the EU. But there is nothing; I looked for that in Canada, and the only thing I saw was a recommendation, you know, there was no law. But in the US and the EU you are actually compelled, you have to be compliant with that law, but here in Canada I saw just a recommendation; maybe I didn't search well. So it is very important for us to follow through and make sure that all our vendors are following through the secure software development life cycle and they are doing what they are supposed to do.

Not only just doing inventory and also assessing them and making your decision, you also need to monitor them. Monitoring is the one I consider very important, because most organizations, we do third party risk assessments today and we just forget about them. No, we are supposed to, from the onboarding: we onboard them, we assess them, and based on their criticality to our business environment we need to continually assess them. I have done, maybe, third party security programs for organizations, but when I see some organizations that are classified as critical, and the level of access they've got to sensitive business information and sensitive business systems, I categorize them as critical, and we do an assessment for them on a yearly basis, and we monitor them around the year using a particular tool to monitor how they are doing, you know, on the external attack surface. So we need to monitor them and also plan for response actions when they are breached. It is a matter of when they are going to be breached, when the incident is going to happen; it is not if it's going to happen. You must always prepare for when it's going to happen so that you have a better chance, you know, of stopping the incident at the incident level. If you don't stop the attack at the incident level, it's going to gravitate to a breach, and if you are not fast enough to stop it at the breach, it can lead to a data breach. An incident is manageable, but when it comes to a breach and a data breach it is very, very stressful.

All right, so monitoring your third party is crucial. You can monitor, whether you use a manual way of monitoring, but if you are a big organization it might be very, very difficult for you to monitor your third parties manually. You have to use tools that will help you, or you use another third party to monitor your third parties. You can use a third party to monitor your third party, or you can use a third party tool to monitor your third party; you just need to be monitoring the monitor. So we are in a serious situation, right? A very, very serious situation. The third party attack surface is very important. There are companies like maybe BitSight, you know, that do third party monitoring; there are so many companies. I am fortunate to also be monitoring the third party attack surface for some organizations. Not only that, we also check the dark web; we monitor the dark web for conversation, for anything that pertains to those critical third parties, and to the third party's own critical third parties, that's their fourth party. We monitor them on the dark web and we ensure that we use automated tools to compare what is happening. We understand their digital risk score, and we are able to project something, you know, to clients like this to see: oh, you've got your third parties, you understand their criticality. If you look at the heat map here you will see that on the red portion, this client does not have any high-criticality third party that has high risk. So we plot the criticality of the third party against the digital risk score. If any of the digital risk scores is at a higher score, we will put them in that red portion of the heat map. So it is very, very important for organizations to use a monitoring tool or a monitoring service to continuously monitor the digital attack surface of their third parties, or of their fourth parties, or of both; whether you want to monitor either one or you want to monitor both, it is very, very important.

So one takeaway, the first takeaway I want us to go with here, is to ensure that we have good security awareness and training for our employees that manage third parties. And yeah, I missed something when I was talking about inventory: when you inventory your third parties, you should assign an owner for that third party in your organization. There should not be any third party in your organization that is critical that is missing an owner. So the owners of those third parties should be properly trained to ensure that the contractors, the third parties, understand the risk that is associated with third parties and also with contractors. I talked about, you know, training your developers on the secure software development life cycle so that they understand the risk associated with using third party components. Of course they will need to use the third party components because it makes their job easy; they don't have to reinvent the wheel, they don't have to recode the whole process, the whole system again. It makes their job very easy, but educate them on the secure software development life cycle, expose them, empower them with a tool to monitor vulnerabilities on those secure soft... I mean on those third party components. Another thing is we need to do our due diligence when we are onboarding; we need to support the assessment. For some of us, we are in security, the security folks, many of us are, you know, we are open to that, but maybe we are not doing enough of a job in educating our workforce. I have seen projects happen and the project sponsor, who is an executive, was like, we need to get this done. I say yes, this is what our process says; our process says we need to perform the third party risk assessment. So what we now did eventually is to educate our project management office on the importance of third party risk, because they start the project, so when they are doing their project planning they need to carve out time for third party risk assessment, privacy impact assessment. You know, doing all of this will help the organization, and every time you spend on third party risk management, it is time that is well invested.

Also, try your best to ensure that your third parties are complying with regulations; they are complying with regulations in the US, just like I said about the application that I saw, that they are complying with the US Government SBOM regulation. Like I said, in Canada what we have here is a recommendation; maybe our Canadian government needs to do more, just like Adam said that we might need to shame some of them so that they can see well, but I won't be in the forefront, Adam. All right, I talked about incident response; it is also a very key takeaway for us. It's a matter of when we are going to be breached through our third party, and when we are breached, how do we respond? There are playbooks for third party attacks, you know. If you have a good incident response plan in your organization, I will expect that you have playbooks for maybe phishing attacks, for denial of service attacks, for incident respon... I mean for credential compromise, for ransomware, for malware outbreak and all that. Don't leave out supply chain attack; create one playbook for it, it is a matter of when it's going to happen. Look at your value chain and consider systems that are very sensitive, consider data that is very sensitive to your organization, look at your processes and ensure that you have a response plan. Think about it, just like Adam said, you know, work through a tabletop exercise: if this goes wrong, what is going to happen, how are we going to respond, what is going to be the impact on our organization, what is going to be the impact on our bottom line? And lastly, Canadian... I'm in Canada, I'm a Canadian. The Canadian digital supply chain is a collective responsibility of all of us. As we go back to our various organizations, as we meet with our different clients, we should keep all of this in mind and be responsible for ensuring that all our third parties are managed appropriately, educate our workforce, our third parties, our vendors, our suppliers, and position our organizations and the Canadian economy in a very good spot so that we can withstand the attacks of the future. Thank you so much for your time today. [Applause]
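As an added illustration (not code from the talk, nor from any product the speaker mentions), here is a small Python model of the inventory, classification, fourth-party and heat map steps the talk walks through: each party is tiered by what it can reach, a fourth party inherits a tier floor from the third party it serves, and every record is placed on a criticality-versus-digital-risk grid so the red cells and missing owners stand out. The tier rules, the score thresholds, the inheritance rule and the sample inventory are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

TIERS = ["low", "medium", "high", "critical"]          # ordered, index = severity
RISK_BANDS = [(70, "high"), (40, "medium"), (0, "low")]  # assumed score thresholds


@dataclass
class Party:
    """One supplier / vendor / contractor record in the inventory (constructed schema)."""
    name: str
    owner: Optional[str] = None            # internal owner; None is an inventory gap
    sensitive_data: bool = False           # has access to sensitive data
    critical_systems: bool = False         # has access to critical systems
    critical_process: bool = False         # sits inside a critical business process
    risk_score: int = 0                    # external digital-risk score, 0..100, higher is worse
    subcontractors: List["Party"] = field(default_factory=list)  # its own third parties


def own_tier(p: Party) -> str:
    """Criticality from access alone (assumed rule mirroring the talk's questions)."""
    if p.critical_systems and p.sensitive_data:
        return "critical"
    if p.critical_systems or p.sensitive_data:
        return "high"
    if p.critical_process:
        return "medium"
    return "low"


def risk_band(score: int) -> str:
    """Bucket an external digital-risk score into low / medium / high."""
    for threshold, band in RISK_BANDS:
        if score >= threshold:
            return band
    return "low"


def walk(parties: List[Party], floor: str = "low", depth: int = 1) -> Iterator[Tuple[Party, str, int]]:
    """Yield (party, effective tier, depth) for third and fourth parties alike.
    Assumed inheritance rule: a subcontractor is at least one tier below the
    party it serves, unless its own access already puts it higher."""
    for p in parties:
        tier = TIERS[max(TIERS.index(own_tier(p)), TIERS.index(floor))]
        yield p, tier, depth
        child_floor = TIERS[max(TIERS.index(tier) - 1, 0)]
        yield from walk(p.subcontractors, child_floor, depth + 1)


def heat_map(inventory: List[Party]):
    """Return (cells, red, unowned): grid cells keyed by (tier, band), the names
    in the red region (high/critical tier with a high risk band), and the
    high/critical parties that have no assigned owner."""
    cells: Dict[Tuple[str, str], List[str]] = {}
    red: List[str] = []
    unowned: List[str] = []
    for p, tier, _depth in walk(inventory):
        band = risk_band(p.risk_score)
        cells.setdefault((tier, band), []).append(p.name)
        if tier in ("critical", "high") and band == "high":
            red.append(p.name)
        if p.owner is None and tier in ("critical", "high"):
            unowned.append(p.name)
    return cells, red, unowned


# Constructed sample inventory: one PAM vendor with a hosting subcontractor
# (a fourth party), a file-transfer SaaS, a payroll contractor, and a low-access supplier.
INVENTORY = [
    Party("pam-vendor", owner="itsec-lead", sensitive_data=True, critical_systems=True, risk_score=35,
          subcontractors=[Party("pam-vendor-hosting", owner=None, risk_score=82)]),
    Party("file-transfer-saas", owner="infra-lead", sensitive_data=True, risk_score=75),
    Party("payroll-contractor", owner=None, critical_process=True, risk_score=50),
    Party("office-cleaning", owner="facilities", risk_score=90),
]

if __name__ == "__main__":
    cells, red, unowned = heat_map(INVENTORY)
    for tier in reversed(TIERS):                       # print the grid, critical row first
        row = [", ".join(cells.get((tier, band), [])) or "-" for _, band in RISK_BANDS]
        print(f"{tier:>8} | " + " | ".join(f"{c:<40}" for c in row))
    print("red region:", red)
    print("missing owner:", unowned)
```

Note that the hosting subcontractor never appears in the client's own vendor list; it lands in the red region only because the fourth-party walk inherited a floor from the PAM vendor it serves.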