
...about that, I'm sure. Well, good afternoon everybody, and thank you for coming to this particular talk on suppliers: trust, verify. I was just saying to somebody, it wasn't me that said it, this is going to be massively informal. Move all the banks around, trying to stay in the box, which is going to be a challenge. Any questions, ask at the point you think of them; don't worry about [inaudible] if you've got any questions. Essentially this is just a little bit of a meander through some of the things that we've seen as a business, and me as an individual, throughout a few years of doing supply chain management. So this is us going out to other people's suppliers doing audit work, essentially, in terms of where they stack up against certain standards, be it [inaudible] or Cyber Essentials, or a combination of those, or the company's own kind of rules, especially in the FCA world. Anybody here from an FCA organization, the Financial Conduct Authority? Jason, sadly. All right. So some of the stuff we find there, and some other stuff we found a bit more recently, which requires a little bit of interpretation all through that. So who's got suppliers? Anybody got suppliers in the organization? A bit dodgy, eh? Yeah, right, invite you out on Saturday, that sort of stuff. Cool. So essentially this is just talking about risk. Risk is risk, right? This is essentially what we're talking about: supply chain risk.

So a little bit of preamble here. Is anyone familiar with the Allianz Risk Barometer? It comes out once a year. If you're not, it's worth a read; it's a bit like reading a lot of the industry publications, it gives you a bit of a hint about where to focus your efforts, and this is a bit more business level as well. So apart from 2020, their number one global risk to business has been cyber security for as long as I've been reading this report. You can see there: cyber crime, cyber incidents, the biggest threat to business the world over. The number two risk this year, which was the same last year and in previous years, is business interruption, including supply chain interruption. So anybody use [inaudible]? All right. So that's kind of supply chain; that's caused massive issues to the customers, and the suppliers' issues as well, actually, some relatively recent kind of updates, some challenges. But actually they see this as a major issue and they go, fine, but suppliers have cyber incidents as well, which makes them really, really risky, so maybe they should be number one on this list, potentially, not number two. Something to think about. From a supply chain point of view, do you know what's going on in your suppliers, like right now, in real time? Nobody does. Nobody does. You kind of have to take that with a little bit of trust, in terms of that they're doing the right things and behaving the way that you would expect them to all the time. You do it on a Tuesday and might not be back for a year, or five years, or never, depending on the size and shape of the supplier and what the level of risk is, potentially, to what there is to do.

So, some considerations. Essentially what we're talking about, we're just going to drill in a little bit and talk about some of the things we found in other people's supply chains. No names, no years. But some of them are quite interesting, and some of them are actually really basic as well. So, suppliers: they're basically dodgy, right? That's my kind of viewpoint on
suppliers, he says, being a supplier. So what's that about? Essentially you've got to watch what your suppliers do, because you don't control them, right? They've got their own business agendas, they're trying to make money, that's their primary thing, especially in this space. Are they actually doing the right thing with access to your data and your systems? It's kind of the question: how do you manage that? So a couple I'll just put on the board, actually; I'll put these on as examples of things I might feel are slightly dodgy. So cast your mind back: SolarWinds got breached by maybe a nation state a few years back, and that deployed to lots of organizations, where they put a back door into a monitoring tool. Kaseya, same thing; that distributed ransomware. So if you're an MSP and you use Kaseya to manage all your customers' endpoints, about a couple of months, also somewhere, one day, which is a bad idea. Kaspersky: now, interestingly, reading the NCSC guidance, it's fine as long as you're not in the public sector, right? So what's the difference between the public sector and the corporate world? Who pays the bills, essentially: is it taxpayer money or private money? But actually, why is it less dodgy if you're in those organizations? No? What sort of organization do you work in? Private sector? Yeah. Is it or not? No? Yeah, you know, but that's that. So that was a bit of a question mark. Is that not part of the supposed risk appetite, the fact that they are Russian based, something like that? I think they've got origins there, so there's this idea that they're going to be terrible and they're going to just blow a back door into every government endpoint, which, I mean, I'd be here for the popcorn. That's what happened here, exactly. SolarWinds, big US company, actually got breached, yeah, ages and ages and ages ago. It's really interesting. So you could put TikTok in the same space, couldn't you? Yeah, it was allegedly filmed by [inaudible] intelligence searching keywords, allegedly. Allegedly. But TikTok: all the data is actually hosted in China, ByteDance. Interesting. Is that a security risk? Is it a privacy risk? Yeah, probably. Does the person who runs TikTok in China actually let his kids use it? No, he lives in Hong Kong or Singapore or something, so read into that what you might, I would suggest.

Anyway, basically you've got to be really careful with suppliers, because something might change; they might be doing something a bit nefarious under the hood. What do the T&Cs look like? Read the T&Cs; Dropbox, for instance, it's interesting. Google: did you ever see the video of the audio pings in Google Chrome? So it set the ping off every time some data went back to Google; it sounded like a Spectrum loading tape from the 80s and the 90s. It's basically all your data going to Google. That sort of stuff is a little bit outside of what I'm talking about here, but case in point: you've got to be really, really careful what we're doing with suppliers, especially those that proffer a service that might be really, really cost effective. How much time are they spending on their own security, which might have an impact on yours as an organization? That's essentially where we're going. So, good luck managing suppliers.

Supply chain: is anybody in supply chain assurance? Is that a day job for anybody? Oh, lucky, lucky. It was fun. How effective is supply chain assurance? Terrible. Building it, building it, yeah, it's a bit of a [inaudible]. So actually, how are you categorizing suppliers? Who's got access to what? Do you break that down based on the size of impact if there is an incident? You do that with a tool. One of our customers sends us a report every week about what they think our report is; you go and look at that thing there and go, like, actually that's a website, completely fine, don't care, is it anything to do with your service? They say it is, but there's some challenges around that sort of stuff. In terms of: has anybody got ISO 27001 in the room? That's right, great, awesome, you'll love one of the case studies we're going to talk about; that's going to be good. So we're going to talk about some case studies, essentially walk through some things I've seen doing supply chain on other people, and just talk about the consequences of some of those. If you have any questions, do so along the session.
Generally, here we go, right. Where were we? Okay, all right. So anybody got [inaudible] in their organization? Yeah, we've got all three, unfortunately, and they're also talking about getting SOC 2 as well, just for, you know, extra depression. That sounds like paperwork for any actual tangible security value? It's literally because we're an organization that operates across the globe, so nobody recognizes it; everyone in EMEA wants it, no one else cares, and then in America it's SOC 2 or go to hell, yeah, which is bizarre. But that's, you know, the nature of the beast.

So contract terms and business level agreements: who's got contract terms that say you must do certain things with their supply chain, as a supplier? There we go, here we go. Have you got suppliers where you've enforced this stuff contractually, need to do certain things? I've seen scary emails, but have they signed in blood that they're going to conform? To do with one thing: we looked at a big one for a customer that wanted to transfer all cyber risk to us as part of this particular contract; if there was an incident we'd be on the hook for it in terms of fixing it and paying out any fines. So, yeah, we're not doing that, that's insane. Are you mad? Yeah, but, you know, possibly accept that that's your business risk, not my business risk, potentially. Yeah, seriously, seriously, and you're like, yeah, I know, it's just insane. So some of the commercial aspects of that: when you try to weigh out risk and cost, you go, actually, there comes a point where something is accepted on a risk basis, or actually just do something different at that point, in terms of what they're actually trying to do with their money there.

Statutory regulation: has anybody got any of these things, anybody take any notice of GDPR? Sadly, yeah. There's lots of stuff in there, very, very little kind of really prescriptive stuff in GDPR about what you should and shouldn't do; it just references state of the art, or the latest and greatest stuff, and then if you ever read the ICO enforcement action, it then talks about Cyber Essentials: the Electoral Commission, Cyber Essentials, due to running Windows XP or something, stuff like that. So they kind of reference out to whatever the latest and greatest kind of security standard is, which is interesting.

Supplier management: oh, that sounds exciting, doesn't it? It's interesting to a few people in the room, just two, which is good. But yeah, supplier management can be an interesting thing. So I was going to talk about some cases of this and then ask questions. All right, put some good points on the board here. So this is interesting. So I did
an audit, let's say seven years ago, for a print supplier, and actually one of their customers was a bank, so they would send this company print, like statements, for example. They'd never done any audit stuff; this particular bank was going through a programme of auditing all of their suppliers. And I went to this place down in the Southeast, and the internal IT department in this organization outsourced quite a lot of work to an external kind of MSP, if you like, as well, to help with things that they didn't have skills for, as it's not unusual in a print organization, production like. One in place, proper [inaudible] as well. Anybody come to look at that? We've got people with proper [inaudible] versus ones you can buy for twelve quid next day. Why are you looking at me like that? No, no, no, I'm aware of some organizations that may or may not have done that.

Anyway, we go through this audit; we have a particular framework we were working through, which is driven by this financial services organization, and it's got some tech details: ask questions like, do you log in as an admin for your day-to-day duties? No, they didn't; separate accounts. Okay, great, no problems. They'd reasonably locked down their desktops and all that sort of stuff. Actually that's not too bad, you know, they're doing reasonable things; it's quite a small business, relatively speaking, in terms of people. Where they did the work for this particular financial services organization, they had a separate room, a room probably about four times the size of this, separate swipe card access to get in: if you were on that contract you could get in the room, if you weren't you couldn't. Their own printing machines and their own inserting machines and all this stuff; you go, well, you know, it looks like they're doing a reasonable job here, great. And there's a couple of things about this that we addressed. So: you've spent all that money on door locks; the network in there, that's one flat network across the entire business, right? It's not really, is it? So if you were on the general shop floor you could see the jobs; the machines were just physically different. Okay, so anyone who's looking around, that might look really secure and impressive, nice and decorated, but in reality it's just a room in the general building, which already had card access; it wasn't really any different from any other room. Why not spend less money on that and more on proper security?

Anyway, we got towards the end. So, what about the firewall? Not in this instance: there it is. I'm looking at this, this is a router; is it running the firewall software? Well, I don't know, said this network engineer, the IT manager. Okay, who looks after the IT? The IT company looks after it. Great, let's see the IT company. Got this router: is that running the firewall software? Well, it's not, you know. Now, no, no. Is it stateful inspection? Can I filter based on rules? No, it's just a router. So there's this printing company being sent tens of thousands of credit card and bank statements from a financial services organization every day with no network protection whatsoever, but they've got ISO 27001 on the wall as well. So they've gone through an audit process repeatedly over a period of ten years, got through the audit. Who the hell audited that? Interesting, interesting. So it turns out, actually, the auditors had transferred in from other disciplines, so they weren't originally from an IT or security background or anything else like that. They get shown it, yeah; they don't have enough knowledge to tell the difference. Can't shout too much; equally, from a [inaudible] point of view, anybody feel free to point out in the requirements where it says "you must". It's not in there. Risk register: write that down, accept it, period. That looks expensive from a cost point of view. Oh, so your million pound printing press, that's expensive by comparison to, yes, check. Don't know what it is or what it does, you might need it.

So what happened here is I then had to go back to my client on the telephone going, bit of a challenge, bit of a red flag on this particular thing because of these reasons. It's great, what do you think I should do? Like, it's not my business, it's not my risk; if it was me I probably wouldn't send any more data until we'd fixed this. That's really, really bad. I didn't say it's bad, it's a really bad situation. So they didn't stop; they'd have had to stop, risk stuff; they had to do their printing on time. Anyway, six weeks later, as they were kind of working on this, they agreed to fix it; they knew it was a problem, they were just trying not to spend money. They sent a screenshot of their new firewall having been implemented, a bunch of traffic. Right, that wasn't the interesting part; the interesting part was that 92% of their traffic was Netflix. The staff were all sat there during the day watching TV because they could; it wasn't restricted. I'm going, okay, you'll probably make a bit more money now if you could make your team maybe a bit more efficient, because the ones watching TV should probably be at home.

Security was a really interesting thing to look at in terms of actually how you can get something which looked really quite good on the surface, and when you go digging in actually there's lots of holes in that, and they weren't actually really complicated technical holes; you know, a lot of this is about really basic stuff. The number one thing inside Cyber Essentials is have a firewall; it's the first thing on the list. So they wouldn't pass. So it sounds shocking, but this is a real case. How did you do that? The number one thing we see when we go somewhere: we've got a firewall, it's the router given by the MSP or the ISP, and they just use the networks. You can run DHCP, the router, easily enough. Organization, back stairs, actually, who knows, an office, any physical location, business just dressed up officially. Has anybody seen anything like this in their travels? Yeah? May have, yeah. And didn't what? Discuss? People go, yeah, we comply with statement and policy, then move on with their lives; that's what most people do. But yeah. Should we accept health and safety law might be another question at that
point. Yeah, slightly mad, but, so yeah, kind of interesting. Sorry? Yeah, sure. Look, I used to work at [inaudible], yeah, so I don't even know, I don't know where my work is. Brilliant, awesome, cool.

Right, next one then. What's this one about? Oh, medical records, yeah. So this was, say, more of a knowledge thing rather than anything else. That particular organization, it's part of the same kind of audit stream, this organization in the Midlands somewhere, I forget exactly where it was, and they dealt with medical records: they would do things like medical tests, take blood pressure, cholesterol, whatever it might be, keep records. And, you know, it was a small business, 30 people, one office, actually some pretty reasonable basics, good. What they were doing there, however: we saw they stored the data in the free version of Dropbox. And who's read the T&Cs of the free version? So at the time I did this, when I went through that, I won't dwell too much on this one, they actually read all the data you stick in there; they target you based on the data they find. So they would be reading everyone's medical information that they uploaded into Dropbox to target them. When, as a business, you start moving the data around you realize it's complicated. So be careful where you put data, I guess. A bit of a niche case, but I was speaking to somebody today who was dealing with medical records, so there are lots of organizations out there that do that, yeah. Certainly something to watch out for in terms of actually tracing your data as it goes to somebody else; that can hurt you as a business; it's still your responsibility.

Righty, what's this? Oh, physical security, right. So back in the day we did some work where we might be trying to gain access to premises, right. So this particular incident, I was doing some work for a motor dealership group. If you think of a car dealership, a traditional car dealership, typically there's a bunch of stuff going on, cars in the showroom, stuff kicking about, a reception desk, that sort of stuff. Right at the back there's typically a door that says staff only, something like that. So I walked into this car dealership carrying a PC with a rucksack on my back, had a suit on, kind of marching through, not been there before, saw this door at the back, going, right, well, I know I need to go upstairs, I can see some stairs through the door. Wandered up to this staff only door, opened the door, through the door, upstairs, walked in, turned out past the finance department, said good morning to them, straight past; we passed the CEO's office, which is also on the same floor, straight past them all the way down to the end of this corridor, says computer room. Got this PC that I needed to get into the computer room with. Door's locked? No. Great, the keys are in the door. Unlock that, not kidding, unlock that, go in this room, shut the door, lock it from the inside. I'm in there an hour before I come out. Anyway, so come back out of this thing; I kind of sidled up past the CEO's office, the FDs in there as well, they're chatting away, doing this through the window, looked at me going, who are you? Keep going. Get back to where the main finance area was, and I just stopped at the side of, like, a barrier on the side of the desk, just stopped, chatting away, oh, how are you doing today, you know, kind of chatting over, weather's pretty nice, and then it was June, whatever time of year it was. Yeah, oh, I said, just a quick question. Said yes. Didn't ask who I was or what I was doing here. And they said, yeah, yeah, you looked confident so we just let you carry on. So I managed to get into the computer room in this 30-site motor dealership group without anybody asking me any questions. And the big, you know, some of the stuff: don't put a sign on the computer room, don't leave the key in the door. What? Why was the key in the door? Oh, we kept losing it, so we just left it in the lock, easy to find. Some really, really basic stuff. No swipe card access to the room: what's the value in that? We don't have people going up here very often. Clearly. You know, I was supposed to be there; equally, if I was not supposed to be there, that still would have been fine, because nobody would have asked any questions. Really, really bizarre. So actually, in the whole kind of notion of physical security: I want my own secure data room? No, no, stick it with everybody else's, because you're going to spend a lot more time looking after one big pot of things than you are lots of little stuff kicking around everywhere. But quite interesting.

Anybody recognize this film as well? Catch Me If You Can, yeah, one of my favourite films; I stick this on a lot of stuff. But actually this is the scene pretending to be a doctor; he's not really a doctor, but it works because he looks like he's dressed like a doctor, he sounds nice and confident, it's all good, no idea what he's doing at all whatsoever, he just gets everybody else to run around for him, but it works. Classic bit of social engineering, but that's essentially what physical security is: tailgating or whatever it is. It's a bit more difficult these days trying to get into a proper office; actually, places like universities are a nightmare to secure because they're open access. I think you have to pay for parking here at the weekend, so you can be fairly anonymous wandering in here; just come to get coffee. How long could you poke around in this building before security wandered up to you and asked you any questions about what you're doing here? Wander around in the building, not just immediately here, and see how far you can get. It's a really interesting thing to do in terms of, oh, actually, this room's open, some network ports here on the floor, where do they connect? I haven't done that, by the way, but you could and nobody would notice on a day like today, as there's lots of events and stuff like that going on here. So the better contained you can keep
your office environment, the more difficult it is for somebody to get in there. So an interesting piece in that bit.

What's this one about? All right, this is a recent one. So anybody do any sort of open source intelligence on your organization? Yeah, yeah. So we use [inaudible]; we've taken a habit of going, any new customers we might deal with, we take a habit of just running this tool. It gives us a bunch of output back: where their email is actually hosted, are they interesting; it gives you a bit of a notional idea. Put this up here, right. So this is one of the things we found. Recognize this login page? Yeah, right. Okay, so if you look at this we got no critical things found; got nine highs, though. High might be things like you're missing some patch updates or you run an out-of-date version of a package, whatever it might be, those sorts of things. We poked through; one of the highs was actually this. So this is the admin interface. Generally these things should not be accessible from the internet; this is accessible from the internet, was two weeks ago when I last checked it. Doesn't appear to be anything protecting anyone from logging into this organization's perimeter firewall. Interesting how I got here was actually we were looking at where the MX records pointed, and ended up here. Great. That all seems quite innocuous, really; you go, okay, well, that's probably poor practice. You find a lot with DrayTek and stuff like that in their businesses; they're generally open so people can get to them easily for admin purposes and that sort of stuff.

A couple of things that are really shocking about this. Thing number one: this is actually a competitor we took some business off three months ago. So this is actually an MSP in the UK; they offer security services and pen testing. Read into that what you will. The reason I came across this is, it didn't find anything particularly wrong at the firewall level, it didn't kind of highlight any issues; the main thing it flagged here is this is accessible over HTTP. Oh, there's no encryption on this: not only is it accessible to the world, it's also not encrypted, as an interface. I go, how can you not have your firewall interface at least encrypted, and even better, just don't have it open? Why is that? Be seeing this, yeah. It was actually [inaudible]; I've removed any kind of information that might be there, so nobody can look that up. But a really interesting thing to find, and they actually host a lot of the services for their customers behind this device on their premises; they're still doing on-prem stuff for their customers as well. We were kind of blown away by this, I really, really was. But actually, if they're your supplier, I'd be mortified by this; massive risk. But that's the sort of thing to kind of look out for there. Anything else like that? They've got no real day-to-day responsibility or person looking after that for them in their organization, because you'd be all over this like a rash, you'd kind of jump on it. We see this a lot: customers, people we go and talk to for the first time, we find stuff like this, and it's always the basic stuff that tends to get exploited.

Anyone use AWS instances? Yeah. We've come across a few people we've had to help where they've had their EC2 instances breached because they never reset the default admin passwords: admin, what AWS creates. They left RDP open, which is how you get into the things in the first place. So there's a few little things that you can tweak, and even in a very good, great environment, that you can do to come up short, that actually a lot of organizations miss. It's always those simple things. We've come to find that the most horrendous kind of breaches were always things like RDP, SMB shares, out-of-date software, firewall interfaces being open. You can log into this, create any VPN you like, just get access to everything underneath. Pound to a penny that if you can figure out what this password is, it probably works in other platforms as well, I would suggest; that's just, you know. Did you try the default credentials? No. Should have. You should. No, no, no, no need to do that; we were kind of just interested, okay, what sort of interface, you know. And actually we had a pretty poor experience with that other supplier in terms of doing the transition; they weren't particularly forthcoming at all. It's a good indicator, how people behave when you've got to interact with them, and kind of where they are in terms of what they view as important, what their view is.

I once had a conversation with somebody, said, why have you got these open SMB shares on the internet? Yeah, so people can access the file shares from home. I was like, yeah, that's SMB version one. Yeah, it's got a username and password. I know. That's actually insecure; that's really readily breached, whatever it is. Anybody? No, no, the IT was adamant it was absolutely the best thing in the world ever because it made remote access nice and easy. Instead of a VPN? Yeah, the users didn't like that, it was complicated. Click, yeah, or nothing, the computer does it. Yeah, yeah, you know, it's really easy to do. But yeah, some of the reasons we've heard for people not putting in just really basic security measures, basic stuff, these days; just amazing, really. Actually, there's a lot of this stuff out there, it really is. But we find it in supply chains, other people's suppliers; that's the kind of the essence of this: actually go and check, go and do some sort of verification. And, you know, if someone presents me with the ISO certificate these days, I go, great, let's go and have a look at what you've got, because I don't necessarily trust that you've actually done all this stuff, or that you're doing it continuously, or that it's even relevant, you know. So people that have got, yeah, we've got a bunch of, you know, it depends: do this last night, buy a product from you, or consuming a web service; I'm less interested in your development, because not doing that; what's relevant to your organizations on a day-to-day basis? What do you do with your suppliers? How much access have they got to your environment directly? From a supply chain point of view, there was Target, a big PCI breach from many, many years back. Yeah, yeah, but it was the same admin credentials as were on their card readers for taking payments. I think it was the FBI that told them they'd been breached, something like that. And they got breached because the people that looked after their HVAC got breached, yeah, you know; they had access to the network, they got on the network. Network segregation, you know where we go. So some really basic stuff in there, but yeah,
just definitely watch that. Anyway, I just wanted to share some of the stuff that we find, some of which is good. That's it. Anybody got any questions? We might even have some time left after that. No questions? Early.

What's the biggest risk, in terms of, would you say, a lack of assurance or a lack of, trying to find the right word, sorry, lack of assurance, lack of evidence, or lack of actual culture? What would you say is the biggest risk in terms of, if we're talking about getting evidence of, like, a supplier having good security? Yeah, because an ISO is fantastic evidence of good security, I mean. No, it's not evidence of good security; it's a tiny list of exceptions, yeah. So if we look at some of the latest stuff that's coming from the NCSC, they're talking very much more about security behaviours. They're looking to see a certain set of behaviours from the organizations that they get involved with, rather than I've got this or that set of tech controls. They want to know: are you thinking security first? Are you embedding that from the start of any project? Yeah, basically, yeah. Is everybody thinking in those sorts of terms, or is it a tick box exercise for you? If it's a tick box exercise, it's not going to work; it's just, you know, forget that. You need to think about that, you know, in terms of actually people wake up, go to work and go, oh, I really shouldn't be clicking on that email or scanning that QR code. We see that: one of the vendors has got a QR code you scan to enter a competition for the Lego car, which looks quite enticing. Who doesn't like Lego? But no one's scanning it, on the basis that most people from a security background are going, I'm not scanning that barcode, what's on the end of that? Got no idea. So no one's gone anywhere near it. So you kind of look at that stuff and go, actually, people are just distrustful. Those in the car park, scan with RingGo? Oh, yeah, somebody went round all the car parks at the beach, tourist season, bang. I mean, somebody thought about that, nice and clever; lots of people not coming in, you wouldn't be able to tell the difference, necessarily. Just go and measure the QR code, one like it, print a sticker in white that size, there you go: sign up for RingGo here. You know, why might you get a ticket on the car? How many people are in that car park in a day? Didn't they do track and trace as well? Not, I didn't read the article, I've got to be honest; we just saw, like, a snippet of it while I was away. But yeah, you get some really interesting things like that; you go back to actually how somebody is going to extract some money out of this situation, fundamentally. And anybody in defence or IP in their organization? Yeah, that, when we have a discussion, you'll understand some of the organization. Understood, understood. So if you look at, you know, most cyber attacks start with people trying to extract cash out of your organization; go with that, it's where the opportunity for them to do that is. Just focus on minimizing that, rather than spending loads of money on lots and lots of fancy security tools that aren't actually going to make any, like, tangible difference. Spending money on things that make a tangible security difference is number one. You need to start from the top: who's in charge of their organizations, challenging them. Somebody going, yeah, nobody wants to spring for a pentest. Going, really? A pentest? How many people in your business? 300. You can afford a pentest, that's fine, just on the basis of scale. Ten people, I can understand you want to avoid trying to spend that level of money on pentesting; at 300 people it's not really a reasonable reason not to, other than somebody at the top doesn't see the value. So that culture needs to change.

One thing: I used to, a few years ago, contract, yeah, come back and ask you for advice; you couldn't provide advice, because you'd be coming across the line, yeah, beginning to be responsible for security. I did. What would be your advice on what to do in that situation? Oh, that's challenging. So, interesting. So the last person I spoke to about that in the FCA space actually did start offering people a few hints and tips. So the report we've generally turned out in some of these instances very much says, right, here's the area we're talking about, let's call it firewall security, here's what we found when we were there, here's what good looks like, nothing specific; best practice includes probably a firewall with these kinds of capabilities, and then I recommend you go and do a thing, at the bottom here. So we did actually stick in there, you actually should go and do that; we weren't specific about things like vendors or capacities and things like that, we were very general, in terms of, well, say, Cyber Essentials doesn't care if it's software or a bit of tin, did you buy it from Cisco or Palo Alto or something, it's not interested, it doesn't care: do you have a device that can meet these kinds of requirements? That might be the sort of thing to do, to go, you might want to go and look at, whether you actually need it, PCI DSS. I quite like it from a, here's a good list of technical things you can do to secure an environment no matter what data is in there. You might want to go and read that and do some of those things, but they need to be kind of contextualized for your business. I tend to point people towards that sort of general advice rather than being really specific: buy things, and it comes across a bit sales. Is that, like, just in case of liability? Yeah, that's a big part of it: you told me to do this and it hasn't worked, I've wasted loads of money on it. It can be a bit of an issue, unless someone specifically goes, what should I buy? Then, buy that, yeah, just buy that; you're kind of good in that way. Yeah, we tend to be very generic in those kind of feedback reports; we're always quite generic, yeah, because you're not our customer. If you're a customer we'd be much less generic. But yeah, you might want to go and talk to XYZ or somebody that, you know, might be able to help in that situation, if we've got a part of the organization to point you towards; even if it's one of your other suppliers that helps with those things in your business, go and talk to them, they can help. Cool. Thank you, everybody, for coming.