The global internet community has recently been rocked by startling news of the CrowdStrike epic fail and the National Security Agency (NSA) data leak. Numerous businesses globally have experienced significant disruptions to their Windows workstations due to a flawed update released by cybersecurity firm CrowdStrike on Friday afternoon 19 July 2024 (source: Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide (thehackernews.com) - 19 July 2024). The core issue was a faulty sensor configuration update within CrowdStrike's Falcon platform. This update, intended to enhance security, inadvertently triggered a logic error on millions of Windows systems. This error resulted in system crashes and the infamous Blue Screen of Death (BSOD), severely disrupting operations across various industries.

On the other story, the recent online exposure of 1.4GB of NSA data (source: cyberpress.org By Balaji - 8 July 2024), containing Personal Identifiable Information (PII) such as full name, phone numbers and email addresses, sent shockwaves through the cybersecurity world. The NSA is a United States government agency responsible for global monitoring, collection, and processing of information and data for foreign and domestic intelligence and counterintelligence purposes. Threat actors claim that the data was allegedly obtained from Acuity Inc data breach., a company that works closely with the United States government and its allies. But here's the chilling truth: this breach isn't just a headline - it's a wake-up call for every organization that relies on third-party vendors. And chances are, that's you.

THE HIDDEN THREAT LURKING IN YOUR SUPPLY CHAIN 

Think of your business as a fortress. You've got strong walls, vigilant guards, and top-notch security systems. But what about the back door? The one your trusted partners use. That's where the danger lies – in the intricate web of third-party relationships that keep your business running. The CrowdStrike fail story, and the NSA leak proves that even the most secure organizations are vulnerable when their partners aren't. A single weak link, a lax security practice, a compromised employee at a vendor – any of these can become the Achilles' heel of your entire operation. On the CrowdStrike story, as IT teams scrambled to restore services, cybercriminals exploited the chaos, distributing malware disguised as fixes or updates. Remcos RAT, a notorious remote access trojan, was among the malicious payloads spread during the crisis. 

This added another layer of complexity and risk to an already dire situation. On the other situations, it could be many scenarios affected your business as IT Third-Party risk shown on figure 1.1.

PICTURE THIS: YOUR BUSINESS OPERATION SUDDENLY STOPPED AND YOUR DATA EXPOSED

Imagine your business operations suddenly stopped and your customer data splashed across the dark web. Businesses, hospitals, schools, and government agencies across the world were impacted as critical systems went offline. Financial records, personal details, confidential information - all up for grabs by cybercriminals. It's a nightmare scenario, but it's happening every day. And if you're not actively managing your third-party risk, you're practically rolling out the red carpet for hackers.

SEEING INSIDE THE BLACK BOX: TECHNICAL MONITORING 

But how can you truly know what's happening behind the scenes at your third-party vendors? 

Rigorous Testing: Implement a comprehensive and multi-layered testing strategy that includes extensive simulations and real-world scenarios to catch potential logic errors before updates are released.

Phased Rollouts: Instead of pushing updates to all systems simultaneously, adopt a phased approach. Start with a small, controlled group and gradually expand the rollout, closely monitoring for any anomalies.

Rollback Mechanisms: Ensure the ability to quickly revert to a previous, stable version of the software if a critical issue is detected in a new update.

Vulnerability Scanning: Regularly scan your vendors' systems for known vulnerabilities using tools like Nessus, Qualys, or OpenVAS. This can reveal outdated software, misconfigurations, or other weaknesses that hackers could exploit.

Penetration Testing: Go a step further by simulating real-world attacks to test the resilience of your vendors' security controls. Ethical hackers can uncover vulnerabilities that automated scans might miss.

Security Configurations Assessment and Attack Surface Management: Platforms such as CIS Benchmark, BitSight, Security Scorecard, and Wazuh continuously assess your vendors' security posture based on publicly available data like leaked credentials, malware infections, or outdated software. They provide an easy-to-understand rating that reflects their overall security hygiene.

Cloud Security Posture Management (CSPM): If your vendors operate in the cloud, CSPM tools (e.g., Wiz, Orca Security) can monitor their cloud configurations for misconfigurations, compliance violations, and potential security gaps.

TAKE CONTROL: DON’T BE THE NEXT VICTIM 

Don't wait for disaster to strike. Take proactive steps to safeguard your business from the inside out:

Comprehensive Due Diligence: Before onboarding any third party, conduct thorough risk assessments. Scrutinize their security practices, data handling procedures, incident response capabilities, and compliance with relevant regulations (e.g., UU No 27 Tahun 2022 tentang Pelindungan Data Pribadi, PBI No 4 Tahun 2024 tentang Keamanan Sistem Informasi dan Ketahanan Siber Bagi Penyelenggara Sistem Pembayaran, Pelaku Pasar Uang dan Valuta Asing, serta Pihak Lain yang Diatur dan Diawasi Bank Indonesia, or other related regulation such as GDPR, and CCPA). Don't just rely on self-reported information; verify their claims through independent audits or security questionnaires.

Continuous Monitoring: Third-party risk isn't a "set it and forget it" proposition. The threat landscape is constantly evolving, and so are the risks posed by your vendors. Implement ongoing monitoring to track changes in their security posture, identify emerging vulnerabilities, and ensure they maintain compliance with your contractual requirements.

Clear Contractual Agreements: Establish clear and comprehensive contracts with your third parties that explicitly outline their security obligations, data protection responsibilities, and breach notification procedures. Include provisions for regular audits and the right to terminate the relationship if they fail to meet their security commitments.

Incident Response Planning: Develop and test incident response plans that specifically address third-party breaches. Ensure you have clear communication channels with your vendors and a well-defined process for coordinating response efforts in the event of an incident.

Leverage Industry Standards: Utilize established frameworks like NIST Cybersecurity Framework, ISO 27001/27002, or Shared Assessments SIG to guide your third-party risk management program. These provide best practices and standardized approaches for identifying, assessing, and mitigating third-party risks.

THE TIME TO ACT IS NOW 

The NSA data leak is a stark reminder that no one is immune to cyber threats. Don't become another statistic. Take charge of your third-party risk management today and protect your business from tomorrow's headlines. Remember, cybersecurity isn't just about technology - it's about vigilance, preparedness, and a commitment to safeguarding your most valuable assets.

By Satrio Bayu Pandowo, Technology Risk Consulting Practice