Select Page

Acquisition & Procurement Risk in the Cybersecurity Industry

by | Apr 3, 2018

Overview

Information security for an organization is an ongoing process of users interacting with technology through a combination of policies, procedures, software and hardware to provide data confidentiality, integrity, and availability. All users are part of the process, not just the IT staff, and the security process is integrated with the normal operational processes of the organization. Security isn’t a free-standing product to be purchased.

The cybersecurity industry is the sum total of security products and services offered by vendors to a wide-ranging customer base, from government to corporate to small business, and even to the home user. With massive data breaches and other nefarious activity by internet villains, the public and the business world alike is concerned for the safety of their private information. And rightly so. The Equifax data breach alone exposed 147 million private financial files to hackers, and there  are many more reported incidents(Verizon RISK Team, 2017).

Data is the lifeblood of modern commerce, and considering social media, often the center of our social lives as well. Data powers our industries, our militaries, and even our healthcare. Data is power. Cybersecurity protects the sensitive data that flows across the Internet and the data that resides on our machines, keeping it safe from the malicious elements lurking in cyberspace.

Cybersecurity controls for any organization will require procurement of third party products and services. However, in a recent study “60 percent of respondents stated that their companies do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information(CREATE.org, 2016).” There is significant risk in using third parties for security as they’re outside of organizational controls.

 

Operational Risk

Cybersecurity products are services, software, and hardware purchased from vendors who themselves will have acquired products from third parties, who will have acquired other products from further down the supply chain. Flaws, vulnerabilities, or malware can find their way into the finished products through the vulnerable supply chain, either by unintentional error or malfeasance. A vast majority of hardware is produced in Asia which poses a particularly serious concern due to state sponsored spying programs(Anthony, 2012).

Threat Actors

  1. Nation states have vast resources and often use them to commit economic or military espionage. China has been very active in this regard and are especially dangerous because they historically play the ‘long game’ which could mean unknown malware hidden for decades(Whittaker, 2017). The incentive for government spying is to gain political, economic, or military advantages.
  2. Criminal syndicates have creative and quality hackers and choose targets based on financial gain. Their incentive is monetary gain.
  3. Cyber terrorists are motivated by political or religious beliefs and focus on theft to fund their activities of disruption and terror. They seek to destroy and thus may target infrastructure such as power grids(Boyens, Paulsen, Moorthy, Bartol, & Shankles, 2015, p. 36).
  4. Hacktivists seek attention for their cause and may choose to cause damage or disruption.

Threat Vectors

Hardware

Hardware presents an ideal vector for vulnerabilities or malware because of the closed nature of the chip manufacturing process and the stacked logic layers that prohibit nondestructive testing. It’s also permanent and cannot be changed like a software flaw. Hardware level malware is below the kernel level and bypasses standard code protection mechanisms(Hund, Holz, & Freiling, 2009, p. 2). Backdoors can remain hidden for years until needed, and are virtually undetectable without exhaustive full machine code level review.

  • The NSA has been trying for decades to force legislation that would require backdoors in hardware security chips to allow the government to break all encryption(Meinrath & Vitka, 2014, pp. 123-124).
  • The NSA has also been working to create backdoors into the supply chain of large technology companies(Larson, Perlroth, & Shane, 2013, p. 4).
  • China has developed a firmware level backdoor named “Rakshasa“, defining it a “permanent backdoor” that’s hard to detect, and nearly impossible to remove(Anthony, 2012).”
  • China is attempting to modernize its military through cyber espionage using hardware and software backdoors(Fritz, 2008).
  • China is selling products with preinstalled hardware level spyware for corporate espionage using APT or Advanced Persistent Threats(Marko, 2014).
  • Chips in US military hardware have been infected with Chinese malware(Reed, 2012).
  • Counterfeit hardware of all types has made it all the way onto military bases and into government networks(Boyson, 2014).

Software

Software is can be exploited through unintended flaws in the development process or through secretly implanted malware hidden in the millions of lines of code. It’s an easily corrupted infection vector and can be infiltrated into the supply chain at any point prior to client implementation.

  • Application level exploits or malware is the easiest to produce and the easiest to detect and remediate.
  • Root kits are often multipart low-level exploits that are very difficult to detect or eradicate(Felt, Finifter, Chin, Hanna, & Wagner, 2011, p. 9).
  • Firmware based malware is very difficult to locate and eradicate as it can spread across the network, reinfecting sanitized machines. This is often nation state level malfeasance(Fritz, 2008).

Service Providers

Contractors, vendors and consultants provide required cybersecurity services. A consultant may help guide the authoring of governance and policy documents, or a vendor may be providing ongoing SOC capabilities including SEIM and incident response. Maintenance contracts on network hardware often allow outside service personal to roam your organization with tools and laptops. Software development lifecycle requires periodic code review and patches from outside vendors. All these examples are possible routes for insider or affiliate insiders to accidently or knowingly plant malware or backdoors into a system(Silowash et al., 2012, pp. 21-22).

Outsourcing security services is essentially transferring the risk of attack to a third party. This can simultaneously reduce cost and liability. However, the “trust is an attack surface” and attackers can bypass an organizations rigorous security and target a vendor thus exploiting the trust relationship(Harkins, 2016, p. 91).

Cybersecurity Liability

No data security is perfect, and there will be incidents and data theft is always a possibility, The question of responsibility and financial liability in a breach is an important question. In US tort law, the manufacturer of a product is responsible for economic loss sustained by the buyer if the manufacturer is negligent. Similarly, organizations that hold personally identifiable financial or healthcare data are required by law to safeguard it, and may be civilly liable if negligent in the security efforts(Wade, 1965).

The case law involving data breach liability is limited and still evolving, mostly because law has not kept pace with the rapid changes of technology. Currently, there is no liability strictly from the theft of data. It becomes liability when there is injury from misuse(Black, 2017).

Risk of financial liability can be transferred to a third party through cybersecurity insurance with “contracts  designed to  mitigate  liability  issues,  property loss and theft, data damage, loss of income  from  network  outage  and  computer  failures,  Web-site  defacement, and cyberextortion (Bandyopadhyay, Mookerjee, & Rao, 2009, p. 2).” This is the risk management technique of ‘risk transference’(Carl L. Pritchard, 2014, p. 49). This seems like an excellent idea considering the current frequency of data incidents, however, the insurance companies are pricing the policies on the high side due to the unpredictability of the losses and lack of experience in the market. This results in a situation where “even after more than  a  decade  of commercialization, cyber-insurance  products  remain  underutilized(Bandyopadhyay et al., 2009, p. 1).”

Another liability factor to consider is that some compliance laws such as HIPAA attach liability of third party vendors to the parent organization. This increases the importance of SLA agreements with financial penalties to ensure third party compliance(Boyens et al., 2015, p. 51).

 

 

Governance Frameworks in Cybersecurity Acquisition

A complete and mature organizational cybersecurity infrastructure requires the use of a governance framework such as COBIT 4.1 aligned with a security control framework such as ISO/IEC 27002:2005. This provides a process to manage the complex security control lifecycle for the organization(Wolden, Valverde, & Talla, 2015, p. 51). Risk management is a part of this framework and assists in developing plans to mitigate and transfer risk to a tolerable level. This includes the risk associated with utilizing third party vendors.

The COBIT 4.1 governance framework controls acquisition through domain AI5: Procure IT Resources with control objectives(ITGI, 2008, p. 40):

  • 1 Procurement control
  • 2 Supplier contract management
  • 3 Supplier selection
  • 4 IT resources acquisition

These map directly to the ISO/IEC 27002:2005 controls(ITGI, 2008, p. 40):

  • 1.5 Confidentiality agreements
  • 1.5 Confidentiality agreements
  • 2.3 Addressing security in third-party agreements
  • 8.2 Exchange agreements
  • 5.5 Outsourced software development

NIST has a very detailed publication entitled NIST SP 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations that offers excellent guidance for any organization to use in reducing supply chain risk. The processes are meant to be integrated into the existing SDLC lifecycle and risk management processes(Boyens et al., 2015, p. 13). There are several quality governance frameworks available an any suitable framework will enhance the risk management strategies and reduce cyber incidents.

 

Summary

Acquisition and procurement risk from utilizing third party vendors is an unavoidable part of the cybersecurity industry. Products, services providers, and consultants along with a sometime very distant supply chain offer routes for malfeasance and malware to be introduced unknowingly into the organizational security plan. Risk can be reduced by following a governance framework, and risk can be transferred to third parties through service contracts or insurance products. This can reduce financial risk.

However, it’s important to remember that while financial risk may be transferred, many risks such as loss of business reputation, loss of sales potential, and punitive fines from governing agencies cannot. The long-term financial impact of these risks may exceed the initial financial loss of a data breach. This may be another reason that cyber insurance is underutilized.

 

 

 

Reference

 

Anthony, S. (2012). Rakshasa: The hardware backdoor that China could embed in every computer.   Retrieved 4/21/2018, from https://www.extremetech.com/computing/133773-rakshasa-the-hardware-backdoor-that-china-could-embed-in-every-computer

Bandyopadhyay, T., Mookerjee, V. S., & Rao, R. C. (2009). Why IT managers don’t go for cyber-insurance products. Communications of the ACM, 52(11), 68-73.

Black, J. (2017). Developments in Data Security Breach Liability. Business Lawyer, 73(1), 215-226.

Boyens, J., Paulsen, C., Moorthy, R., Bartol, N., & Shankles, S. (2015). NIST special publication 800-161: Supply chain risk management practices for federal in-formation systems and organizations. Gaithersburg: National Institute of Standards and Technology.

Boyson, S. (2014). Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems. Technovation, 34(7), 342-353.

Carl L. Pritchard, P. M. P. P. M. I. R. M. P. E. V. P. (2014). Risk Management: Concepts and Guidance, Fifth Edition: CRC Press.

CREATE.org. (2016). NIST Cybersecurity Framework: the Supply Chain and Third Parties.   Retrieved 4/22/2018, from https://create.org/news/nist-cybersecurity-framework-supply-chain-third-parties/

Felt, A. P., Finifter, M., Chin, E., Hanna, S., & Wagner, D. (2011). A survey of mobile malware in the wild. Paper presented at the Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices.

Fritz, J. (2008). How China will use cyber warfare to leapfrog in military competitiveness. Culture Mandala: The Bulletin of the Centre for East-West Cultural and Economic Studies, 8(1), 2.

Harkins, M. W. (2016). Managing Risk And Information Security : protect to enable. New York: Springer Science+Business Media.

Hund, R., Holz, T., & Freiling, F. C. (2009). Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. Paper presented at the USENIX Security Symposium.

ITGI. (2008). Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit. 130.

Kohnke, A., Sigler, K., & Shoemaker, D. (2017). Implementing Cybersecurity : a guide to the National Institute of Standards and Technology Risk Management Framework. Boca Raton, FL: Taylor & Francis Group.

Larson, J., Perlroth, N., & Shane, S. (2013). Revealed: The NSA’s secret campaign to crack, undermine Internet security. Pro-Publica, September.

Marko, K. (2014). How a Scanner Infected Corporate Systems and Stole Data: Beware Trojan Peripherals.   Retrieved 4/21/2018, from https://www.forbes.com/sites/kurtmarko/2014/07/10/trojan-hardware-spreads-apts/#5b873af22536

Meinrath, S. D., & Vitka, S. (2014). Crypto war II. Critical Studies in Media Communication, 31(2), 123-128.

Reed, J. (2012, 30 May 2012 ). Proof That Military Chips From China Are Infected.   Retrieved 4/21/2018, from https://www.military.com/defensetech/2012/05/30/smoking-gun-proof-that-military-chips-from-china-are-infected

Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T. J., & Flynn, L. (2012). Common sense guide to mitigating insider threats 4th edition: CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST.

Verizon RISK Team. (2017). 2017 Data Breach Investigations Report. (10th Edition).

Wade, J. W. (1965). Strict Tort Liability of Manufacturers. Sw. LJ, 19, 5.

Whittaker, Z. (2017). Chinese backdoor malware resurfaces after more than a decade.   Retrieved 4/21/2018, from https://www.zdnet.com/article/chinese-backdoor-malware-resurfaces-after-more-than-a-decade/

Wolden, M., Valverde, R., & Talla, M. (2015). The effectiveness of COBIT 5 information security framework for reducing cyber attacks on supply chain management system. IFAC-PapersOnLine, 48(3), 1846-1852.