When it comes to cybersecurity incidents, 2023 has been, well, interesting. While we have seen some of the trends we expected – such as ransomware, more sophisticated malware, and nation-state/politically driven hacking – we have also witnessed an incredible number of fascinating and highly impactful third-party breaches. In this post, I will examine the top 5 worst third-party cybersecurity incidents of 2023 and review what lessons we can learn from them.
The widespread impact of the MOVEit vulnerability was the cybersecurity equivalent of a slow-moving train wreck in 2023. In May, the Cl0p ransomware gang began exploiting a zero-day vulnerability in Progress Software's MOVEit Transfer managed file transfer product. Progress Software has since issued numerous patches, but as of this writing, more than 2,000 organizations have reported being attacked.
On the surface, this incident wasn't particularly unique. Zero-day exploitation happens frequently, and vendors and victim organizations issue hurried vulnerability announcements and notifications. In this case, though, the announcements just kept coming. Thousands of organizations relied on a single software vendor, and that vendor found itself scrambling to patch a succession of critical flaws, the first of which was exploited in the wild before a fix existed. Downstream, that meant data exposure, compromised internal systems, and more.
This software supply chain attack is the perfect illustration of why it's essential to achieve as much visibility into your software supply chain as possible, so you can identify a potentially vulnerable product quickly, assess the vendor's practices accordingly, and get ahead of problems. Start by compiling an inventory of the services and software in use, who owns each vendor relationship, and what data each product touches.
Determine what you know about the provider's software development lifecycle (SDLC) and the components in their solution. Request a software bill of materials (SBOM), which inventories the third-party components a product ships with, along with evidence of secure development, packaging, and shipping practices (for example, signed releases and a documented secure SDLC). Note that an SBOM lists what is in the product; it is not by itself proof that the product was built securely. Without solid security testing and quality assurance (QA) processes in place, your software vendor is prone to exploitable flaws, and that means your organization is too.
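To make the inventory step concrete, here is an added example (not code from the page's author, from Progress Software, or from any vendor) that reads a CycloneDX SBOM, flags components whose shipped version falls inside an advisory's affected range, and reports components whose version is missing and therefore cannot be assessed at all. The SBOM and the advisory entries are constructed for the example; "example-transfer-server", "ADV-EXAMPLE-1" and the version ranges are hypothetical placeholders, not real products or advisories.

```python
"""Match SBOM components against affected-version ranges.

Added example: illustrative code, not from the page's author or any vendor.
The SBOM and advisories below are constructed placeholders.
"""
import itertools
import json
from typing import Iterable

# Constructed CycloneDX SBOM fragment (normally supplied by the vendor).
# Component names and versions are hypothetical placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "example-transfer-server", "version": "15.0.1"},
        {"type": "library", "name": "example-web-framework", "version": "4.8.2"},
        {"type": "library", "name": "example-db-driver", "version": "2.1.0"},
        {"type": "library", "name": "example-crypto-lib"},  # no version: an SBOM gap
    ],
})

# Constructed advisories (hypothetical, not real advisories).
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "example-transfer-server",
     "introduced": "12.0.0", "fixed": "15.0.2"},
    {"id": "ADV-EXAMPLE-2", "name": "example-web-framework",
     "introduced": "4.0.0", "fixed": "4.8.0"},
]


def parse_version(v: str) -> tuple:
    """Turn '15.0.1' into (15, 0, 1). Each segment is truncated at its first
    non-numeric character, so '1-hotfix' counts as 1; vendor-specific schemes
    need their own parser."""
    parts = []
    for seg in v.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, seg))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _pad(a: tuple, b: tuple) -> tuple:
    """Zero-pad two version tuples to equal length so '15.0' == '15.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the usual 'affected' semantics)."""
    v = parse_version(version)
    lo, v_lo = _pad(parse_version(introduced), v)
    hi, v_hi = _pad(parse_version(fixed), v)
    return lo <= v_lo and v_hi < hi


def flag_components(sbom_json: str, advisories: Iterable[dict]) -> list:
    """Return one finding per (component, advisory) pair whose shipped version
    is inside the affected range. Components without a version are skipped
    here and reported separately by sbom_gaps()."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings = []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            continue
        for adv in advisories:
            if comp.get("name") != adv["name"]:
                continue
            if version_in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def sbom_gaps(sbom_json: str) -> list:
    """Names of components that carry no version. They cannot be matched
    against any advisory and should be sent back to the vendor."""
    sbom = json.loads(sbom_json)
    return [c.get("name", "<unnamed>")
            for c in sbom.get("components", []) if not c.get("version")]


if __name__ == "__main__":
    for f in flag_components(SAMPLE_SBOM, ADVISORIES):
        print(f"AFFECTED {f['component']} {f['version']} ({f['advisory']}, fixed in {f['fixed_in']})")
    for name in sbom_gaps(SAMPLE_SBOM):
        print(f"GAP      {name}: no version in SBOM")
```

In practice you would match on package URLs (purl) or CPEs against a vulnerability feed such as OSV or NVD rather than on bare names, and you would treat an unversioned component as a finding in its own right, because an SBOM that cannot be matched gives you no visibility at all.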
While ransomware attacks aren't inherently new (I hesitate to say they're "old news" at this point, because they are still hugely impactful), there are always new and interesting angles to their root causes. In the high-profile ransomware attacks at MGM Resorts and Caesars Entertainment, those angles decidedly included third-party exposure. Part of the picture was social engineering aimed at third parties with remote access into the casino environments (Caesars attributed its intrusion to a social engineering attack on an outsourced IT support vendor), similar to how attackers targeted a third-party HVAC vendor in the famous 2013 Target breach.
As of this writing, Caesars reportedly paid about $15 million, and MGM has estimated its losses at roughly $100 million, in incidents attributed to ALPHV (BlackCat) and its affiliate Scattered Spider. Compromised data included names, driver's license numbers, dates of birth, and some Social Security and passport numbers. Some employee data was also breached.
This incident reinforces one of the foundational tenets of an IT security program: training, and especially training the help desk, which attackers impersonating employees or vendors target directly. It should also serve as a reminder of the importance of multi-factor authentication (MFA), ideally phishing-resistant, and of strong authentication policies, controls, and identity verification for privileged users and for anyone who can reset passwords or MFA factors.
One of the biggest cybersecurity stories of the year involves Okta. In addition to numerous major flaws and exposure announcements, the company recently revealed that a healthcare benefits vendor exposed information on roughly 5,000 Okta employees. In the earlier incident, attackers used stolen credentials to access Okta's support case management system and harvested session tokens from the HTTP Archive (HAR) files customers had uploaded for troubleshooting. Okta later stated that the incident affected all users of its customer support system. This follows two incidents in 2022: a breach through a third-party customer support contractor, and the theft of Okta source code from its code repositories.
Incidents like this highlight the risk of single points of failure. Identity and access management (IAM) solutions sit at the center of most employee and system interactions, serving as gateways to the most sensitive systems and data, so a compromise of the IAM vendor's own support channels can touch every tenant at once. As with the casino breaches noted above, organizations should take a concerted look at their third-party permissions and privileged access levels.
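As an added illustration of the exposure described above (example code, not Okta's tooling or the page author's), the script below scrubs session cookies, authorization headers, sensitive query parameters and message bodies from an HTTP Archive (HAR) file before it is attached to a support case, and counts what would have leaked had the file been uploaded as captured. The HAR is constructed for the example, the hostnames and token values are made up, and the lists of sensitive header and parameter names are assumptions to extend for your own applications.

```python
"""Scrub session material from a HAR file before sharing it with a vendor.

Added example, not code from Okta or from the page's author. The HAR below is
constructed; the sensitive-name lists are assumptions to extend as needed.
"""
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Assumed lists: header names (compared case-insensitively) and query
# parameter names (lowercase) that commonly carry session or bearer material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key"}
SENSITIVE_QUERY_KEYS = {"access_token", "id_token", "code", "sessiontoken", "token"}

# Constructed HAR (HAR 1.2 layout): one request/response pair with a session
# cookie, a token in the query string, a Set-Cookie, and a token in the body.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://tenant.example/api/v1/users/me?sessionToken=abc123",
                "headers": [
                    {"name": "Cookie", "value": "sid=constructed-session-cookie"},
                    {"name": "Accept", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": "constructed-session-cookie"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}],
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Set-Cookie", "value": "sid=constructed-new-cookie; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": "constructed-new-cookie"}],
                "content": {"mimeType": "application/json",
                            "text": "{\"token\": \"constructed-bearer\"}"},
            },
        }],
    }
})


def _scrub_pairs(pairs: list, names: set) -> None:
    """Redact the value of every name/value pair whose name is in `names`."""
    for p in pairs:
        if p.get("name", "").lower() in names:
            p["value"] = REDACTED


def _scrub_url(url: str) -> str:
    """Redact sensitive query parameters while keeping the path intact."""
    parts = urlsplit(url)
    q = [(k, REDACTED if k.lower() in SENSITIVE_QUERY_KEYS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(q)))


def scrub_har(har: dict) -> dict:
    """Return a scrubbed deep copy; the caller's HAR is left untouched."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            for c in msg.get("cookies", []):   # every cookie value is session-ish
                c["value"] = REDACTED
        _scrub_pairs(req.get("queryString", []), SENSITIVE_QUERY_KEYS)
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        # Bodies frequently carry tokens; this example drops them wholesale,
        # which is coarse but safe for a file destined for a third party.
        if "text" in req.get("postData", {}):
            req["postData"]["text"] = REDACTED
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = REDACTED
    return har


def residual_secrets(har: dict) -> int:
    """Count sensitive headers, cookies and query parameters still holding a
    real value. Use it as a gate: refuse to upload unless this returns 0."""
    n = 0
    for entry in har["log"]["entries"]:
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            n += sum(1 for h in msg.get("headers", [])
                     if h.get("name", "").lower() in SENSITIVE_HEADERS
                     and h.get("value") != REDACTED)
            n += sum(1 for c in msg.get("cookies", []) if c.get("value") != REDACTED)
        n += sum(1 for q in req.get("queryString", [])
                 if q.get("name", "").lower() in SENSITIVE_QUERY_KEYS
                 and q.get("value") != REDACTED)
    return n


if __name__ == "__main__":
    raw = json.loads(SAMPLE_HAR)
    clean = scrub_har(raw)
    print(f"secrets before: {residual_secrets(raw)}, after: {residual_secrets(clean)}")
    print(json.dumps(clean, indent=2))
```

The scrub keeps the parts a support engineer actually needs (methods, paths, status codes, content types, timings) and removes what an attacker who later steals the file could replay. The gate function matters as much as the scrub: the Okta case shows that a HAR sitting in a vendor's ticketing system is only as safe as that vendor's own access controls, so the session material should never leave your environment in the first place.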
5 Lessons From the Worst Third-Party Cybersecurity Incidents of 2023
Join Dave Shackleford of Voodoo Security as he examines the most impactful third-party security incidents of 2023 and shares tips for prioritizing your 2024 TPRM program strategy.
It is never good news when law enforcement agencies experience data breaches and security incidents. The London Metropolitan Police experienced a breach this year stemming from an apparent ransomware attack on an IT supplier, Digital ID. The compromised information included an array of sensitive data, including the names of officers and staff, photos, ranks, vetting levels, and identification numbers.
To be more proactive against similar attacks, you must first understand which vendors hold your sensitive data and track those providers carefully, including continuous threat monitoring and watching for cyber signals such as evidence of compromised data being offered for sale on the dark web. Also weigh the sensitivity of the data each vendor handles and the nature of the relationship. Any vendor involved in identity, including IAM, should be a tier 1 risk category to monitor.
Healthcare products distributor Henry Schein experienced disrupted operations in October due to a ransomware attack orchestrated by ALPHV (BlackCat). In November, the company announced yet another attack. At the time of this writing, there has been no confirmation that sensitive data was accessed in this second incident. The October incident affected a wide variety of dental, medical, and animal healthcare practices in many different countries, and cut the company's ecommerce capacity by about 75%.
If there is anything the top 5 breaches of 2023 have taught us, it is that you must stay ahead of attackers. Aside from the more functional security improvements I noted in the breach examples above, ensure that your TPRM program focuses on the following activities in 2024.
Establish organizational governance and alignment. Start with a thorough review of your procurement team and/or processes. Establish the initiation process for vendor reviews, define and review contract terms, identify available resources in the event of a breach or vulnerability caused by a vendor product, determine the frequency of vendor reviews post-contract, and document third-party review procedures.
Review third parties regularly. Conduct third-party risk assessments at multiple points in the vendor lifecycle. First, decide on a list of controls against which third parties need to demonstrate compliance. Then, determine the frequency of security reviews for internal and regulatory compliance needs. Finally, define a remediation and arbitration process for handling third parties that are not currently meeting security requirements.
Require statements of software security assurance (e.g., an SBOM, a SOC 2 Type 2 report, or ISO/IEC 27001 certification) as a baseline, remembering that an SBOM describes what is in the product rather than how it was built. Be ready to assess the developer/provider's capability to address future issues discovered, and obtain access to "gold images" (known-good, vendor-signed builds) from manufacturers as evidence of secure software development, packaging, and shipping.
Leverage risk rankings. Use technology services that offer supplier risk ratings or rankings benchmarked against other organizations in your industry.
For more lessons from the year’s most impactful third-party cybersecurity incidents, watch my on-demand webinar, “Lessons from the 5 Worst Third-Party Cybersecurity Incidents of 2023.”
Be sure to contact Prevalent to schedule a demonstration on how they can help your organization strengthen your third-party risk program.