In case you haven’t heard, the use of 3rd parties to test the cyber hygiene of business partners and vendors has become increasingly common. It’s not talked about much. In fact, hardly at all. At Radware, though, we’ve taken notice of this growing trend, even giving it its own name — shadow compliance.
In short, shadow compliance comes down to trust. It’s like breaking into a bank to test their security prior to entrusting them with your money. Only in the case of shadow compliance, the testing isn’t illegal. What’s important to remember is that the results may not be a fair evaluation of the subject’s cyber hygiene.
“How could this have happened?”
Being concerned with the cybersecurity of partners and vendors is nothing new. For years, questionnaires and requested documents handled it. Once answers were satisfactorily supplied, boxes could be checked off, signaling it was OK to move forward. But this type of compliance was jettisoned two years ago when software company SolarWinds was attacked in December 2020.
The software supply chain attack, which was launched by Russian intelligence service SVR, affected a number of SolarWinds’ customers. It left them wondering how a longtime, trusted product could be responsible for a vulnerability that affected so many companies. And it was launched through a simple, garden variety software update to SolarWinds’ Orion product, which helps customers manage their systems and technology infrastructure. SVR stealthily inserted malicious code into the update through a backdoor it discovered. It was a large, scary — and successful — attack. Really, though, the vulnerability was ultimately about trust. It made millions wonder How could this have happened?
False Positives Don’t Tell the Real Story
Third-party security evaluations can come in the form of large, well-established companies all the way down to former hackers who advertise themselves as perfect for the job. A To catch a criminal, you have to think like one mindset may prove effective, but it may not. Even large, established security companies can deliver false positives, as well. A false positive without supporting context could mean losing customers, market share and revenue.
Consider this example. An established technology provider had millions of dollars at risk when its customer, a large bank, turned to a 3rd party security assessment firm to determine if its vendor could truly be trusted. The testing uncovered anomalies on the supplier’s network. Naturally, the bank wanted answers, and fast. After all, thousands of customers’ assets might be at risk.
It was determined, although it took two months to uncover, that the anomalies were the result of a security scan conducted by the technology company’s IT team. So, for two months the technology company spent untold time and expense investigating the cause of anomalies with which it had nothing to do. If an apology was issued isn’t the point. What was definitely harmed was the trust that had been established between vendor and customer. And who knows how many people heard about the test results without learning they were false. Its good name may have been sullied in the marketplace. A false positive may have cost them millions in revenue, hundreds of customers and bad press that probably took them considerable time and expense from which to recover.
Preparing for Shadow Compliance — 4 Musts to Consider
To help ensure your company will pass a stealth cybersecurity test that’s happening without your knowledge, here are things that will help prep your organization.
Definitely sweat the small stuff
No question, there are many tasks that will keep up your defenses that aren’t anything to write home about. They’re not exciting. There’re mundane, even boring. But ignoring any of them can easily leave your organization open to attacks. And if any aren’t buttoned up, they can easily be exposed in a cybersecurity audit. If the simplest, most mundane tasks aren’t addressed, that will say a lot about your organization. Nobody wants to entrust their valuable data to a partner or vendor that overlooks details.
Limit system access to a select few
It sounds like a simple, intuitive thing to keep top of mind, but it’s amazing how this gets away from organizations. Access granted here and there eventually leads to many having it. Ask a member of IT how many people have access to systems and applications, and rest assured their guess will be well below the actual number. Over time, it really adds up. Not keeping track of it can increase your attack surface one individual at a time.
Take careful stock of your inventory
Like access, assets, including applications, databases, hardware and software, can get out of hand over time. if it hasn’t been monitored, a comprehensive inventory audit can produce shocking results. It’s like looking in your attic after years in a house; you can’t believe how much stuff you’ve accumulated.
Also, inventories must include configuration management. This helps ensure that your organization is using the latest supported versions and security features. Double-check your work with each vendor. They’ll let you know if you’re taking advantage of the latest of everything, security-wise, related to their products and services.
Monitor, manage and maintain constantly
A set-it-and-forget-it mindset is a great way to fail a cybersecurity audit. Remember, bad actors aren’t thinking like that. Threats constantly evolve. They create new ones by the minute. That’s not going to change. The last word you could use to describe cybersecurity is static. So, diligence better be one of the words that describe and defines your cybersecurity strategy.
Monitoring and maintaining your cyber hygiene needs to include regular testing, including vulnerability scans and pen tests. It’s a good idea to use a 3rd party to get this done. They’ll look at your infrastructure objectively. Conducting them in-house is too subjective, which makes it easy to overlook issues your team takes for granted.
Questions About How to Get a Passing Grade in Shadow Compliance?
If you have questions about your organization’s cyber hygiene and how to ace an upcoming, and unknown, shadow compliance exam, please reach out to our tenured and talented cybersecurity professionals here at Radware. We’ve been providing security and peace of mind to thousands of enterprises and the public sector for years. You can contact them here; we’d love to hear from you.