Cybersecurity and Third-Party Risk. Gregory C. Rasner
network. At the time of this backdoor announcement, Zyxel offered patches for all of the products except for the NXC series; it is not producing a patch for another four months.
Zyxel Patch Release
The expected patch release is April 2021. Until then, the only option for organizations is to unplug and replace the devices to ensure security posture.
The hardcoded user account “zyfwp” and password “PrOw!N_fXp” were stored in visible plaintext (i.e., unencrypted or obfuscated). Dutch researchers reported that the password was clearly visible in the code binaries. Apparently the account had the root‐level access to install firmware updates. In the previous 2016 incident, a hacker would've needed to already have a user account on the device to exploit it and to become a super user. In that instance, the root account is directly accessible on HTTPS (port 443) connection to the device.
According to Zyxel's website, “A hardcoded credential vulnerability was identified in the ‘zyfwp’ user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.” A search on Shodan (a search engine that can find computers and devices connected to the internet) shows nearly 30,000 of these devices deployed in Russia; 5,000 in Taiwan, Germany, and Finland; with nearly 3,000 in the United States.
Other Supply‐Chain Attacks
Starting in early December 2020 and into early 2021 ( January 2), there were four major third‐party (supply‐chain) attacks and vulnerabilities announced in the span of 20 days. These attacks or vulnerabilities went on for months or longer. Evidence in the SolarWinds and Vietnam attacks pointed to advanced persistent threats launching into the weaponization of the supply chain. In two of the cases, the attacks were directed at nearly a whole country (Vietnam through the VGCA, and Mongolia through the Able Desktop). In three of the instances, the attackers were all APTs and were stealthy enough to remain undetected for months or longer. These attackers have seen what they can do with the weakest links—vendors—to get to a wide range of targets.
Chief Information Security Officers (CISOs) at Fortune 500 companies have spent billions of dollars in the last decade securing their networks from such breaches. Some great tools have been implemented, like Intrusion Detection/Prevention Systems (IDS, IPS), Cloud Access Security Broker (CASB), Privileged Access Manager (PAM), Security Information and Event Management (SIEM), and Security Operations Centers (also referred to as Cyber Fusion Centers) have been built to track and eliminate threats. However, the level of breaches in 2020 continued to increase exponentially. The number of third‐party breach instances grew because every company is some other company's vendor. As the number of these breaches increased, it meant another vendor with hundreds, thousands, or millions of customers became a victim as well.
Public law enforcement is also sounding the alarm. On December 8, 2020, at the American Bankers Association (ABA) Financial Crimes Enforcement Conference, FBI Director Christopher Wray stated, “The financial sector has the most robust cybersecurity of any industry,” which is why cybercriminals try third‐party channels. Banks can also be affected by ransomware targeting third parties, a threat that Wray said “may be somewhat underestimated by a lot of people.” While he specifically called out financial firms, the same could be said of many other sectors, including aerospace, energy, technology, biotech, and others, which generally have excellent security on their own company's assets. Most of the victims of the SolarWinds attack have been in the technology and government sectors, which typically have had good‐to‐excellent security. In those cases, hackers will target the weakest link, attacking vendors who take security less seriously.
Hundreds of examples like this have occurred over the last decade, across the world, and in every industry: Ticketmaster, Capital One, Tesla, Under Armor, Boeing, PayPal, Chubb, nearly every major worldwide automaker, Sears, Best Buy, Entercom, and T‐Mobile. In the case of FireEye or a customer of Zyxel, these companies lost protected data as a result of a third (or fourth) party. No one in the public realm remembers that third party; they simply remember the company they trusted with their data who let them down. Such breaches cost these companies large amounts of money, which directly affected consumers, and extensively damaged the companies' reputations. In areas where there was a heavy regulatory presence, the breached firms were often left holding fines as well. In August 2020, the Office of the Comptroller of the Currency (OCC) assessed an $80 million civil penalty against Capital One for failure to establish effective risk assessment processes prior to migrating significant information technology operations to its public cloud environment. It is expected to cost Capital One up to $150 million, and it cost the company's CISO his job at the firm.
Problem Scope
The secret is out: If you want to attain protected data as a hacker, you do not attack a big company or organization that likely has good security. You go after a third party that more likely does not. Companies have created the equivalent of how to deter car thieves: Ensure that your car looks difficult enough to break into so that thieves move onto the automobile with its doors unlocked and keys in the ignition. When a burglar sees a car with a car alarm, they know that they can look and eventually find a target that isn't so well protected. Exploiting the weakest link is not new. A bank robber could go to the bank to steal money, but a softer target would likely be the courier service as it brings the money into and out of the bank.
To date, cybersecurity and third‐party risk teams have not often collaborated or understood the common threat, instead focusing their security on their own silos. In most regulated industries, this has led to the typical rush to the bottom to meet the regulatory requirements; meaning, rather than create a security program that secures their data and network, they do just enough to keep the regulators happy. Regulators are never considered to be on the leading edge. Whether it is in financial fraud or cybercrime, they simply do not lead in best practices for any field. However, it is not their responsibility. Regulations are typically designed to limit the behavior of a company that may cause financial or bodily harm. The most highly regulated industries, such as energy, biotechnology, finance, telecommunications, aerospace, and many others, have robust Third‐Party Risk Management and cybersecurity teams. However, if these industries rely on doing what the regulators require of them, they are not going to be performing their best practices.
The most successful companies at preventing their systems from being compromised go beyond what a regulator or regulation mandates them to do for compliance. The regulations and their enforcers get involved after something bad has already occurred. Sarbanes‐Oxley (SOX) was a financial regulation designed to lower the risk of financial fraud by publicly traded companies after the damage done by the tech bubble crash in the early 2000s. The Dodd‐Frank Wall Street Reform and Consumer Protection Act was passed in 2010 after the financial meltdown leading to the Great Recession. These widespread changes in regulation occurred as a reaction to the excesses and missteps that lawmakers felt led to the meltdown. Nearly every regulation passed is due to a previous misstep, not in anticipation of the next misstep or mistake
Being reliant on the government to set the standard for what to do and how to do it is a recipe for disaster. This is not to say, however, that regulations are without their merit when enforced correctly. The argument here is not about whether there should be regulations, but more about if organizations should be advised to view those regulations as the bare minimum to perform. In the case of cybersecurity and third‐party risk, regulations provide some excellent guidance on what is important for organizations. However, if a cybersecurity or third‐party risk team only relies on regulators for the best practical procedures to follow, there's a high likelihood their companies will be hacked. In fact, the likelihood is that they will be hacked quite a bit faster than those companies that view regulatory requirements as their starting point.
To illustrate the point, we can look at the Payment Card Industry Security Standard (PCI‐DSS), which is the payment card standard (using credit and debit cards), to guarantee consumer financial data protection. PCI‐DSS has very specific recommendations and is regularly updated for how to secure