This week, MARRIOTT surfaced with one of the largest breaches of the year exposing everything from passports to room service preferences. At first light it seems like a full compromise of just about everything.
https://www.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11
This is a large multinational corporation with resources. The breach appears to have gone on for years. In the next few weeks we will see the same list of errors that have been made time and time again by all these corporations that get hit hard. I will take any bets on the presence of some basic fondamental issues being a large contributing factor. They had some great security in place, but a lot of it was tuned down because they don't understand the technology they bought. They have a great big security team, so they feel so great about their security posture yet senior management didn't listen to them. Some of their partners may even have mentioned some significant issues, but the messenger was shot and the message died a slow death. You name it, they fit the profile.
In parallel to this, in my role as CSO for one of my clients, I am evaluating two potential vendors for a sensitive data processing service.
I use a single one pager security questionnaire to get the ball going.
I like to give a potential vendor the chance to either lie to me or provide clarity at their lack of competence.
Something I observe overtime is that everyone claims these basic characteristics:
1) They claim to have been doing whatever they are doing.... for ages.....
2) They have the words security dropped on their websites and in their presentations
3) If you ask, they provide secure software, or secure services, or secure anything
4) Of course they test things
5) Of course their developers are qualified and have security experience.
This week, I had the chance to challenge two potential vendors and the delta between the two was shocking, which led to me writing this blog entry.
Generally vendors (especially the ones offering SAAS or cloud based crap) all fit that previous list above and their TRUE reality is that they have negligible security in place since they completely lack cybersecurity competence.
1) Who cares if you have been doing this a long time, who cares if you are a large organization.... have you evolved ?
2) Dropping the word security everywhere does not ensure anything is secure
3) How can you prove you are delivering secure xyz ?
4) They are not testing much if anything
5) Their developers are perhaps great, old, experienced developers, but they do not have security training and no secure SDLC is in place.
So I wanted to talk about TESTING today, because I frequently am faced with evaluating the tests that vendors claim they do with the real world requirement to do a reasonable amount of testing.
THE #1 OBJECTIVE: When doing security testing, the first objective is not to find bugs, but to find root causes and fix the behaviour that leads to exploitable vulnerabilities. This way when you come back and test down the road, everything hasn't regressed.
Doing a full set of tests on a web application may require 10 to 15 days of well orchestrated testing. When management comes back with a comment along the lines that this is expensive, this means they seriously lack comprehension on what delivering a quality service entails.
Performing quality testing pays large dividends. The things you identify lead to your operational staff and your development staff learning from their mistakes, they add to their knowledge and start producing better quality systems and code.
ILLUSION OF SECURITY
So if you are doing business with someone who is providing you with a report that something was tested.... you need to know if this is provided as an illusion of security or was something really truly tested with an adequate testing initiative.
That is why I always ask to see the work order, the bill, the number of hours invested. I especially love asking after a vendor has navigated their ship into the lies that are so typical of incompetence. We have big clients, look at my client list. And they never asked us all these questions.
Well guess what buttercup, the let you assume a level of responsibility based on your bold statements that someone with more maturity and experience (little old me) is not going to let you do. I do not adhere to the transfer of responsibility trend that traded companies so enjoy. When something gets violated, I know that my client will look bad, and I will look bad if everyone did not do their job with quality in mind.
So ask your vendors if they deliver quality service, than ask them if they perform quality tests. Once you have had your bullshit answers for both those questions, ask for the test report and make sure that includes the man hours to perform the tests, or the bill if done externally.
But brace yourself, you will see a lot of $2500 and $5000 full blown application security tests.
Don't be too insulted when you realize that this quality service that is being presented to you has only invested a few days of security oversight across their entire product line.
Do remember this however, when something goes terribly wrong and a real expert looks under the hood.... that couple days of security is going to make you look like the biggest idiot this side of the white house.
Remember Equiflop. I mean Equifax. After they got violated they actually reported that in order to bring their security up to the expected level that it should be... they invested $170 million if I recall.
SOME BASICS
Simply running an automated VA (vulnerability Assessment scan) across a system does not test the application.
Simply running a web application testing tool across an unauthenticated web page does not test the application.
Investing a couple days of security on a system is NOT SECURITY TESTING
If your vendor is telling you that they do great secure work and this is the types of tests they are providing you, than you are being provided a false sense of security, they are not learning from their mistakes, and the application provided has not been tested.
Enterprises frequently try to stay competitive by not increasing their level of service or the quality of the service they provide. This is extremely dangerous in IT. Things have changed dramatically in the last decade, and companies who use the word SECURE are starting to get sued when it turns out to have been a gross exaggeration amounting to negligence.
I love my job. I love being the acting CSO for my clients because I get to ask these really good questions. And as an added perk, when I walk into a room with a vendor and they have done their homework I can hear their butt cheeks tighten up. That means I'm doing a great job and they are not.
You should always work with vendors who have relaxed butt cheeks.
So back to my two vendors. The first one was a disaster of lies and lack of competency. The second one had stunning responses, had hired a full time security person with adequate credentials and they do real testing using methodologies that actually exist and wasn't simply made up.
Moral of the story is that some vendors are providing quality services and do invest to ensure that this is the case.
Ask questions, don't be the type that assumes that everything is ok just because someone said they test things or that they deliver secure services.
Figure out if your vendor LIES or is INCOMPETENT.
Huge difference between the two really. Very hard to work with lies. Lack of competency however you may be able to work with. If the vendor is willing to learn and work transparently and continuously getting better.
So it is really your call. Do you want to be willfully blind, work with liars, work with negligent incompetence or take the time to find the vendor that will actually deliver on their promises of security.
As for Marriott, you can bet that every level of management is pointing the finger at each other, you can also bet that several third parties are in the loop and probably contributed to this failure. And you can bet that the vetting process was terribly weak, mostly based on inbreed decisions.
What you can also bet on is that you won't hear about them. All you will remember this time next year is how Marriott got the shit kicked of the them in an embarrassing breach.
Remember that next time you deal with weak vendors that if you fail to vet them adequately it is your reputation that will pay the price.
Ask questions folks, and choose to work with quality staying far away from illusions of quality.
For now, I'm going to get myself a nice Cognac, throw some wood in the fireplace and watch the Marriott story unfold. They won't admit it, but they will lie through their teeth for the next month.
Always a great way to end a week for me.
And yes, I still refuse to participate in the illusion of security. I don't do 2 day intrusion tests so that some jackass has a report to hand in that says that "something" has been done.
_______________________________________________
Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.
Follow Eric on:
Twitter @ericparent
LinkedIn : EVA-Technologies
www.eva-technologies.com