Howard Taylor, CISO Radware, LTD.
Do your closest customers scan your network for security vulnerabilities? For most CISOs, this question may sound crazy. Scanning the net is what the bad guys do, definitely not your friends and business partners.
However, it is now occurring with increasing frequency, and it is evidence of what could be the most intriguing cybersecurity trend that no one is discussing at the moment: shadow compliance.
In the old days, before 2020, for anyone who can remember that far back, compliance meant sending out lengthy questionnaires and requests for documentation to supply chain partners. The more sensitive the sector (for example, military, government or banking), the more complex and time-consuming the compliance checks.
This all still happens of course, but a lot is going on behind the scenes these days. The truth is that there isn’t much trust at the moment, and that doesn’t just apply to wicked hackers and malicious nation-states.
The number one concern is cyber security. As far as your potential partners are concerned, your network may be full of liabilities that could eventually expose them. Gone are the days of organizations making assumptions about other organizations; nothing is taken for granted.
They know not only that you are unlikely to admit cybersecurity vulnerabilities, but that you probably didn’t know they existed in the first place. Given the frequency of major cyber attacks over the past decade, this suspicion makes perfect sense. The game-changer was the SolarWinds hack in December 2020, in which thousands of customers were compromised through hijacked software updates. What shocked people most was that the compromise of a long-trusted product created a loophole that bypassed the carefully built security of thousands of customers.
The weak point that was revealed was confidence itself. This has led to an increasing number of companies taking matters into their own hands and hiring specialized firms to conduct pen tests of their partners’ Internet-facing resources. This can include searching for IP addresses or ports within a network communicating with a suspicious host, and may also include a dark web scan for leaked data.
The best illustration of what this means for CISOs is the tale of a technology company that wanted to sell its products to a European bank. Everything seemed to be going well with the relationship in its early stages until one day, suddenly, the tech company got a call telling it that the bank had detected some “anomalies” on its network. The bank wanted an immediate explanation.
Over the course of two months of exchanges, it turned out that the problem the pen testers discovered was caused by a forensic security check conducted by the tech company’s internal threat detection system. In other words, the anomaly was a false positive, small consolation given the weeks of effort spent reassuring the bank. The tech company was guilty until proven innocent.
Is all this subtle due diligence so important?
I would argue that it matters a lot, in part because it points to a future of compliance that few organizations have reached. This compliance born of mistrust is spreading like wildfire from one sector to another. In fact, these types of checks may soon become a 24/7 continuous process that requires constant vigilance by CISOs.
How does an organization succeed in this new reality of shadow compliance? The secret is good “cyber” housekeeping. Just like regular housekeeping, an organization has to maintain a system to keep its IT estate in good shape. This system is built on boring routine tasks that are usually forgotten. It may not be as exciting as hunting state-backed attackers or big data analytics, but it is highly effective in combating cybercrime and satisfying customer audits.
The pillars of this system are asset and configuration management, software and hardware updates, limiting access to IT resources and applications and continuous monitoring.
Proper asset and configuration management lays the foundation for dealing with shadow compliance. All hardware, software, application, database, and network components must be inventoried to ensure that only current, supported versions are in use and that all appropriate security features are activated. End-of-life software or devices no longer receive important security updates, leaving them vulnerable to cyber attacks. It is also important to configure these components according to the vendor’s recommendations to ensure that all security settings and functionality meet business requirements.
Once your infrastructure basics are updated and installed correctly, don’t think you can sit back and focus on running your business. Effective security measures are never fixed. New vulnerabilities appear daily, and left unchecked they can easily become the subject of the next customer scrutiny. You must run an ongoing maintenance process to identify, prioritize, and install hardware and software updates. These updates protect your infrastructure from known attack scenarios, making them an immediate necessity, and they will help prepare you for when your customers come to probe your network.
Next, it’s time to lock up the house. If everyone has a set of keys, there is no security, and this applies to your IT environment too. Restrict access to systems to those who need it to do their job. Access should be removed when it is no longer needed, especially when an employee leaves.
Last, but not least, is monitoring. This includes collecting logs of activities such as system and application access, viruses, malicious code, and suspicious network traffic. Your monitoring strategy may include periodic testing (penetration tests and vulnerability scans) performed by a third party to proactively identify security issues. This gives you a list of remediation items that need to be fixed.
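The four pillars above are routine checks, and routine checks can be run as code on a schedule rather than remembered on audit day. The script below is an added illustration, not Radware tooling or code from this article: it flags software running below a support floor, access grants held by departed staff or left idle, and logged connections to hosts on a watchlist. The inventory, version floors, account register, log lines and watchlist are all constructed for the example (the floors are hypothetical, not vendor lifecycle data), and the review date is fixed so the results are reproducible.

```python
"""Routine cyber-housekeeping checks over constructed sample data.

Three checks that map to the pillars above: unsupported software versions,
access grants that should have been revoked, and outbound connections to
hosts on a watchlist. Everything here (inventory, support floors, accounts,
log lines, watchlist, review date) is constructed for illustration.
"""
import re
from datetime import date

# Constructed asset inventory: one row per installed component.
INVENTORY = [
    {"asset": "web-01", "software": "nginx", "version": "1.18.0"},
    {"asset": "db-01", "software": "postgresql", "version": "9.6.24"},
    {"asset": "vpn-01", "software": "openvpn", "version": "2.5.8"},
]

# Constructed support floors: lowest version still receiving security
# updates. Hypothetical values, not vendor lifecycle data.
MIN_SUPPORTED = {"nginx": "1.20.0", "postgresql": "12.0.0", "openvpn": "2.5.0"}

# Constructed access register: who holds what, and when it was last used.
GRANTS = [
    {"account": "alice", "system": "erp", "status": "active", "last_used": date(2024, 5, 28)},
    {"account": "bob", "system": "erp", "status": "departed", "last_used": date(2024, 4, 2)},
    {"account": "svc-backup", "system": "db-01", "status": "active", "last_used": date(2024, 1, 15)},
]

# Constructed firewall log lines (documentation address ranges) and a
# watchlist of destination hosts the SOC wants flagged on sight.
LOG_LINES = [
    "2024-06-01T09:12:44Z ALLOW src=10.0.0.5 dst=198.51.100.20 dport=443",
    "2024-06-01T09:13:02Z ALLOW src=10.0.0.9 dst=203.0.113.7 dport=4444",
    "2024-06-01T09:13:10Z DENY src=10.0.0.9 dst=203.0.113.7 dport=22",
    "garbage line that does not parse",
]
WATCHLIST = {"203.0.113.7"}

# Fixed review date so the idle-days arithmetic is reproducible.
REVIEW_DATE = date(2024, 6, 1)

LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def parse_version(text):
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_unsupported(inventory, min_supported):
    """Components running below the support floor, or with no floor known."""
    findings = []
    for row in inventory:
        floor = min_supported.get(row["software"])
        if floor is None or parse_version(row["version"]) < parse_version(floor):
            findings.append((row["asset"], row["software"], row["version"]))
    return findings


def find_stale_access(grants, today, max_idle_days=90):
    """Grants held by departed staff, or unused for longer than max_idle_days."""
    findings = []
    for grant in grants:
        idle = (today - grant["last_used"]).days
        if grant["status"] == "departed":
            findings.append((grant["account"], grant["system"], "holder departed"))
        elif idle > max_idle_days:
            findings.append((grant["account"], grant["system"], f"unused for {idle} days"))
    return findings


def find_watchlisted_connections(lines, watchlist):
    """(src, dst, port) tuples whose destination is on the watchlist.

    Lines that do not match the expected format are skipped rather than
    raised on, so one malformed record cannot stall the whole review.
    """
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match and match.group(2) in watchlist:
            hits.append((match.group(1), match.group(2), int(match.group(3))))
    return hits


def run_housekeeping(today):
    """One pass over all three checks; returns findings keyed by pillar."""
    return {
        "unsupported_software": find_unsupported(INVENTORY, MIN_SUPPORTED),
        "stale_access": find_stale_access(GRANTS, today),
        "watchlisted_traffic": find_watchlisted_connections(LOG_LINES, WATCHLIST),
    }


if __name__ == "__main__":
    for pillar, items in run_housekeeping(REVIEW_DATE).items():
        print(f"{pillar}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

Run as-is it reports two unsupported components, two grants to revoke and two watchlisted connections. In practice the three constructed tables would be replaced by exports from the CMDB, the identity system and the firewall, and the script run on a schedule so the findings list is empty long before a partner's pen testers go looking.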
Taking these actions should significantly improve your security profile and help keep your customers happy.
If you’re not part of today’s shadow compliance trend, you soon will be. This trend is not going away. My advice is to prepare for deeper questioning rather than resisting it. Experts said that building structures of mistrust would have long-term effects, and they were right.