Last month, over the holidays, we witnessed multiple vendors experience security breaches of varying levels of severity. From LastPass and Okta to Slack and CircleCI, the news has been filled with headlines reporting on the aftermath of these incidents. We wanted to briefly cover these stories and discuss their implications for you in the current year.
A timeline of vendor security incidents Dec 2022-Jan 2023
This past month, we've seen four major vendors notify customers of security incidents, three of which involved access to GitHub repositories. Both Slack and Okta note that customer data or sensitive data that can impact their services were not accessed in these incidents.
What can these incidents teach us about third party risk?
All of the security breach notifications where somewhat vague in describing the scope of each incident, though we now know just how extensive the CircleCI and LastPass breaches were due to the exposure of secrets they caused. When evaluated collectively, these incidents give us a lot to reflect on, below we cover some critical takeaways.
1. The true impacts of incidents can remain unknown & undisclosed for a long time
As the LastPass security incident illustrates, what may at first seem like a security incident with minimal impact can evolve into a more complicated situation with a much broader impact. It's critical to take every vendor disclosure as a serious opportunity to review your security policies and look at what types of systems and data might be at risk given your relationship to any third-party issuing a disclosure.
2. Conduct your own due diligence to understand the personal impacts of any disclosure
As alluded to above, it's critical that you take a proactive stance to evaluate your risk after exposure to a vendor incident. This will allow you to get ahead of any threat actors, in the instance there are downstream effects and provide peace of mind. For example, Dividend Finance leveraged Nightfall to determine if there were any indicators of compromise after last year's Hiroku token theft. Doing this reassured the org that they had done enough to mitigate their risk.
3. Multiple incidents may affect your organization simultaneously
The pace at which these incidents occurred (essentially all in the last two weeks of December) helps drive home the point that third-party risk can happen at any time and you can be susceptible to multiple types of third party risk simultaneously. This makes deploying tools that give you visibility into your environments extremely critical, as well as developing review and auditing processes to regularly assess the state of these environments.
4. The consequences from these incidents can cascade
Because information (secrets, customer data, etc) from one incident can be leveraged to initiate other incidents, the consequences of third-party risk can cascade if they're allow to propagate. As Ars Technica's Dan Goodin notes, the internet is an interconnected mesh of services and content delivery networks. This makes it very important to keep aware of incidents as they happen so you can better appreciate their implications.
How should you respond to third party risk and supply chain attacks?
Incidents like these highlight the importance of ensuring your environments are free of sensitive data that can escalate the severity of an intrusion, should the worse happen. This is a lesson we highlighted last year as it became apparent that third party risk, especially from supply chain attacks, was growing. One key means of cleaning your environments is by nuding employees to develop better data sharing and handling practices, in order to prevent (for example) the proliferation of customer data or the sharing of passwords in systems like Slack, GitHub, etc. Investing in tools that can both provide the visibility to see where this data is, while nudging employees towards more secure behavior has become increasingly important. Nightfall is one such tool that provides these capabilities. The Nightfall platform allows users to continuously scan cloud environments for inappropriate disclosures of PII, PHI, PCI, credentials, secrets, and more. Any time there is a disclosure or sharing of this information that violates a users policies about when and where such information can be shared.
To learn more you can watch our on-demand webinar Build Continuous Security & Compliance into Your SaaS Environments.