Last week FBI Director Christopher Wray warned financial institutions at the ABA Financial Crimes Enforcement Conference that third-party vendor vulnerabilities are an increasingly appealing target for cybercriminals. Just a few days later, we were reminded how insidious these attacks can be when it was discovered that Russian hackers infiltrated the email systems of the Treasury and Commerce Departments, and potentially others.
Hackers acting on behalf of Russia inserted malicious code into software updates for SolarWinds’ Orion software, the Financial Times reports. Orion is software that organizations use to monitor their own systems; the malicious code opened a backdoor into it and allowed the hackers to spy on internal emails, potentially going back as far as March.
SolarWinds is not a small, inexperienced company. Over 300,000 companies and U.S. government agencies are customers, including the U.S. military, the State Department, the NSA, and the Office of the President, among others. CitiFinancial, Credit Suisse, the Federal Reserve Bank, MasterCard, and NCR are also listed as customers. The full size of the breach is not known yet, and it’s likely that more than the Treasury and Commerce departments are impacted by this vulnerability.
The vendor’s own policies may have made the breach harder to detect, according to KrebsOnSecurity, because the company warned that its products might not work properly if its file directories weren’t exempted from antivirus scans.
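That is the practical lesson for any institution running vendor software: an antivirus exclusion a vendor asks for is a standing blind spot, and it should be recorded in change control and periodically reconciled against what is actually configured. The following PowerShell script is an added example written for this post, not code from SolarWinds, Krebs, or the post’s author. It assumes the endpoint runs Microsoft Defender (so `Get-MpPreference` is available) and that the institution keeps an approved list of exclusions; the allowlist entries in the script are placeholders to be replaced with the exclusions your own change records approve.

```powershell
# Added example (not from the original post): reconcile the Microsoft Defender
# exclusions actually configured on a host against the exclusions your change
# control has approved, so vendor-requested exclusions never go unnoticed.
#
# Assumption: Microsoft Defender is the installed antivirus (Get-MpPreference).
# The allowlist values below are placeholders, not real vendor paths.

$ApprovedPaths = @(
    'C:\ExampleVendor\Data'    # placeholder: a directory a vendor asked you to exclude
)
$ApprovedProcesses  = @()      # placeholder: approved process exclusions, if any
$ApprovedExtensions = @()      # placeholder: approved extension exclusions, if any

# Returns one object per configured exclusion that is not on the approved list.
function Get-UnapprovedExclusions {
    param(
        [string[]]$Current,    # exclusions currently configured on this host
        [string[]]$Approved,   # exclusions documented in change control
        [string]$Kind          # 'Path', 'Process' or 'Extension' (for the report)
    )
    foreach ($item in ($Current | Where-Object { $_ })) {
        if ($Approved -notcontains $item) {
            [pscustomobject]@{ Kind = $Kind; Exclusion = $item }
        }
    }
}

# Read the live Defender configuration for this host.
$pref = Get-MpPreference

$findings = @(
    Get-UnapprovedExclusions -Current $pref.ExclusionPath      -Approved $ApprovedPaths      -Kind 'Path'
    Get-UnapprovedExclusions -Current $pref.ExclusionProcess   -Approved $ApprovedProcesses  -Kind 'Process'
    Get-UnapprovedExclusions -Current $pref.ExclusionExtension -Approved $ApprovedExtensions -Kind 'Extension'
)

if ($findings.Count -eq 0) {
    Write-Output 'All Defender exclusions on this host are on the approved list.'
} else {
    Write-Output 'Defender exclusions not covered by change control (investigate each one):'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on each host, or through your endpoint management tool, and treat any unapproved entry as a finding: either it is a vendor requirement that was never documented, or it is something an intruder added to keep their tooling out of scans. Either way, the directory a vendor asks you to exclude should still be covered by file-integrity monitoring or EDR telemetry so that an update dropping unexpected code there is still visible.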
What the FBI Has to Say About Third-Party Vendors and Financial Institutions
Going back to FBI Director Wray’s comments, he noted that, “Cybercriminals are targeting the vulnerabilities in third-party services for initial infections as a way to present new risks and challenges to the FIs.”
He also warned that financial institutions’ strong cyber controls can give a false sense of security. “In many ways, the financial services sector has some of the most robust cybersecurity of any industry, but I think there is perhaps an underestimated, in fact, I’m confident, an underestimated risk of compromise to an otherwise secure network of bad guys essentially coming in through third-party services which might not have the same level of cybersecurity but, in turn, are incredibly impactful in terms of disruption on any number of client institutions,” he said.
“Looking at third-party risk is something I would urge your audience to make sure they are paying attention to,” Wray said.
Previously, in June, the FBI released a warning of increased attacks via mobile banking channels.
Are You Monitoring Your Vendors for Cyber Risk?
When the U.S. government discovered the breach, it issued an emergency directive ordering all agencies to immediately disconnect Orion software from their networks, not just the agencies with known breaches. The government is operating under the assumption that if one or more agencies are impacted, it’s likely others are too.
It’s similar to how third-party vendor cyber monitoring works. Vendor cybersecurity monitoring provides real-time data on vendors’ cybersecurity by collecting and assessing publicly available information. It detects threats and vendor vulnerabilities before they are exploited so that action can be taken to prevent breaches. Good cyber monitoring can also let you know about a problem or incident before a vendor discloses it to your organization. That’s important because the sooner you know, the better chance you have of taking timely corrective action.
Third-party vendor due diligence is also essential so that you know how strong your vendors’ controls are. While a vendor may not want to share all the details of its controls for security reasons, an SSAE 18 audit and the accompanying SOC 2 report can give you peace of mind that independent auditors have conducted a months-long review to verify the effectiveness of its policies and controls.
Earlier this year, Ncontracts successfully completed another SSAE 18 audit to objectively assess our internal operations and assure clients that the company can safely and consistently deliver effective risk management services and software. We have the right controls in place to secure data, maintain availability, protect processes, and ensure compliance and confidentiality.
Further, Ncontracts does not use SolarWinds Orion, has never used it in the past, and is unaffected by this recent event. Our Information Security and Technology Operations team is constantly assessing new and evolving threats and taking steps to mitigate them.
Are you confident that your third-party vendors are protecting your institution and its data from cyberthreats? Our on-demand webinar, Not One & Done: Making the Case for Continuing Cyber Monitoring for Third-Party Cyber Risk, will give you insights into cyber monitoring and third-party vulnerabilities to help position you for vendor cyber risk management success.