The weakest link in your supply chain

Opinion Davey Winder Nov 5, 2013

You're secure, your providers are secure ... but what about their partners?

There is no doubt that cloud-shaped toys have been a real boon for developers, with the de-coupling of resources allowing the separation of web servers from storage and databases. The freedom to scale these independently, in both directions as traffic dictates, has meant that developers have discovered a whole new world of cloud-driven opportunity.

Unfortunately, as the MongoHQ database breach last week reminds us, with this freedom to create comes an additional security challenge - the risk to your data and reputation inflicted by bad decisions your business partners make.

In the case of MongoHQ, a company offering cloud-based MongoDB NoSQL database hosting services, which claims to process more than 6 billion MongoDB operations every day, the bad decisions were multiple. A user had the same password for personal and work accounts, and the internal support application was directly accessible over the Internet. When the personal password was compromised, the attackers gained access to the MongoHQ internal support application without having to authenticate via a VPN first. With no two-factor authentication on the internal support app, this not only gave immediate access to customer account data, but also let the hackers impersonate a customer - they were laughing all the way to the root server.

The fact that MongoHQ had hashed the passwords for customer accounts using bcrypt was something of a saving grace, severely limiting the usefulness of the data to the attackers. However, this will be of cold comfort to the clients whose own apps had been impacted by the breach and who have had to send emails to their customers asking them to change passwords. The average user of any application will simply see a security problem with that app, not with something further along the technology food chain.

We then discover the real problem - and it most often remains hidden until the damage is done - your security measures are only as strong as the weakest link in the supply chain. For example, you could outsource any part of your operation to a third party, or partner with another provider, or bring in a contractor; all well and good, but if any of these has a security vulnerability waiting to be exploited, it could be your business credibility that suffers more than theirs does.


I have personal experience of this with the MongoHQ breach, as I was a previous user of an app that got caught up in it. The Sunrise calendar app for iOS used MongoHQ as a database provider; a week after the initial breach was disclosed (and I doff my cap to MongoHQ CEO Jason McCay for being quick to announce preventative measures being put in place to prevent a reoccurrence) it sent me and all other users an email explaining that most of my data was safe but advising me to change my iCloud password.

If I, as someone who has worked in the security field for a couple of decades, am left with the feeling that using a middleman to enable the syncing of data rather than communicating direct with Apple or Google or whoever was a big mistake, then I doubt the man on the street is going to feel any different.

After all, when you sign up to use such apps you generally don't investigate all the services and platforms that the app developers have got into bed with in order to deliver the best functionality at the most realistic cost to them. Indeed, how many developers would declare all their partnerships to end users, and why should they? I had, eerily enough, already changed my iOS calendaring to another app called Fantastical which takes the direct communication route. If I hadn't, I think the MongoHQ breach would have persuaded me so to do.

Which leads me to the moral of this story. When was the last time your business asked the people that you do business with about their security procedures and processes?

Outside of certain highly regulated industries, ones that are well aware that supply chain security needs to be locked down, this question may well be regarded as weird.


After all, before entering into a contractual agreement with your cloud provider you will almost certainly have made just such an enquiry. You may even have established that said provider has attained a certain level of industry certification which satisfies your curiosity. I'd like to think that the same due diligence with regards to security took place throughout every partnership negotiation, including those cloud-shaped tools I spoke of earlier.

I'm sure that they do, to a degree, but is security given enough focus in those discussions or will it take a back seat to more pressing matters of compatibility and cost? Even if the question is asked, and answered to your satisfaction, how many enterprises (of whatever size on the scale) really bother investigating beyond it?

Do you audit the security processes of those you do business with, for example? OK, you can get back up off the floor after you have finished laughing. Obviously you can't expect your partners to open their doors for your auditing process; that would lead to costs spiralling for everyone, with many of those businesses struggling to exist under the weight of the extra administrative and investigative work. What I do mean, and what I seriously suggest you start thinking about, is ensuring that the people you partner with are audited for their security processes and that access to the results is made part of your contractual arrangements.

Combine this level of due diligence all the way along the supply chain with the kind of behavioural analysis systems at your end of the equation which can spot potential breach behaviour (valid passwords being used from non-standard locations for example) and your business will be a long way down the road of protecting itself from the reputational damage that can occur when the cloud-shaped toys of others are thrown out of the security pram.
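One way to implement the behavioural check mentioned above (a valid password being used from a location the user has never logged in from), as an added example that is not MongoHQ's or the author's code; the log format, field names and the sample lines are constructed for this example:

```python
"""Flag successful logins from a country not previously seen for that user.
Added example; the 'ts user=.. result=.. country=..' log format is assumed,
and the sample lines below are constructed, not real MongoHQ data."""
from collections import defaultdict

# Constructed authentication log for an internal support portal: one event
# per line. A failure followed by a success from a new country is the kind
# of sequence a credential reuse incident produces.
SAMPLE_LOG = """\
2013-10-28T09:01:00Z user=alice result=success country=GB
2013-10-28T09:30:00Z user=alice result=success country=GB
2013-10-29T08:55:00Z user=bob result=success country=US
2013-10-29T22:13:00Z user=alice result=failure country=RU
2013-10-29T22:14:00Z user=alice result=success country=RU
2013-10-30T10:02:00Z user=bob result=success country=US
"""

def parse_line(line):
    """Split 'ts key=value ...' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        event[key] = value
    return event if {"user", "result", "country"} <= event.keys() else None

def flag_new_locations(log_text, warmup=2):
    """Return (user, ts, country) for every successful login from a country
    not yet seen for that user, once the user has `warmup` earlier successes
    to serve as a baseline. The baseline is learned from the log itself."""
    seen = defaultdict(set)        # user -> countries with a prior success
    successes = defaultdict(int)   # user -> number of prior successes
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # failures and junk lines do not update the baseline
        user, country = ev["user"], ev["country"]
        if successes[user] >= warmup and country not in seen[user]:
            alerts.append((user, ev["ts"], country))
        seen[user].add(country)
        successes[user] += 1
    return alerts

if __name__ == "__main__":
    for alert in flag_new_locations(SAMPLE_LOG):
        print("ALERT: valid credentials from new location:", alert)
```

The warm-up threshold stops every first login from alerting; in practice the baseline would be built from historical logs rather than the window being scanned.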

Davey Winder


Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.