Common Entry Points #5 – External Vendors
Tag, you’re it! That infamous saying may remind you of your childhood, but it’s also applicable to the never-ending game threat actors play. They hunt around looking for unsuspecting victims who simply haven’t paid attention to their security gaps and left their organization’s vulnerabilities unaddressed.
With just a tap, hackers can deliver the same deadly blows to company after company, making it more critical than ever for CTOs and IT professionals to stay on top of the latest attack trends and learn how to harden their security posture based on past attack patterns.
In this final post in our five-part Common Entry Points series, we’ll discuss another real-world attack that the CYREBRO team investigated. In this instance, we discovered that an OEM provider unknowingly compromised a client’s network.
What is an OEM device?
Running a business and staying ‘in the black’ is a delicate balancing act, particularly in today’s climate. Rising costs can make turning a profit challenging, often spurring leaders to look for affordable alternatives to expensive hardware and software. One choice that many companies make is to purchase OEM devices.
OEM (original equipment manufacturer) devices come directly from the manufacturer of the product as opposed to being marketed through a retailer or manufactured by the end user. OEM devices come preinstalled with some services and functionalities and are meant for a single purpose.
For example, instead of a bank building and developing its own ATMs, it will purchase them from an OEM company that specializes in producing the machines. While the bank will deploy the ATMs, the OEM will connect them to the bank and manage, update and maintain the devices, as well as fix any machine-related issues.
The cost-saving nature of the machines does come with some caveats. Many times, OEM devices continue to run on older operating systems with known vulnerabilities that remain unpatched because no one bothers to update them, making them an easy target for threat actors.
An OEM delivers the WannaCry virus to a CYREBRO client
A few years ago, CYREBRO investigated a real-world case in which one of our clients was hit with WannaCry, a ransomware cryptoworm that targeted Microsoft Windows operating systems. The malware worked by encrypting the target’s data and demanding a ransom. Following a mass infection, it could also be used as a trojan, infecting other hosts in the network, gathering credentials, and eventually taking over the domain and gaining full access to assets.
The investigation revealed that the attack occurred when an OEM technician plugged a WannaCry-infected laptop into the OEM network. As was typical with this malware, WannaCry propagated using the EternalBlue exploit and managed to reach all of the OEM devices connected to that network.
Use OEMs but take the necessary precautions
Whether you opt for OEM devices or engage with any external vendors, you need to understand the potential risks and how to reduce them. Fortunately, that often comes down to properly vetting these third parties and following some security best practices.
You need to know who you are working with, and you have every right to ask your OEM questions that pertain to maintaining security. After all, in 2021, manufacturing was the most attacked industry, and 47% of those attacks were against victim organizations that hadn’t or couldn’t patch vulnerabilities. As with many cybersecurity threats, being informed is the best way to protect your organization.
Ask the right security questions
Ask every external vendor about their security policies. Specifically, talk to OEMs about the policies they have for technician laptops and other devices. Ensure that no technician has permission to use their own device and that even technology like USB drives, which have no external connection capabilities, is securely managed. It is in your best interest to require that OEM devices are as up to date as possible when installed, and ask the OEM to provide you with a regular update routine if possible.
Question them about the proactive steps they take to maintain security and how often they conduct internal cybersecurity audits. You should also inquire about their incident response plan and whether or not they have a cyber insurance policy. If you sense any gaps in the OEM’s security, threat actors will as well, seeing them as a prime attack point from which to reach more connected, possibly higher-value targets.
Just as you train your staff about security, inquire about the security training their employees undergo. Again, as you’ve probably experienced at your company, employees tend to use basic or repeated passwords, which is high-risk behavior. Question the OEM about password policies to ensure technicians use fresh passwords, not default ones. Reputable OEMs should have no problem detailing these answers if they take their security and business seriously.
Separation is critical
You want to trust your OEM and should be able to after doing your due diligence. Still, sometimes that isn’t enough to offer you rock-solid protection. Lower your risk by placing OEM devices in a network that is separate from your organizational network. Take additional steps to harden the OEM network by denying unnecessary ports and internet access. Do not use domain users on the OEM devices or put them inside the organization’s domain, and never log in to them with Domain Administrator accounts.
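As an added example (not CYREBRO’s code and not a real customer configuration), the following Python script models the segmentation advice above as an ordered, default-deny firewall policy and checks that a host in the OEM segment cannot initiate traffic to the corporate LAN or the internet. The address ranges, the single management host allowed to reach the OEM devices, and the vendor update server are constructed assumptions. A flat allow-everything policy is included beside the hardened one to show what the isolation check catches.

```python
"""
Added example (not CYREBRO's code): a first-match firewall policy simulator
used to verify that an OEM segment is isolated the way the post recommends:
no unnecessary ports, no internet access, no path into the corporate network.
Every address, port and rule below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan (assumption): OEM devices in their own VLAN, the
# corporate LAN separate, one management host allowed to reach the OEMs, and
# the vendor's update server placed inside the OEM segment.
ANY = ipaddress.ip_network("0.0.0.0/0")
OEM_NET = ipaddress.ip_network("10.50.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
MGMT_HOST = ipaddress.ip_network("10.10.5.10/32")
OEM_UPDATE_SERVER = ipaddress.ip_network("10.50.0.250/32")
PUBLIC_PROBE_IP = "203.0.113.5"  # documentation range, stands in for "the internet"


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    note: str = ""


# Hardened ruleset: ordered, first match wins, final rule denies everything else.
HARDENED_POLICY: List[Rule] = [
    Rule(MGMT_HOST, OEM_NET, 3389, "allow", "jump host may RDP into OEM devices"),
    Rule(OEM_NET, OEM_UPDATE_SERVER, 443, "allow", "vendor update server inside the segment"),
    Rule(OEM_NET, CORP_NET, None, "deny", "OEM segment must not reach corporate LAN"),
    Rule(OEM_NET, ANY, None, "deny", "no internet from OEM segment"),
    Rule(ANY, ANY, None, "deny", "default deny"),
]

# Weak ruleset: the flat network the post warns about, where an infected
# technician laptop on the OEM side can reach everything.
FLAT_POLICY: List[Rule] = [Rule(ANY, ANY, None, "allow", "flat network, allow all")]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) of the first rule matching the flow; implicit deny otherwise."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in policy:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action, r.note
    return "deny", "implicit deny"


def segment_is_isolated(policy: List[Rule], oem_net, corp_net,
                        probe_ports=(445, 139, 135, 3389, 80, 443)) -> bool:
    """True if a host in oem_net can reach neither corp_net nor the internet on any probe port.

    Ports 445/139/135 are the SMB and RPC services a worm like WannaCry abuses;
    3389/80/443 cover remote access and web egress.
    """
    oem_host = str(oem_net[10])
    corp_host = str(corp_net[20])
    for port in probe_ports:
        if evaluate(policy, oem_host, corp_host, port)[0] == "allow":
            return False
        if evaluate(policy, oem_host, PUBLIC_PROBE_IP, port)[0] == "allow":
            return False
    return True


if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED_POLICY), ("flat", FLAT_POLICY)):
        print(f"{name}: OEM segment isolated = {segment_is_isolated(policy, OEM_NET, CORP_NET)}")
    print(evaluate(HARDENED_POLICY, "10.50.0.10", "10.10.0.20", 445))
```

The point of encoding the policy this way is that isolation becomes a property you can re-test every time the ruleset changes, rather than a one-off decision taken when the OEM devices were installed. Only the one management host is allowed inbound, only the vendor’s own update server is reachable outbound, and everything else, including SMB toward the corporate LAN, falls through to a deny.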
Scan as often as possible
Run scheduled malware scans as regularly as possible. For some businesses, that could mean only once a quarter, but a better practice would be running the scan monthly. Without these periodic scans, security flaws can go unidentified for weeks, months, or longer, putting your organization at significant risk. If possible, scan for malware and malicious traffic with a traffic analyzer, intrusion detection system (IDS) or intrusion prevention system (IPS).
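The kind of network-level check a traffic analyzer or IDS would apply to WannaCry-style propagation, as an added example that is not part of the original post: a worm probing for EternalBlue-vulnerable hosts produces a burst of SMB (TCP 445) connections from one source to many distinct peers in a short window, and that fan-out is visible in flow logs even when the payload is not. The log format (timestamp, source, destination, destination port), the addresses and the detection threshold are all constructed assumptions.

```python
"""
Added example (not CYREBRO's code): flag any host that opens SMB (TCP 445)
connections to an unusually large number of distinct peers inside a short
sliding window, the fan-out pattern of worm propagation. The flow log, its
"timestamp src dst dport" format and the threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed flow log: 10.10.5.10 is ordinary file-server traffic, while
# 10.50.0.17 (an infected laptop on the OEM segment) sweeps fifteen peers on
# port 445 within fifteen seconds. One 443 flow is included to show that
# non-SMB traffic is ignored.
_worm_lines = [
    f"2017-05-12T10:00:{10 + i:02d} 10.50.0.17 10.50.0.{i + 1} 445" for i in range(15)
]
FLOW_LOG = "\n".join([
    "2017-05-12T10:00:01 10.10.5.10 10.10.0.5 445",
    "2017-05-12T10:00:04 10.10.5.10 10.10.0.6 445",
    "2017-05-12T10:00:30 10.10.5.10 10.10.0.5 445",
    "2017-05-12T10:00:12 10.50.0.17 10.50.0.250 443",
] + _worm_lines)

Flow = Tuple[datetime, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ISO-timestamp src dst dport' lines into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_smb_fanout(flows: List[Flow], window: timedelta = timedelta(seconds=60),
                      threshold: int = 10, port: int = 445) -> Dict[str, int]:
    """Return {source: peak distinct peers on `port` within any `window`} for sources
    whose peak reaches `threshold`. Repeated connections to the same peer count once,
    so a busy file-server client does not trip the rule."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, left = 0, 0
        for right in range(len(events)):
            # Slide the left edge forward until the window fits.
            while events[right][0] - events[left][0] > window:
                left += 1
            peers = {dst for _, dst in events[left:right + 1]}
            best = max(best, len(peers))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(parse_flows(FLOW_LOG)).items():
        print(f"ALERT: {src} reached {peers} distinct SMB peers within 60s (possible worm fan-out)")
```

Tuning matters here: a legitimate scanner or backup host can also touch many peers on 445, so the threshold and window should be set from a baseline of your own traffic and those known hosts allow-listed. A hit from the OEM segment in particular is exactly the signal that the separation described above exists to contain.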
Maintaining security is a 24/7 job
As we’ve pointed out in this post and throughout this series, cyber threats come from every direction. In general, staying on top of your infrastructure and network is an always-on task that mustn’t be neglected. If you can validate your OEM’s security practices (and, of course, those of any other vendors), you’ll at least lower your threat risk. Don’t ever be afraid to ask questions or pry a little deeper if you don’t get the response you were looking for. Due diligence is your responsibility and is a step that cannot be ignored.
As we always suggest, having solutions such as a SOC in place to monitor all of your access points and detect suspicious activity in real time will go a long way and provide you with peace of mind.
If you missed any other articles in this series, check them out. They are packed with actionable tips and cover ITaaS, VPNs, unpatched operating systems, and Remote Desktop Service Hosting (RDSH).