Can you trust your penetration testing company with your results, or are they inadvertently performing the initial reconnaissance for cyber criminals, with you picking up the bill to boot? Whether from an insider threat or remote access trojan, penetration testing (pen test) companies are an ideal target for cyber criminals. Their customers are a ready made list of organisations with valuable enough data to justify a paying for a pen test, or some regulatory compliance requirement.
Pen test results are available for purchase on the dark web, so this is not just theory, but a reality. If you know there are major shortcomings with your IT security, there is no point paying for an expensive pen test when the money could first be put to use to actually address some of the gaps and shortcomings. A report listing all the issues and vulnerabilities in your IT infrastructure is the perfect Christmas gift for a cyber criminal, especially if leaked internally via an insider threat. As a result, third party risk is taken to a new level when it comes to choosing a pen testing company, which means that risk assessments need to reflect this, rather than treat them as any other supplier. The same can be said for IT support companies, who not only have detailed network information on their customers, they also have full remote access and admin privileges to internal systems, as well credentials for any cloud services they administer on behalf of their customers.
A compromised IT support company is a nightmare scenario for their customers, as the majority (or all) of their cyber defenses are not geared up towards blocking authorised remote users with admin privileges. Even if they have advanced monitoring systems, the irony is that often these are provided by the IT support company themselves, so the cyber criminals can easily cover their tracks. Also, if the compromised company manages data backups for their customers, data theft can be carried out on a massive scale without anyone being aware of anything untoward. Stealing data from an offsite backup is the ideal scenario for a criminal, as there is very little to alert anyone, even the logs may only show that the IT support company logged in, if there is any logging in the first place.
Choosing an IT support company that actually takes security seriously (rather than just says they do) is no easy task. A checklist of your requirements or expectations is a good starting point. Questions such as:
- Do they need to be ISO27001 certified, or is Cyber Essentials Plus enough?
- Do they use contractors or outsourced staff to provide 24/7 cover?
- Which countries are they based in and operate from?
- Where is their data stored? Do all users have 2FA or MFA?
- What system do they use for remote access?
- What email filtering service do they use?
- Do they use a SIEM or an EDR platform and so on?
Other less technical questions can be around their insurance, finances and standard due diligence. If your own cyber security systems seem to be more advanced than your IT support company, alarm bells need to be ringing. Ask to speak to some of their customers and if you know anyone there from your social media network, maybe a quick informal chat could make all the difference.
The UK National Cyber Security Centre (NCSC) has some useful free guidance on assessing supply chain security broken down into 12 principles (www.ncsc.gov.uk/collection/supply-chain-security/principles-supply-chain-security) as well as some examples of good and bad supply chain security, to help you get started (www.ncsc.gov.uk/collection/supply-chain-security/assessing-supply-chain-security).
Even once third party suppliers are on board there is still more to do. Lines of communication need to be established as well as any processes that need to be followed to prevent scenarios like Business Email Compromise (BEC) fraud. Any reporting and logging systems need to be able to identify and distinguish between an authorised third party and an authorised internal user. Tracking permissions to which of your systems you have given third party access to, as well as what information they have access is an important ongoing process. If a third party supplier is compromised, access to a multitude of systems may need to be revoked or passwords reset at least. A good starting point is my Excel based GDPR Data Classification & Cyber Security template at www.boolean.co.uk which helps access the risks as well as document the Who, What, Where answers and any mitigation solutions in place.
Just make sure your own house is in order cyber security wise, because many smaller suppliers may ask for examples of what you have in place yourself and how you achieved them.