Outsourcing is the new normal
Carmakers usually don’t produce the tires that go on their vehicles. Computer manufacturers often won’t even build their own microprocessors. Instead, both rely on other companies to provide those components so they can focus on the aspects of their business that drive their own success. Similarly, traditional retailers moving online are increasingly outsourcing aspects of their digital operations so they can concentrate on what they know best.
But there are risks
Retailers turned “e-tailers” face new cyber risks that come from outsourcing to third parties for everything from chat-bots to business analytics, intelligence processes, and even shopping carts. When companies skimp on vetting their third-party partners and on doing things “the right way” in favor of upfront cost savings, they also increase their risk.
Consider the recent spate of attacks against retailers with a large online presence. These aren’t obscure, boutique shops. A brief search will turn up large companies, too numerous to name, that have fallen victim to hackers.
The common factor in these attacks is that the retailer hosted, or loaded from elsewhere, code on its website which, when executed in customers’ browsers, quietly copied a small stream of data (largely payment card information) and sent it to a server the attacker controls, while the checkout still completed normally and the data still reached its intended destination. Because nothing visibly fails, neither the customer nor the retailer notices. It’s the internet’s version of an ATM skimmer. For more details and background on one of the main culprits behind these attacks, search for “Magecart.”
Typically, the code that is attacked wasn’t written by the retailer but by a third party. It was easier and quicker for the retailer to buy the new service (that is, the code), load it on their own web servers or add the script tags and iframes that call out to the vendor’s servers, and be done. What would have taken the retailer weeks, if not months, to develop was accomplished for less money and in far less time.
The problem is that companies are sometimes so eager to get new functionality to market that they cut out important steps: reviewing the code, performing due diligence on the third party providing the service, checking that the code hasn’t been tampered with once it is in place, and continuously monitoring it after it has been deployed rather than first reading about a compromise on Krebs on Security or RiskIQ’s website.
Steps you can take
All the controls and processes your company typically follows should be applied equally, regardless of whether the new code (service or application) is written in-house or provided by a third party. This means that, at a bare minimum, you should be performing the following:
1.) Prior to going into production, run the code through static analysis (SAST) and, if possible, dynamic analysis (DAST)
2.) Once in production, run dynamic analysis against the deployed code to see how it behaves in the real world
3.) Protect the hosts and network that surround the code, both inside and out, with firewalls, NIDS/NIPS, least-privilege access, weekly patching (at a minimum), etc.
4.) Ensure common-sense controls like AV/endpoint protection, FIM (file integrity monitoring), and regular patching are in place; note that FIM only covers the copies on your own servers, so a script loaded directly from a vendor’s domain has to be checked at that source as well
5.) Go the extra step of installing more advanced controls like an EDR (endpoint detection and response) sensor; if that isn’t possible yet, plan for it, because today’s “advanced” controls will most assuredly become tomorrow’s “required” controls
6.) Implement domain-name registrar monitoring, which detects when someone registers a domain that contains or resembles your trademarks; this can be done with free tools or bought from a third-party provider
7.) Don’t get caught asleep at the wheel; monitoring is only effective if a human actually sees the alerts and responds to them
8.) Lastly, stay up to date on the latest methods of protecting your code, processes, etc.
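As an added example (not code from the original page or from Worldpay) of the registrar monitoring in step 6: the following Node.js snippet generates the typo, homoglyph and affix variants of a brand domain that a monitoring feed should be watched for, and matches a constructed sample feed of new registrations against them. The confusable table, the affix list, the TLD list and the feed entries are assumptions chosen for illustration.

```javascript
// Added example (not Worldpay's code): generate lookalike variants of a
// brand domain and match them against a feed of newly registered names.
// Node.js, no dependencies.

// ASCII-only confusables (assumption: illustrative, not exhaustive).
const HOMOGLYPHS = {
  o: ["0"], l: ["1", "i"], i: ["1", "l"], e: ["3"], a: ["4"],
  s: ["5"], g: ["q", "9"], m: ["rn"], w: ["vv"], d: ["cl"],
};

// Words a fake checkout or phishing site commonly bolts onto a brand
// (assumption: pick the ones that fit your business).
const AFFIXES = ["pay", "secure", "login", "shop", "checkout"];

// All single-edit variants of one DNS label plus the affixed forms.
function labelVariants(label) {
  const out = new Set();
  for (let i = 0; i < label.length; i++) {
    out.add(label.slice(0, i) + label.slice(i + 1));          // omission
    out.add(label.slice(0, i) + label[i] + label.slice(i));   // repetition
    for (const sub of HOMOGLYPHS[label[i]] || []) {
      out.add(label.slice(0, i) + sub + label.slice(i + 1));  // homoglyph
    }
    if (i < label.length - 1) {                                 // transposition
      out.add(label.slice(0, i) + label[i + 1] + label[i] + label.slice(i + 2));
    }
  }
  for (const a of AFFIXES) {
    out.add(`${label}-${a}`);
    out.add(`${label}${a}`);
    out.add(`${a}-${label}`);
  }
  out.delete(label);
  return [...out];
}

// Full watch list: every label variant on the original TLD and on a few
// others, plus the unchanged label on the other TLDs.
function lookalikeDomains(domain, tlds = ["com", "net", "shop", "co"]) {
  const [label, ...rest] = domain.toLowerCase().split(".");
  const originalTld = rest.join(".");
  const names = new Set();
  for (const v of labelVariants(label)) {
    for (const tld of new Set([originalTld, ...tlds])) names.add(`${v}.${tld}`);
  }
  for (const tld of tlds) {
    if (tld !== originalTld) names.add(`${label}.${tld}`);
  }
  return [...names].sort();
}

// Match a feed (a daily new-registration export, a certificate transparency
// log scrape, etc.) against the watch list; returns hits in feed order.
function matchFeed(domain, feed) {
  const watch = new Set(lookalikeDomains(domain));
  return feed.map((d) => d.toLowerCase()).filter((d) => watch.has(d));
}

// Constructed sample feed: three unrelated names and two lookalikes.
const SAMPLE_FEED = [
  "weather-today.net", "exarnple.com", "bakery-corner.shop",
  "example-checkout.com", "gardening.co",
];

console.log(matchFeed("example.com", SAMPLE_FEED));
```

Exact matching keeps the false-positive rate low enough for a human to review every hit, which is the point of step 7; if you later want fuzzier matching (edit distance against the raw feed), do it as a second, lower-priority queue so the exact hits are not buried.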
If you’re seeking to augment your company’s daily operations with outsourced services, whether website code or something else, it’s imperative that you do so in a way that effectively addresses the risk. Third-party risk management, through a dedicated team or a proven process, along with security sensors, the people who watch them, and every other applicable internal monitoring process, must not be overlooked.
Worldpay is continually working to stay ahead of current threats and protect our customers’ data. This includes implementing the above-mentioned controls, and much more. At Worldpay, we treat production-bound source code with the same care, attention, and diligence as we do our most critical assets.