Contributed by Ashwin Ram, Office of the CTO, Check Point Software
July 21 – Reuters reported on a successful cyber attack against Northern Trains, a UK state-owned rail operator. The report stated that, to stop the spread of the ransomware attack, Northern Trains had to resort to disconnecting infected servers and ticketing machines.
It is unclear at the moment exactly how the threat entered the Northern Trains network, as investigations are still ongoing. The most common delivery method for these types of attacks is through weaponized documents or malicious links.
Interestingly, The Register has reported that a representative for Northern Trains referred further questions to Flowbird Transport, which provides the ticketing system in question, telling us “it’s their system that’s been affected.” Does this mean Northern Trains are passing the blame onto their supplier?
Based on IBM’s ‘Cost of a Data Breach Report 2020’, it takes organizations in the UK on average 181 days to identify breaches, and a further 75 days to contain them. It’s very plausible that threat actors have spent their time understanding their victims so that they can monetize their activities as much as possible. This is why a full compromise assessment must be the first step after key systems are restored.
The reality is that most organizations don’t have a great understanding of the risks that they take on when they enter into a relationship with a 3rd party business partner. It is imperative that organizations have a strategy to reduce the risk of 3rd party supply chain attacks.
Some key questions that CISOs need to address in my opinion are:
- Do I have a clear understanding of the importance of each of the 3rd party business partners to my organization’s strategic goals?
- Do I have a cyber-strategy to mitigate 3rd party risks?
- Am I prioritizing cyber strategy for 3rd parties that are strategic to our business goals?
- Do we have a process for validating the cyber maturity of our suppliers and vendors?
- Do we have a ‘right to audit’ clause for 3rd party suppliers and vendors?
- Are we utilizing risk-management frameworks and do we have a Vendor Management Program?
Suffice it to say, organizations will do well to ensure their 3rd party business partners have the same level of cyber maturity as them, or better.