Yehuda Lindell on Third-Party Risks: “Do they really understand and care about security?”
Are business executives doing enough to mitigate supply chain risks? That’s the question for senior leaders in a year defined by the surge in malicious attacks such as those involving SolarWinds and Kaseya.
SecureDisruptions content director Jeremy Seth Davis spoke with Unbound Security CEO Yehuda Lindell about supply chain risks, the role of senior leadership in preventing attacks, and questions that must be posed to third-party vendors. Unbound Security provides cryptographic solutions to enterprises that work better in modern environments. Lindell has spent 20 years in computer science academia and cryptography research.
This transcript has been edited slightly for length and clarity.
As CEO of a fast-growing company, when evaluating vendors or entering into any contract with a third party, supply chain risk is something that I’m sure you look at. For those who are less aware, can you talk about what the risks really are? What does this look like if decision makers don't get it right?
Often in the security domain, we talk about theoretical attacks, things that attackers could do in certain circumstances. But there have been a number of very high-profile supply channel attacks that we all know about and obviously many more that we don’t, and this goes back to 2012. A huge one was when all of the secrets inside the RSA Security one-time password tokens were stolen from RSA. This was downplayed initially but it turned out that attackers then used that to impersonate employees and break into Lockheed Martin. This isn't confirmed, but the belief is they used that to steal the plans for the F-35. It's a supply channel attack because you're breaking into one organization in order to get into another organization.
In 2019, there was malicious firmware that was distributed to ASUS computers. Again, there was a specific target in mind, but they broke into ASUS in order to get a valid signature on malicious firmware for the computer and then used that to break in. More recently, there was SolarWinds which you all know about, and Mimecast which maybe is connected but we’re not sure.
All of these are real supply chain attacks that are out there. Organizations that aren't aware of this really have a huge problem. We do have to understand, however, that this is a problem that we can’t completely solve. The systems that are under our control are under our control, but that's not enough. As soon as we interact with other organizations—as soon as we're buying software that we install or even just using a SaaS offering—that exposes our information, our IP, or whatever else we need to protect. It exposes us externally if they happen to be broken.
As CEO, you want to make sure your vendors do not end up becoming the next SolarWinds or any of these examples. In most cases, an executive is generally not closely involved in procurement decisions. What are the takeaways and specific initial steps that an executive should take to avoid ending up in that situation?
I can give you a specific example from when we at Unbound purchased a SaaS HR solution. I wasn't involved in the procurement. Whether it had one feature or another wasn't something that I had to be involved in. We have people who have that responsibility. But I asked some very simple questions. First, I made sure that they had done penetration testing and we received their pen testing report. By the way, not all companies even wanted to give that to us. That's already strange. Why shouldn't you be providing that information?
It’s a basic step to verify that the vendor has hired a third party to try to attack their system and find flaws. The third party always issues a report, and the report always contains problems that need to be fixed. There are some high-severity problems, medium, and low — you don't expect a company not to have any problems, but you do expect them to fix them. We had one specific example with one vendor who was our favorite vendor for the HR solution. They sent us the report but said that they only fixed the one severe bug and left the rest of them because they were worried that they'd introduce other problems if they fixed them. This meant that they left a number of significant security flaws in the product and decided they weren't going to fix them. Up to that point, they were our favorite. By the way, they're a very fast-growing company, which is very scary because other companies seem to just not be asking these questions. My instructions to the HR team were, “We're not buying from that vendor.” We're going to buy from another vendor that might be more expensive. Maybe the UI isn't as great. But obviously there are other good solutions out there.
Security has to be a priority. The biggest concern with that vendor wasn't a matter of the specific problem that wasn’t fixed. Rather, their approach showed that they were not serious about security. I don't want to buy from anyone who's not serious about security. And that's the message that executives need to get across to their teams: Before we buy any product—whether it's SaaS or software that we install—are we asking the questions to make sure that they care about security? Do they have a CISO? Do they have someone who's responsible for security and also understands security? If you have someone who understands security on your team, get them to have a conversation with the vendor—they will understand very quickly whether the vendor understands what they're talking about and whether they take security seriously. Do they have secure software processes in place? Do their software engineers have yearly refresher courses about secure coding practices? There are many things that organizations have to do and when we purchase software for our organization, we need to make sure that they take security seriously.
It's important to note: Even if they take security seriously, it doesn't mean that a really sophisticated Russian or Chinese agency will not be able to breach their systems. Nation-state attackers are very powerful. But if they don't take security seriously, it's almost always the case that there are going to be serious flaws in their product.
This generally is referred to as third-party risk. But of course, there's also fourth-party risk, etc., and so this process of evaluating your vendors is not necessarily a simple process, but executives can understand what the protocols are and what steps need to be taken. When looking at your vendors’ vendors and their vendors, that of course becomes far more complicated. What would you suggest to others when evaluating those second-hand risks?
A lot of organizations do have evaluation procedures for vendors. The problem is that they are checklist evaluations: here's a 50-page document, now go and fill in all of these answers. Do you use open source? Which open source? It’s a list of questions which, although it can be valuable, is often far from enough. The fact is that the vendors themselves are filling it in by themselves. Are they always honest? We can assume that they are, but unfortunately, that's not always the case. But even if they are honest, it doesn't mean they really understand what they're doing.
That's why I think the most important thing is to have someone in your security team speak to them and understand whether they really understand and care about security. That's something that, in a one-hour call or even a half-hour call, you can really understand. There are certain things that I can ask you when I'm speaking to you face-to-face and I can very quickly judge whether you really understand what you're talking about and whether you care about this topic, or if it's something that’s sort of “I have this checklist and I need to make sure these things are done. As long as this is done, then I'm covered in case anything bad happens.”
I'm not necessarily interested in whether you're covered and whether I can sue you or not. I'm interested in whether I am going to be breached because of you or not. It’s a different question. I have this feeling that the world is split into two types. There are those who care about security, and those who just care so that they can say, “I did all the best practices that I need to do.” We want to buy from those who really care about security. Again, not necessarily because they won't be breached, but because there's a much better chance that they'll be safer. That means that they’ll spend money on it.
What size is your company before you hire a security expert whose entire responsibility is to make sure that your software is secure? You shouldn't be a 1000-person company when you need to do that. You should be doing that very early on, but that's an expensive investment. What tools do you buy?
I can tell you, not only do I not want to be breached by a third party. At Unbound, we provide enterprise security software. I don't want to be the vessel for someone else being breached. So, I want to make sure that my software is secure.
We take it seriously. It doesn't mean we're perfect. But that is really what the main message is. Yes, it's fine to have policies and to have forms, but make sure that there's real awareness, real understanding, and that they really care. Once you get to that point with everybody, that helps a lot.