Last Updated on April 1, 2019
Editor’s Note: This post was originally published in May 2017. It has been updated to reflect the name change from AUP to SCA.
As hacker monikers go, TheDarkOverlord (TDO) picked a pretty catchy one. Not much is known about this hacker yet (not even whether it’s an individual or a group, but I’m guessing the latter), but we do know a few things. They know what they’re doing. They’re an enormous thorn in Netflix’s side. And they absolutely, positively love vendor data breaches.
As you may well have heard by now, TDO made headlines recently when they posted most of the new, unreleased episodes of the hit Netflix original “Orange is the New Black” online when Netflix refused to pay a ransom.
And according to DataBreaches.net:
As TDO has often commented to this blogger, they love going after third-party vendors. On December 26 , in an encrypted chat, TheDarkOverlord (TDO) informed DataBreaches.net they had recently come across what they described as hundreds of GBs of unreleased and non-public media from a studio located in Hollywood.
TDO apparently found this treasure trove on the systems of a third-party post-production studio that is utilized as a supplier not only by Netflix, but also by many other major studios.
Unlike many other economically-driven attacks, this hack was not designed to obtain data for sale, but rather for extortion. When Netflix didn’t pay up, their intellectual property was released to the world. While the mechanism by which Netflix was harmed is less common, the bottom line is the same: Netflix will certainly be out millions of dollars in lost opportunities.
While we don’t yet know the details of how this attack was executed, we know with certainty who it was conducted against: a vendor. I expect the number of attacks against vendors to increase substantially over the next few years. Why?
- Vendors serve many customers. Instead of attacking the systems of a company that holds 25,000 records of personally-identifiable information (PII), why not instead attack a vendor to 20 such companies and grab half a million records?
- Vendors are plentiful. The proliferation of easy-to-stand-up, cloud-based services means there are many more companies out there than there were 10 years ago, offering many more kinds of information services. Many of these offerings are made by companies that do not have deep security expertise. For many of these companies, the emphasis is on “fast” and “cheap” rather than “secure.” Cloud-based services are no more inherently insecure than any other type of architecture, but they do bring with them certain inherent risks that must be addressed.
- Most companies improperly manage their vendor risk. Many companies have a surprisingly big problem with “shadow IT,” or IT-related services being utilized outside of the normal set of controls and processes put in place by a company to control information security risk. When a Director of Marketing needs access to data analytics services, will she necessarily go through the proper IT process to determine whether a potential supplier is secure and appropriate? In many cases, the answer is “no.” This leads to even more data being stored and processed by suppliers who may not have the proper security controls in place.
So, what can you and your company do about it?
I’ve blogged many times about the value of a good third-party risk management (TPRM) program. While events like this underscore the importance of those recommendations, one of the key takeaways for me is this: while document reviews and self-assessment questionnaires are extremely helpful, and can often suffice for many suppliers, there are some suppliers who are so critical to your company, who handle such existentially vital data, it pays to put “boots on the ground” for a thorough, in-depth on-site review by a competent professional auditor. The Shared Assessments Organization provides a very thorough template for an on-site supplier review called the “Standardized Control Assessment” or SCA (formerly known as “Agreed Upon Procedures” or AUP).
This kind of review can offer you a great deal of information, and can help your organization—and the vendor—gain a far better understanding of what kind of risks and concerns really exist. Most importantly, an SCA offers guidance on the kinds of controls that can be put in place to risks it identifies. I’ve been doing vendor reviews for many years, and I can state with absolute certainty there are important things that can be discovered by an on-site audit that cannot be found any other way.
We will certainly find out more about the Netflix breach over the next few months. But regardless of what is found, a fundamental fact remains: TheDarkOverlord loves third-party vendors. Netflix? Maybe not so much right now.
Talk to Third-Party Risk Management Experts
To discuss your company’s TPRM strategy, contact Pivot Point Security.