Vendors are often asked by clients to supply some sort of proof they will protect the client’s sensitive data. While this may seem like a reasonable request, knowing how much information to share and the best way to do that is important.
As a vendor, you may receive multiple requests from clients for compliance reports or third-party validated security reports, such as a SOC 2. If you don’t have a third-party validated report, the client may ask you to complete a security questionnaire (a topic we covered in a recent blog post). That process can be very time consuming, especially when multiple questionnaires ask for different information.
We’ve created five guidelines to help vendors meet their clients’ needs, without risking their own security:
Sometimes clients send questionnaires to every vendor they use without really looking at what each vendor has access to. If you are a vendor that does not handle the client’s sensitive data or systems, you may not need to fill out a tedious questionnaire. The client may simply be following its own company protocol without considering each individual request it is making.
We typically don’t advise vendors to share their Policies, Standards, and Procedures with a client. This sort of information could put you, the vendor, at risk. Be cautious: make sure you are not sharing more than what is required, and that the information you do share doesn’t put your own company’s security at risk in order to comply with a client’s wishes. It is always recommended to have the client execute a non-disclosure agreement (NDA) before sending over any information or reports.
If a client asks for more information than you’re comfortable with, you have the right to object. Oftentimes this will be a conversation rather than a definitive “no”. Ask for the client’s reasoning for the information they’re requesting. If it is still too much, explain why you are uncomfortable with the request.
If you’ve turned down the client’s questionnaire or request for your Policies, Standards, and Procedures, they may still need some proof that you are prepared to protect their security interests.
Completing compliance reports, filling out dozens of questionnaires, and sharing sensitive data can come at a cost to you. You need to decide if the client in question is worth the time and resources their requests will take. Sometimes it’s more cost-effective to let that client go than to jump through more hoops.
Hopefully this helps you know how to handle the inevitable security requests vendors face! If you need more assistance with responding to client requests or knowing which information may be too sensitive to share, be sure to reach out to a cybersecurity expert.
In 2015, a single rail system suffered 2.7 million hacking attempts in less than two months…in a simulation.
Project Honeytrain, a large cybersecurity experiment conducted by two prominent security companies, Britain’s Sophos and Germany’s Koramis, set out to identify risks to industrial transportation infrastructure by creating a fake railroad system online and watching the attacks against it. Although the simulation was conducted 7 years ago, a number of its findings remain relevant today:
The experiment uncovered that a sizable portion of railway hackers don’t just have cybersecurity knowledge; they also have a deep understanding of the complexities and intricacies of the rail industry and its operations.
“An unlooked-for consequence of the railroad, is the increased acquaintance it has given the American people with the boundless resources of their own soil…Railroad iron is a magician's rod, in its power to evoke the sleeping energies of land and water.” – Ralph Waldo Emerson
As deep as our country’s “rail roots” run, America’s relationship with rail is more than poetic romance. In a typical year, continental U.S. freight railroads move around 1.7 billion tons over just under 140,000 miles of track and account for 40% of all American freight. Passengers travel about 17 billion miles a year on rail. American rail makes up a major part of the national economic circulatory system. Spiritually, emotionally and physically, rail built the modern US economy and is a critical component of the transportation industry. Together with the trucking industry, transportation can account for 40-60% of the overall cost of supporting a supply chain.
The interchange between trucking and rail has produced new innovations. The new Des Moines Transload Facility is one of the few places in the country where multiple Class 1 (national) and Class 2 railroads can seamlessly, openly and competitively exchange freight with trucking companies or even other rail companies. This increased efficiency is critical to lowering shipping costs and making the entire transportation infrastructure more robust, but it also demands an innovative approach to transportation cybersecurity risk management.
Since Honeytrain, the cybersecurity threat landscape for real rail companies has only grown. Last month, many trains in Denmark ground to a halt for several hours as the result of a third-party vendor falling victim to ransomware.
Rail is very big business and is therefore also a very big target. Cybersecurity in the rail industry is only one part of supporting a safe supply chain, but it is critical.
In the early days of rail there was only operational technology. When information technology was first introduced, it was thought of as an add-on to the infrastructure. The CIO was in charge of information security, and the COO took care of everything that wasn’t a workstation, server or network: locomotives, cranes, signaling and switching, rail cars, and anything that makes that equipment run. With the growth of IoT technology digitally interconnecting once fully autonomous, individually controlled machines, everything from GPS-connected freight locators to internet-accessible locomotive controls is now under the purview of information technology. The CIO and COO now have a lot of overlapping responsibilities.
Traditionally operational equipment is becoming more digital, and telematics and other information is readily available. This is great for operations, but it creates more challenges for cybersecurity in transportation, including ransomware. Rail is uniquely exposed to high ransom demands simply because of the high value of the freight that could be stalled in transit. The value of planning, detection and response in rail cybersecurity can’t be overstated. Project Honeytrain demonstrates the value of rail companies regularly scheduling red team exercises and penetration testing to prepare for and thwart future attacks.
Rail systems now have more and clearer guidance than ever before when it comes to cybersecurity. In October, the U.S. Transportation Security Administration released the Rail Cybersecurity Mitigation Actions and Testing Directive. With the growing sophistication of attack technology and of bad actors, from individuals to organizations and even governments, and with the growing importance of rail as critical infrastructure in the supply chain, the TSA has directed U.S. rail owners and operators to do the following:
Safety and security of the rail network is paramount, and requires having good technology, good information and good people in place with the power to act. If safety and security fails, freight fails.
For transportation cybersecurity planning and execution, contact the experts at Pratum today.
Among the many threats to employee internet security is “SMiShing,” in which bad actors try to steal personal or company data or set up a scam via text.
Imagine if one of your employees got this message an hour ago:
Jeff, this is HR. ACME’s corporate VISA card requires that you verify your PIN for verification that you are an authorized user. Please protect yourself and ACME’s account at once by simply replying to this message with your PIN.
How confident are you that Jeff did not dutifully and swiftly reply to the urgent message from “your” company with her corporate PIN? How confident are you that the attacker, posing as ACME HR, didn’t ask Jeff for more personal or corporate information before she caught on to the scam?
Welcome to one of the fastest-growing innovations in phishing: Short Message Service (SMS), text-based phishing…or SMiShing, for short.
By now, you have likely been SMiShed multiple times, possibly even multiple times this week! Social engineering criminals have found that the ease and convenience of texting for legitimate purposes has created a target-rich environment for victimizing unsuspecting people.
A few years ago, I received a text message from an unknown number containing my full name and asking the simple question of “how are you?”
As a cybersecurity professional, I decided to – with caution – investigate the obvious SMiShing attempt. It was quite an interesting text message to receive, especially since it contained my full legal name. Already a little suspicious, I responded with “Hello, who is this?” to validate that it wasn’t someone I recently met. The conversation that ensued between me and “Mr. A Morgan” was very clearly an engagement with a social engineer – not a bot – but a real human. I knew and understood immediately that this text message was not legitimate, but I proceeded with the conversation to accomplish a few objectives: consume this person’s time from targeting other individuals and learn how social engineers were trying to steal money/information in 2018 via this avenue of communication.
Social engineers use many tactics to try to coerce information out of us, attempting to catch our eye with tempting offers or the use of fear. The following points are a series of tactics that social engineers may employ to obtain such information.
Four years later, these principles remain in effect, but the attacks have become more sophisticated and targeted. Employees who once believed themselves socially immune to the grammar-challenged texts of the late 2010s are now succumbing to the deceptive requests in droves. In 2021, the US alone lost $44 billion to them. According to the FBI, the situation is only getting worse. CNET reports that smishing attempts increased 24% in the United States alone and 69% globally. The average consumer now receives 19.5 spam texts per month, double the rate of three years ago.
Let’s play out the scenario with Jeff just a little further:
Jeff: Sorry, wrong number.
Attacker: This is the number we have listed as the account. If it is a wrong number, ACME’s corporate VISA card will be suspended for all users indefinitely. Please enter your PIN at the following secure link: securelink.visa@ACME
Jeff: Can you verify that this is ACME?
Attacker: ACME, Inc. FEIN: 123456789. This is Amy in HR. We talked at the company event this summer.
Jeff: Oh, hi Amy! So sorry. I’ll get you the PIN right away.
Much like some of the more gifted mentalists and psychics on television, SMiShers have perfected the art of “cold reading” in their attempts to socially engineer others: if they guess vague events correctly, they confirm to the target that they might be trustworthy. If they guess incorrectly (perhaps there is no Amy who works in HR; perhaps there were no company events last summer), Jeff will likely (at least briefly) doubt her own memory or be embarrassed that she doesn’t remember ever meeting her friendly, helpful contact at ACME. The truth is that, even though Jeff may not initially have given away any useful information to “Amy”, even her initial “wrong number” response confirmed to “Amy” that there was a live target on the other end of the number. And that left Jeff open to further and more harmful social engineering techniques.
So, what can ACME – or you – do for employees?
Social engineering is nothing new, and yet it continues to be one of the most attempted and successful ways attackers obtain information. It is important to stay alert to these attacks and their evolution in an ever-increasing digital age. Knowing the risks associated with personal forms of communication can help you stay ahead of the curve and avoid leakage of proprietary business intelligence. It is very important to take a proactive, risk-based approach to social engineering and the various phishing attack vectors. Pratum offers a suite of services ranging from security awareness training to the actual execution of ethical social engineering campaigns to address these concerns and help your organization mitigate its overall risk.