By now, you have probably heard about one, maybe two massive Distributed Denial of Service (DDoS) attacks that occurred near the end of 2016. The first was Brian Krebs being subjected to a 620 Gbps DDoS. The second, and more noticeable, attack targeted DNS provider Dyn and took down parts of Twitter, Amazon, and other Dyn clients’ infrastructure on the East Coast in the process.
Read the statement from Dyn here.
Upon closer research and critical thinking, I found that from the outside, Porn Hub (I am not linking to them; but I did write a blog about the Security of Porn, which compares PornHub to a few major websites in terms of their DNS infrastructure.) seems to be doing information security better than some ‘security’ companies. The purpose of this blog is to analyze what they are doing and how it fares in the technology industry as a whole.
WHAT IS SUPPLY CHAIN SECURITY?
In the most conventional sense, when we think of Supply Chain Security, we immediately equate it to Target and the HVAC vendor that was used to pivot into Target’s network and perform the attack on the Point of Sale (POS) systems that exfiltrated 40 million card numbers and 70 million shopper records (Krebs, 2014). This is not entirely correct in scope.
It does deal with business that we do business with, but it often times considers the threat to be to the bigger business with the smaller business being the threat. This is not always incorrect. I would (without statistic evidence) surmise that the smaller businesses threatening the bigger ones is typically correct.
Supply Chain Security from a broad sense is the aspect of information security that deals with threats posed to organizations through the supply chain: vendors, suppliers, and partners/providers. For the purpose of this post, I am examining the threat that bigger businesses pose to smaller businesses and the threat that companies of the same size pose to each other through supply chain security.
SUPPLY CHAIN SECURITY AS IT RELATES TO THE DYN DDOS
Many businesses went down or experienced service interruptions when Dyn’s DNS infrastructure was interrupted by the DDoS. This cost Dyn’s customers money via lost business, possible loss of uptime (loss of availability), troubleshooting, and/or activating their BCP/DRP (Business Continuity and Disaster Recovery Plans).
Some of these businesses’ partners didn’t even use Dyn, and some of the partners’ partners did not use Dyn. This is problematic for all parties. The issue is that the affected businesses had a near exponential impact on downstream businesses and services. Only the first degree from the affected were able to levy any financial effects to those affected (if at all; depending on the contracts and Service Level Agreements or SLAs).
Should these businesses be responsible for downstream interruption to customers of their customers and beyond? In short, I believe the answer is yes. While the larger businesses, like Amazon, have little oversight of the downstream consumption of their products and services, they should understand that smaller businesses rely on their customers to several degrees.
I am not saying that Amazon should reimburse every smaller customer. What I am saying is that if the shoe were on the other foot, the outcome would be distinctly different. I think that there should be some means of the larger organization helping smaller companies to the xth degree. This seems to be the only responsible thing to do.
I think the Dyn DDoS was a wake-up call for many. It has already changed the threat scape and architecture of many organizations affected such as Amazon and Twitter. I discussed this very issue in my Security of Porn blog post. Since the DDoS attack, major sites have diversified their DNS providers across multiple vendors. They have also covered vast geographic areas with regards to servers, which seems to be a step in the right direction. It is unfortunate that it required a near terabyte DDoS attack to make it happen.
In conclusion, I hope to see better implementation of supply chain security. It is the responsibility of all organizations to be good stewards of information security and “cyber citizens” per se. I hope this opens the eyes to all organizations in terms of how they can improve business. This could also be a means to better provide for their customers.
As time goes on and the threat environment evolves, the information security landscape must be agile enough to evolve with it. As businesses do more business in the cloud, special attention must be paid to the providers, the contracts, and the service-level agreements that businesses enter when dealing with cloud providers.
About the Author: Joe Gray is a CISSP-ISSMP, GSNA, and GCIH who joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own Blog and Podcast called Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone. You can connect with him on LinkedIn here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.