TR-69 - How to choose an ICT supplier from a security perspective

Summary

In the past we have seen some IT suppliers not taking appropriate care of their customers' IT security. We have therefore decided to release a document that can help small and medium-sized enterprises (SMEs) evaluate the IT security services of their suppliers.

Overview

According to the European Commission, small and medium-sized enterprises (SMEs) represent 99% of all businesses in the EU [1].

SMEs often do not have the resources to set up and maintain their IT infrastructure internally. Outsourcing these activities to ICT suppliers has become a popular and legitimate alternative, at least as long as the ICT suppliers take their job seriously, especially with regard to IT security.

Unfortunately, CIRCL sees more and more IT suppliers not fulfilling their contractual obligations. Examples of their security misbehaviour include:

  • Not informing their customers about security-related events and incidents
  • Not maintaining the customers' IT systems appropriately
  • Not applying security updates in a timely manner
  • Not blocking public access to vulnerable services
  • Not analysing, or even reading, the logs
  • Not providing working backups
  • Lacking a general security mindset

This can lead to security issues of all kinds for the client SMEs. It may start with compromised business email accounts, which lead to malspam and phishing emails being sent to business contacts; continue with data exfiltration, including sensitive data such as personally identifiable information (PII); and end with the loss of all business data, including deleted backups, which can ultimately mean the end of the business.

Due to the increasing number of such issues, CIRCL would like to support SMEs that outsource IT services by providing some hints on how to choose and evaluate an ICT supplier from a security perspective.

Minimum security measures for Digital Service Providers

In December 2016, ENISA published the document ‘Technical Guidelines for the implementation of minimum security measures for Digital Service Providers’ [2].

In this document, online marketplaces, online search engines and cloud computing services are considered Digital Service Providers (DSPs).

The goal of the document is to define common baseline security objectives for DSPs and to describe different levels of sophistication in the implementation of these objectives.

The document was developed because the world is becoming more and more interconnected, and network and information systems and services are becoming highly crucial.

Even though this document was developed with DSPs in mind, many if not most of the listed objectives are also valid for, and should be implemented by, IT suppliers providing IT systems and services such as file servers, email, databases and the like. This applies especially to the objectives that are valid for ‘Cloud Providers’.

Every employee in an organization who is responsible for outsourcing IT systems or services should review this document to get an overview of the security measures an IT supplier should have in place.

Field experiences and conclusions

  • Reasons to change your IT supplier
    • Advice to disable two-factor authentication in order to increase security
    • Installing security patches only four times a year because of heavy workload
    • Keeping backups only on online servers (where an attacker who has compromised the server can delete them) because that is easiest to manage
    • You ask for a forensic report and receive a report from an AV scan
    • Your CERT informs you about a server compromised due to a missing patch and the supplier answers “Now patched, all good”
    • Your CERT tells the supplier that a compromised server that has since been patched is still a compromised server, and you receive a report from an AV scan
    • You inform your supplier about web shells on his compromised servers and the supplier asks you to send the information by post

What to do after a security incident

This depends heavily on the kind of security incident, but in general there are some basic steps:

  1. Take a memory dump while the system is still running (the memory content is lost at power-off, so this must come before the shutdown)
  2. Shut down the affected computer
  3. Take a disk image
  4. Provide the data to CIRCL for forensic analysis
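As an added example (not code from the CIRCL report), the following POSIX shell script shows how step 3 can be done so that the image is usable as evidence: a bit-for-bit copy with dd, SHA-256 hashes of source and image, and a small acquisition log that records who imaged what and when. It assumes dd and sha256sum (GNU coreutils) are available, that the disk is imaged from a separate boot medium after the shutdown (so it is no longer changing), and that the output goes to external media; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the CIRCL report.
# Assumptions: POSIX sh with dd and sha256sum (GNU coreutils); SOURCE is the
# disk of the shut-down system (e.g. /dev/sda) read from a separate boot
# medium; OUTDIR is on external media, never on the disk being imaged.
set -eu

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE OUTDIR
# Creates OUTDIR/<name>.raw, OUTDIR/<name>.raw.sha256 and
# OUTDIR/<name>.acquisition.log. Image and log are kept in any case; the
# exit status says whether the image could be verified against the source.
acquire_image() {
    src=$1
    outdir=$2
    name=$(basename "$src")
    img="$outdir/$name.raw"
    mkdir -p "$outdir"

    # Sector-sized blocks: conv=noerror,sync continues past unreadable sectors
    # and zero-fills them, so offsets in the image still match the disk.
    # A larger bs would be faster but pads the last block and loses up to bs
    # bytes around each read error.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null

    img_hash=$(sha256_of "$img")
    printf '%s  %s\n' "$img_hash" "$name.raw" > "$img.sha256"

    # Hash the (now static) source as well so the copy can be shown to be
    # faithful. If the source has unreadable sectors this hash fails; record
    # that instead of aborting, because the image is still the evidence.
    src_hash=$(sha256_of "$src" 2>/dev/null) || src_hash=unreadable

    # Chain-of-custody record: what was imaged, when, by whom, both hashes.
    {
        printf 'source=%s\n' "$src"
        printf 'image=%s\n' "$img"
        printf 'acquired_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'operator=%s\n' "$(id -un)"
        printf 'source_sha256=%s\n' "$src_hash"
        printf 'image_sha256=%s\n' "$img_hash"
    } > "$outdir/$name.acquisition.log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE
# Re-checks IMAGE against its .sha256 file, e.g. right before handing it over.
verify_image() {
    img=$1
    (cd "$(dirname "$img")" && sha256sum -c --status "$(basename "$img").sha256")
}

# Usage: sh acquire.sh /dev/sda /mnt/evidence
if [ "$#" -ge 2 ]; then
    acquire_image "$1" "$2" && verify_image "$2/$(basename "$1").raw"
fi
```

Hand over the image together with its .sha256 file and the acquisition log, and run verify_image again on the receiving side; a hash that no longer matches means the evidence was altered in transit and cannot be relied on.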

What NOT to do after a security incident

The following activities should not be done, because they create a great amount of noise and effectively blur the evidence.

  • Run a (full) AV scan with the installed scanner
  • Download and run third-party AV scanners from random Internet sites
  • Install updates and patches for the operating system
  • Install updates and patches for the affected applications
  • Harden the system on any layer
  • Start investigating the affected system on your own
  • Re-install the system from scratch before collecting the evidence
  • Re-image the system from an image before collecting the evidence

What to do after a breach of personal data

Personally Identifiable Information (PII) consists of information that, on its own or combined with a limited amount of other data, can be used to identify a person.

In case of a data leak affecting PII, this must be reported without undue delay (under the GDPR, where feasible within 72 hours of becoming aware of it) to the National Commission for Data Protection (CNPD): https://cnpd.public.lu/

Be prepared

How SMEs can deal with IT suppliers in order to be better prepared for a security incident:

  • Review your contract and compare it with the proposals in the ENISA document
  • Identify a point of contact for the case of an incident
  • Test whether your IT supplier is responsive and not only interested in selling; challenge him
  • Use existing assessment methodologies to evaluate a supplier, such as Fit4Contract
  • Validate that backups are working: regularly ask for some files to be recovered and check the recovered copies against the originals
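A restore test only proves something if the result is compared against a reference the supplier does not control. The following POSIX shell functions, added here as an example and not part of the CIRCL report, record SHA-256 hashes of a sample of files before the restore is requested and check the restored copies against that record afterwards. They assume find, sort and sha256sum (GNU coreutils) and a restored tree with the same relative paths as the original; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the CIRCL report.
# Assumptions: POSIX sh with find, sort and sha256sum (GNU coreutils); the
# supplier restores files into RESTORE_DIR with the same relative paths they
# have under SRC_DIR. Paths containing newlines are not handled.
set -eu

# make_restore_manifest SRC_DIR MANIFEST [MAX_FILES]
# Picks up to MAX_FILES (default 20) regular files under SRC_DIR and records
# their SHA-256 hashes with paths relative to SRC_DIR. Keep the manifest
# outside the supplier's reach; it is the reference for the restore test.
make_restore_manifest() {
    srcdir=$1
    manifest=$2
    max=${3:-20}
    (
        cd "$srcdir"
        # Deterministic sample: sorted paths, first MAX_FILES of them.
        find . -type f | sort | head -n "$max" | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) > "$manifest"
    [ -s "$manifest" ]
}

# check_restore MANIFEST RESTORE_DIR
# Verifies every file in MANIFEST against the restored tree. Missing or
# altered files are listed on stderr; returns non-zero if any of them fail.
check_restore() {
    manifest="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    restoredir=$2
    (
        cd "$restoredir"
        # --quiet prints only failures; the exit status is non-zero on any
        # mismatch or missing file.
        sha256sum -c --quiet "$manifest" 1>&2
    )
}

# Usage: sh restore-check.sh make  /srv/data /secure/manifest.sha256
#        sh restore-check.sh check /secure/manifest.sha256 /mnt/restored
case "${1:-}" in
    make)  make_restore_manifest "$2" "$3" "${4:-20}" ;;
    check) check_restore "$2" "$3" ;;
esac
```

Take the sample right after a backup run, from files that do not change often; otherwise legitimate edits made between the backup and the restore show up as failures and hide the real ones.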

References

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version - 13 June 2022