SEATTLE — JULY 31, 2019 — ExtraHop, the leader in cloud-first detection and response for the hybrid enterprise, today issued a security advisory exposing several cases of third-party vendors "phoning home" proprietary data without the knowledge of or authorization from their customers. The advisory serves as a warning to all enterprises to hold their vendors more accountable for how they use customer data.
The newly-issued advisory defines phoning home as a host connecting to a server for the purpose of sending data to the server, the "white hat" term for exfiltrating data. According to the report, phoning data home is a common practice that can be used for legitimate and useful reasons with the customer's consent. But when customers are unaware of this vendor exfiltration, it risks exposure of sensitive data, such as Personally Identifiable Information (PII), in violation of increasingly strict privacy regulations.
"We decided to issue this advisory after seeing a concerning uptick in this kind of undisclosed phoning home by vendors," said Jeff Costlow, ExtraHop CISO. "What was most alarming to us was that two of the four cases in the advisory were perpetrated by prominent cybersecurity vendors. These are vendors that enterprises rely on to safeguard their data. We're urging enterprises to establish better visibility of their networks and their vendors to make sure this kind of security malpractice doesn't go unchecked."
The advisory highlights four cases spanning the financial services, healthcare, and food service industries where ExtraHop documented vendors phoning home their customers' data without the customer's knowledge or authorization, including:
Foul-play in financial services. During a recent training session, ExtraHop noticed that domain controllers were shipping data to a public cloud instance. The customer had no idea that domain controllers were sending SSL traffic outbound to 50 different public cloud endpoints controlled by the vendor. The report documents how a prominent cybersecurity vendor had been doing this for at least two months.
Medical device malpractice. A U.S. hospital was piloting a medical device management product that was only to be used on designated hospital Wi-Fi to ensure patient data privacy and HIPAA compliance. ExtraHop noticed that traffic from the workstation that was managing the initial device rollout was opening encrypted SSL:443 connections to vendor-owned cloud storage, in strict violation of HIPAA regulations.
When shadow IT phones home to China. While ExtraHop was onsite with a large multinational food services customer, they discovered that approximately every 30 minutes, a network-connected device was sending UDP traffic out to a questionable IP address. The device in question was a Chinese manufactured security camera that was phoning home to an IP address known to be associated with malware downloads.
When "on-box analysis" isn't entirely "on box." During a proof-of-concept (POC) with a financial services institution, ExtraHop noticed a large volume of outbound traffic headed from the customer's U.S. datacenter to the United Kingdom. More than 400GB per day over two-and-a-half days (totaling more than 1TB of data) was exfiltrated by a security vendor that was also in a POC with the financial services institution. The customer was surprised because the vendor claimed to perform all analysis and machine learning "on-box"—meaning on the appliance deployed in the customer's environment.
ExtraHop's security advisory recommends that companies take the following actions to mitigate these kinds of phoning-home risks:
- Monitor for vendor activity: Watch for unexpected vendor activity on your network, whether they are an active vendor, a former vendor or even a vendor post-evaluation.
- Monitor egress traffic: Be aware of egress traffic, especially from sensitive assets such as domain controllers. When egress traffic is detected, always match it to approved applications and services.
- Track deployment: While under evaluation, track deployments of software agents.
- Understand regulatory considerations: Be informed about the regulatory and compliance considerations of data crossing political and geographic boundaries.
- Understand contract agreements: Track whether data is used in compliance with vendor contract agreements.
ExtraHop also urges companies to ask questions of their vendors to ensure they understand how their data is being used, where their data is going and the vendor protocols for phoning home. ExtraHop believes these actions will hold vendors more accountable and ultimately limit the exposure of sensitive enterprise data.
Click here to download the complete Phoning Home Security Advisory.