Trusted Workforce: Clorox-Cognizant Breach – Insider Threat in the Supply Chain

A Cognizant employee, a trusted insider, repeatedly gave a cybercriminal access to Clorox’s network: over the telephone, the employee handed out credentials for Clorox IT systems without properly authenticating the caller.  This is a case of insider threat in the supply chain, a risk that every enterprise must mitigate, including those with obligations under Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act).

Let’s explore this case in detail.

In 2025, Clorox sued its IT service and cybersecurity provider Cognizant for US$380 million in damages over a cyberattack that struck Clorox in 2023.

U.S. media reports and court documents allege that a Cognizant employee, a trusted insider, repeatedly gave a cybercriminal access to Clorox’s network by handing over credentials for Clorox IT systems without properly authenticating the caller.

Cognizant manages Clorox’s internal networks, and Clorox employees who have problems with their passwords, multi-factor authentication (MFA) codes or VPN access must go through the IT provider to regain access to their systems.

In its court filing Clorox alleges that the Cognizant service desk handed out passwords without verifying the caller’s identity, contrary to the policies put in place precisely to stop unauthorised people gaining access.

Clorox says the hacker rang Cognizant’s help desk five separate times and on each occasion succeeded in having passwords or MFA details reset, which is what gave the hacker access.

In the first call, for example, Cognizant allegedly reset the user’s password in the identity management tool Okta and reset their MFA through Microsoft MFA, without ever verifying the caller’s identity.

The hacker allegedly called back four more times over the course of the day to change the mobile number on a Clorox staff account, perform further resets, and eventually repeat the same approach against a second staff account.

A partial call transcript filed with the court illustrates this.  The alleged hacker tells the Cognizant employee, “I don’t have a password, so I can’t connect.”  The Cognizant employee replies without hesitation, “Oh, ok. Ok. So, let me provide the password to you, okay?”
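The five-call sequence above has a recognisable shape in identity audit logs: a service-desk agent resets a password, then resets MFA, then changes the recovery phone number on the same account, and later does it again on a second account.  The following Python example is added here as an illustration and is not code from the article, from Clorox or from Cognizant.  It runs two detections over a constructed log: one that flags an account receiving several different agent-initiated high-risk changes within a time window, and one that flags an agent who performs such changes on more than one account in a window.  The event type names are an assumption modelled on Okta System Log event types, and the pipe-separated log format and the sample events are constructed for the example.

```python
"""Detect help-desk driven account-takeover chains in identity audit logs.

Added example for this article, not code from Clorox, Cognizant or any court
filing.  Event names are ASSUMED (modelled on Okta System Log event types);
the log format and every sample event below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event types a service-desk agent can trigger against someone else's account.
# ASSUMPTION: illustrative names; map them to whatever your IdP/MFA provider emits.
PASSWORD_RESET = "user.account.reset_password"
MFA_RESET = "user.mfa.factor.reset_all"
PROFILE_UPDATE = "user.account.update_profile"   # covers mobile number changes
HIGH_RISK = {PASSWORD_RESET, MFA_RESET, PROFILE_UPDATE}

# Constructed sample log, one event per line: time|actor|target|event_type|detail.
# It mimics the call sequence described in the article; the names and times are made up.
SAMPLE_LOG = """\
2024-01-15T09:05:00|helpdesk.agent1|alice|user.account.reset_password|call 1
2024-01-15T09:10:00|helpdesk.agent1|alice|user.mfa.factor.reset_all|call 1
2024-01-15T11:30:00|helpdesk.agent1|alice|user.account.update_profile|mobile changed, call 2
2024-01-15T12:00:00|carol|carol|user.account.reset_password|self-service, benign
2024-01-15T14:00:00|helpdesk.agent1|bob|user.account.reset_password|call 4
2024-01-15T14:05:00|helpdesk.agent1|bob|user.mfa.factor.reset_all|call 5
2024-01-15T16:00:00|helpdesk.agent2|dave|user.account.reset_password|routine ticket, benign
"""


def parse_log(text):
    """Parse the constructed pipe-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, target, etype, detail = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "actor": actor,
                       "target": target, "type": etype, "detail": detail})
    return events


def agent_initiated(events):
    """High-risk events performed on an account by someone other than its owner.
    Self-service resets (actor == target) are the normal case and are ignored."""
    return [e for e in events if e["type"] in HIGH_RISK and e["actor"] != e["target"]]


def find_reset_chains(events, window_hours=24, min_kinds=2):
    """Flag accounts that receive at least `min_kinds` DISTINCT agent-initiated
    high-risk event types within `window_hours`: the password reset -> MFA reset
    -> phone change pattern that hands an impostor full control of the account."""
    window = timedelta(hours=window_hours)
    by_target = defaultdict(list)
    for e in agent_initiated(events):
        by_target[e["target"]].append(e)
    alerts = []
    for target, evs in sorted(by_target.items()):
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            chain = [x for x in evs[i:] if x["time"] - first["time"] <= window]
            kinds = sorted({x["type"] for x in chain})
            if len(kinds) >= min_kinds:
                alerts.append({"target": target, "start": first["time"].isoformat(),
                               "kinds": kinds,
                               "actors": sorted({x["actor"] for x in chain})})
                break   # one alert per account is enough; later events are in the chain
    return alerts


def find_busy_agents(events, window_hours=24, max_targets=1):
    """Flag an agent who performs agent-initiated high-risk actions on more than
    `max_targets` distinct accounts within `window_hours` (the pivot to a second
    account).  Tune `max_targets` upward for desks that legitimately do bulk resets."""
    window = timedelta(hours=window_hours)
    by_actor = defaultdict(list)
    for e in agent_initiated(events):
        by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in sorted(by_actor.items()):
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            targets = sorted({x["target"] for x in evs[i:]
                              if x["time"] - first["time"] <= window})
            if len(targets) > max_targets:
                alerts.append({"actor": actor, "start": first["time"].isoformat(),
                               "targets": targets})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in find_reset_chains(evs):
        print("ACCOUNT TAKEOVER CHAIN:", a)
    for a in find_busy_agents(evs):
        print("AGENT RESETTING MULTIPLE ACCOUNTS:", a)
```

Neither rule needs to know whether the caller was verified; they fire on the combination of agent-initiated changes that a genuine user rarely needs all at once, and on one agent touching several accounts in a day.  On the sample log the first rule flags alice (three distinct changes) and bob (two), ignores carol's self-service reset and dave's single routine reset, and the second rule flags helpdesk.agent1 for working on both alice and bob.  In production the same logic would run over the identity provider's audit feed and the MFA provider's audit feed together, with the window and thresholds tuned to the desk's normal workload.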

Impersonating authorised personnel is one of the most basic social engineering attacks.  Clorox’s position is that Cognizant’s employees were too trusting and violated protocol, potentially leading to millions of dollars in losses for Clorox.  It shows that no matter how robust and sophisticated your cybersecurity controls are, they can be bypassed at the weakest point: the people who operate them.

Clorox says that Cognizant’s alleged handing of system logins to a hacker inflicted US$380 million in damages.  It describes the resulting incident as a “debilitating” cyberattack that “paralysed” its corporate network and “crippled” business operations.

Cognizant disputes Clorox’s account, and Clorox in turn rejects Cognizant’s claims.

This case illustrates that the risk posed by trusted insiders, including those in the supply chain, is faced by every organisation.

Understanding the insider threat

The insider threat is people: employees, contractors, volunteers, consultants, anyone who has been granted access to an organisation’s assets and operations and who uses that access to harm the organisation.  The harm may be caused by intentional insiders, who act with the intention of causing harm, or by unintentional insiders, who do not intend harm but whose actions cause it anyway.  Both can inflict harm of high consequence, so both are risk sources, threats, that must be managed.

The insider threat also exists outside the organisation, in its supply chain.  Whether the supply is of materiel or of services, a supplier’s insider can cause great harm.  This case study examines an insider threat in the supply chain.

So, how might an enterprise mitigate the risk posed by third-party providers in its supply chain?

The SOCI Act, through its nine obligations and associated guidance, provides a mitigation framework that any enterprise can use to address insider threat in the supply chain.

The key points to consider in managing insider threat in the supply chain are:

  • Establish what your critical assets or operations are.
  • Determine the supply chain dependencies that enable them.
  • Identify the ‘critical workers’ in each third-party supplier: the positions that will have access to your enterprise’s critical assets and operations.
  • Minimise or eliminate material risks arising from the misuse of privileged access to the asset by any provider in the supply chain.
  • Minimise or eliminate risks arising from threats to people, assets, equipment, products, services, distribution, and intellectual property within the supply chain.
  • Minimise or eliminate material risks of unauthorised access, interference, or exploitation of the asset’s supply chain.

To enable the actions above, the enterprise needs to:

  • maintain a current security risk assessment that identifies critical assets, the likely threats to them stemming from third-party providers, the vulnerabilities, and the mitigations available
  • design contracts that build in mitigation, with stipulations obliging the supplier to act in ways that reduce risk to your enterprise’s assets and operations
  • outside the contractual relationship, maintain an open dialogue with the supplier so that it understands the harm it could cause your assets and operations, and explain every process it is required to follow to protect them
  • brief suppliers on the evolving threat environment relevant to your assets and operations so they are better able to play their part in protecting them
  • oblige the supplier, contractually, to operate a personnel security function for the workers who, by virtue of the trusted legitimate access you grant them, can interact with your critical assets and operations.

Whilst the actions listed above may look onerous, your enterprise is probably already undertaking many of them.  The SOCI Act encourages critical infrastructure entities to look at those actions afresh and recognise them as part of an enterprise-wide effort to mitigate insider threat in the supply chain.

Pentagram’s experience with SOCI entities, and the statements of the SOCI regulator, the Department of Home Affairs, both make clear that supply chain security is generally the least well understood of the four SOCI hazard types and has the least developed mitigation.  Within supply chain security, supplier critical workers, and hence the mitigation of the insider threat they pose, are the most challenging component.

Lessons for organisations

This case shows the significant harm that a trusted insider in the supply chain can inflict on an enterprise.  The risk may look too large and complex to mitigate effectively; it cannot be eliminated, but it can certainly be minimised.  Success comes down to explaining clearly to people what is required of them and monitoring, as far as is practicable, their actions and behaviours for signs of potential insider threat.

Insider threat in the supply chain is therefore not an abstract risk but a real and potentially very costly one, as the Clorox/Cognizant breach shows.  Organisations must embed supplier oversight, contractual obligations and personnel security practices in their critical infrastructure risk management program so that the risk is not only minimised but actively managed.  The case is a reminder that even well-resourced enterprises are exposed to insider threat in their supply chain, and that supplier oversight and personnel security measures need to be built into contract performance and monitored by the most effective means available.
