There’s a maxim that once you lose someone’s trust, it will be difficult to get it back, if it’s even possible to do so. We all have stories of businesses we will no longer patronize because they did something which caused us to lose trust in them. For instance, we may have had horrible food or lousy service at a particular restaurant. Or we determine that a particular software as a service (SaaS) offering we used to use was collecting and selling our data. Even if it was perfectly legal and within the bounds of the terms of use, their doing so wasn’t transparent and we feel is a violation of our privacy. Or perhaps a particular vendor is notorious for overbilling, but each time they are “caught,” they claim it is an honest mistake. Whatever the cause, once trust is lost, business is often lost as well. Therefore, organizations must look closely at risk to their trust and especially their digital trust.
There are many categories of risk, but we’ll focus on two recent cases where risk became reality and had an impact on an organization’s digital trustworthiness. We’ll look at how brand reputation, supply chain, and relationships factor into risk and into an organization’s digital trust.
Brand Reputation and Ability to Execute
At the time of the writing of this article, Boeing is heavily in the news. Its brand is being hit hard in key areas of concern for airlines and customers: safety failures,1 claims of deceiving regulators,2 and an admitted drain of institutional knowledge.3 Boeing’s well-publicized failures are impacting the bottom line, as no one ordered the 737 Max in April and May. Boeing received orders for only four new planes for all of May.4
As I consider options for flying, I’ll be more likely to check what kind of plane I’ll be on. I may choose not to fly certain routes if the aircraft was made by Boeing. Airlines around the world expect this reaction, and that’s likely what is impacting Boeing’s sales. After all, if Boeing has a culture with serious safety issues, can I trust the company to deliver quality parts for repair and routine maintenance of Boeing-made aircraft? If I decide against certain routes, I may choose a different air carrier than I would have initially. This has a secondary, supply chain impact on those airlines.
Customers Impacting the Supplier of Services
While we may point out that the hits are to Boeing’s brand as a whole and not specifically to its digital brand, the next example is all digital: Snowflake. Snowflake came into the news after being linked with the Ticketmaster data breach impacting more than 500 million customers. Initially, no mention of Snowflake was made in the news on the breach.5 However, it soon became evident that at least 165 Snowflake customers had been targeted. At first, it was thought that Snowflake itself was breached. However, it appears that the logins themselves were compromised.6 The latest news, as of the writing of this article, is that the group responsible for the hacks claims to have compromised a third-party contractor.7 Sound familiar? Remember, Okta was breached through a third-party contractor.8
Regardless of the avenue of the breach, Snowflake customers impacted by the account compromises are reportedly getting hit with ransom demands. Cybersecurity researchers investigating the details of the hack and the organization have also had to deal with fake nudes and death threats.9 Both point to what the bad actors are threatening: pay up in the case of the customers or cease and desist in the case of the security researchers, or have your reputations tarnished.
Relationships and Their Impact on Risk
One of the key things to understand about digital trust, and specifically emphasized in the Digital Trust Ecosystem Framework (DTEF), is the impact of relationships on an organization’s digital trustworthiness. In the first case, with Boeing, we know that Boeing’s woes will have a negative impact on its airline customers. As a result, those airlines have slowed down or stopped purchases from Boeing. I don’t want to be the airline that puts a new 737 Max in the sky only to have it crash and people die because of safety concerns at Boeing. If I’m the airline and I’m thinking about buying from Boeing, I must evaluate that risk. It appears that the myriad airlines around the world have done so, and they’ve concluded, at least for the short term, that the risk isn’t worth whatever profit they might earn from passengers being ferried from one location to another in a Boeing plane, especially a 737 Max. There is always residual risk in flying planes. Despite best efforts, things can and will go wrong. If all other considerations are equal and an airline can mitigate additional risk by choosing a plane not made by Boeing, it likely will.
With Snowflake, despite the possible third-party contractor breach, customers were breached because those customers did not take advantage of offered enhanced security options designed to protect those logins. When Mandiant researchers investigated the breached logins, they found several reasons why those logins were compromised:10
- The compromised accounts did not utilize the offered multi-factor authentication (MFA).
- Credentials hadn’t been rotated/updated, even years after they were stolen.
- Customers did not have network allow lists (“whitelists”) in place to designate where legitimate traffic could come from.
While the news started as a Ticketmaster breach, it wasn’t too long before it morphed into a Snowflake breach. However, if the research is correct, Snowflake wasn’t breached; its customers were. Keep in mind that Snowflake provides MFA and network allow list configurations. Snowflake gave customers the options to better protect themselves. The customers chose not to. But it is still Snowflake’s name that is in the news. We could argue that Snowflake should have required customers to use MFA and network allow lists. However, there are possibly justifiable technical reasons why some organizations couldn’t implement either of those technical solutions. And Snowflake can’t control the credential issue, especially if a customer re-used already compromised credentials. Snowflake as an organization faces the risk of customers not fully utilizing the security options available to them. Snowflake made the decision to still permit customers to operate without those key security features enabled.
Even when I say there are possibly justifiable technical reasons not to implement MFA and network allow lists, the common reasons still have technical solutions that address the risk of not implementing those security features. However, implementing those solutions has a cost, both monetarily and in personnel. The cost versus the risk of a breach of data stored in Snowflake might have convinced a customer to go elsewhere rather than use Snowflake. At the end of the day, it’s a business decision for the potential Snowflake customer; whether or not to require enhanced security, and lose potential customers as a result, is likewise a business decision on Snowflake’s part.
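The three Mandiant findings above (no MFA, unrotated credentials, no network allow list) map directly onto account-level controls a Snowflake administrator can apply. The following is an added example, not code from the article or from Snowflake’s own documentation: it shows the corrected configuration for the first and third findings and two audit queries that surface the remaining exposure. The policy names, the CIDR ranges (RFC 5737 documentation addresses) and the 90-day rotation window are assumptions; the column names are those of the SNOWFLAKE.ACCOUNT_USAGE views as I recall them and should be checked against current Snowflake documentation before use.

```sql
-- 1. Network allow list: only accept logins from known corporate egress
--    addresses. The CIDRs are placeholders (RFC 5737 documentation ranges).
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Restrict logins to known corporate egress addresses';

-- Applying the policy at account level is the "fail closed" default; a
-- per-user policy (ALTER USER ... SET NETWORK_POLICY) can carve out exceptions.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Require MFA enrollment for anyone authenticating with a password
--    (authentication policy, assumed name).
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  COMMENT = 'Password-based human users must enroll in MFA';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 3. Audit (finding 1 and 2): active users who hold a password and either
--    have no MFA enrollment or have not rotated the password in 90 days.
SELECT
    name,
    has_password,
    ext_authn_duo            AS mfa_enrolled,
    password_last_set_time,
    last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND COALESCE(disabled::boolean, FALSE) = FALSE
  AND has_password = TRUE
  AND (
        ext_authn_duo = FALSE
     OR password_last_set_time < DATEADD('day', -90, CURRENT_TIMESTAMP())
  )
ORDER BY password_last_set_time;

-- 4. Detection (finding 1 in practice): successful password logins during
--    the last 7 days that presented no second factor. Each row is a session
--    that a stolen credential alone would have been sufficient to open.
SELECT
    user_name,
    client_ip,
    event_timestamp,
    first_authentication_factor,
    second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;
```

Run the two audit queries before enforcing the policies: the first lists the accounts that will be locked out or forced to enroll when the authentication policy takes effect, and the second shows which source addresses real users actually log in from, which is the input for the allow list. Note that ACCOUNT_USAGE views lag live activity by up to a few hours, so they are suited to periodic review rather than real-time alerting.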
What about Risk Identification and Mitigation?
Unfortunately, the news stories for both Boeing and Snowflake don’t have details regarding whether the organizations properly identified the risk in the scenarios that have now come to haunt them, much less whether they acted appropriately from a risk mitigation perspective. We shouldn’t expect that kind of detail in news stories so close to the events themselves, but we might see follow-on research in the coming months and/or years. However, even though we don’t know whether Boeing and Snowflake executed proper risk management, the fact that these risks became reality should remind us of the importance of risk management for our organizations’ digital trust. Also, the examples of these two corporations should remind us to consider the risk in our relationships with other organizations and people. In Boeing’s case, its customers have to evaluate the risk of flying planes produced by Boeing, both from a safety perspective and in terms of potential loss of revenue. In Snowflake’s case, Snowflake must continue to consider the risk to its reputation posed by customers who use its services, and where to draw the line on the security side. Every day, organizations make decisions not to take on potential customers who pose too great a risk. If we want to protect our organization’s reputation and trustworthiness in a digital ecosystem, we must emphasize and execute on proper risk management.
Endnotes
1 Shepardson, David and Lampert, Allison. “Boeing CEO Dave Calhoun blasted in US Senate hearing while apologizing for safety woes.” Reuters. June 19, 2024. https://www.reuters.com/business/aerospace-defense/boeing-ceo-face-harsh-senate-questions-new-whistleblower-claims-2024-06-18/
2 Isidore, Chris and Wallace, Gregory. “Boeing hid questionable parts from regulators that may have been installed in 737 Max planes, new whistleblower alleges.” CNN.com. June 18, 2024. https://www.cnn.com/2024/06/18/business/boeing-whistleblower-calhoun-testimony/index.html
3 Wichter, Zach. “Boeing CEO faces heat in Senate hearing: 5 takeaways from his testimony.” USA Today. June 19, 2024. https://www.usatoday.com/story/travel/news/2024/06/18/boeing-ceo-dave-calhoun-testomony-takeaways/74140822007/
4 “Boeing sales tumble as the company gets no orders for the 737 Max for the second straight month.” Associated Press. June 11, 2024. https://apnews.com/article/boeing-sales-orders-drop-max-eac0c97322ceda981933f0f1e8447b6c
5 Schneid, Rebecca. “Ticketmaster Data Breach May Affect More Than 500 Million Customers. What to Know.” Time. June 2, 2024. https://time.com/6984811/ticketmaster-data-breach-customers-livenation-everything-to-know/
6 “Snowflake Breach Exposes 165 Customers’ Data in Ongoing Extortion Campaign.” The Hacker News. June 11, 2024. https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html
7 Riley, Duncan. “Ransom demands issued to Snowflake users amid alleged third-party contractor breach.” siliconAngle. June 17, 2024. https://siliconangle.com/2024/06/17/ransom-demands-issued-snowflake-users-amid-alleged-third-party-contractor-breach/
8 Bracken, Becky. “Okta Data Compromised Through Third-Party Vendor.” DarkReading.com. November 2, 2023. https://www.darkreading.com/endpoint-security/okta-employee-data-exposed-third-party-vendor
9 SC Staff. “Ransom demands issued to Snowflake hack victims.” SC Media. June 18, 2024. https://www.scmagazine.com/brief/ransom-demands-issued-to-snowflake-hack-victims
10 Mandiant. “UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion.” Google. June 10, 2024. https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
K. BRIAN KELLEY | CISA, CDPSE, CSPO, MCSE, SECURITY+
K. Brian Kelley is an author and columnist focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server, and Windows Server. He has served in a myriad of other positions, including senior database administrator, data warehouse architect, web developer, incident response team lead, and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps, and user groups.