Keeping Cyber Criminals from Breaking into Your Network via Your VendorsBy: Elizabeth Clarke
Your organization’s information security plan is in place, but how are your partners’ defenses?
The media has reported that several companies in the past year have suffered significant security breaches, as a result of hackers compromising companies’ third-party vendors. Instead of going after large organizations directly, some threat actors are opting to target smaller, third-party vendors who do business with the larger companies. The criminals are hoping these third-party vendors will have fewer security protections in place. If the hackers are able to break into one of these vendors, get their hands on the credentials the vendor uses to access the larger company’s network and successfully use those credentials, then the criminals have just gained their initial foothold into the target company--- all under the guise of a trusted partner. From there, the threat actors might target valuable trade secrets and intellectual property, customer credit and debit card data, or personal identifiable information for employees and customers (names, addresses, social security numbers, email addresses and phone numbers).
Regardless of the data being targeted, for those organizations which have valuable informational assets to protect, it is critical that they regularly assess their security posture, as well as that of their vendors. When it comes to considering whether to give third-party vendors access to one’s network, Dell SecureWorks Incident Response (IR) Team advises that the explicit need of the third party be critically evaluated and this should be based on the operational need of the primary entity, as well as the potential risk to which that the primary entity may be exposed.
Assess Your Risk – Engage Your Partners in Cyber-Attack Simulations
We asked the IR Team how a company can determine the risk a particular third-party vendor might pose.
“We believe Red Team Testing is the best way to assess the risk of a third-party vendor,” said Tom Sammel, Senior Manager of the Dell SecureWorks Incident Response Practice. Red Teaming is when a security team is hired to discover the vulnerabilities in the security protections of an organization.
“As part of any business agreement, we believe that an organization’s partners should be required to participate in Red Teaming events for the primary organization. This will inform both entities to the principal risk to the third party, and the translation risk to the primary entity (the company) on an ongoing basis,” continued Sammel.
The IR Team also advocates that organizations require their third-party vendors to provide them with semi-annual, quarterly or monthly results of internal vulnerability scans, external pen tests, and coinciding remediation plans and subsequent results. They also recommend that any groups, whether internal or external, who are responsible for web applications, provide the results of routine web application testing, along with any remediation plans, and proof that these remediation steps have been taken.
6 Security Tips When Working With Third-Party Vendors
Even if the security posture of a third-party vendor has been deemed adequate, our Incident Response Team suggests that organizations follow these steps to better secure themselves:
- Implement restrictive access controls for the third party. This may include restriction to certain times of day or maintenance windows. Access may also be restricted to occur through a separate virtual private network (VPN) device, where monitoring and logging can occur at a much higher level of fidelity
- Implement Two-Factor Authentication as another critical control for remote access
- Restrict third-party access to only occur from their designated IP address(es) and only using the protocols necessary for the communication. This limits the ability of the attacker from launching attacks from the attacker IP addresses, using stolen credentials
- Ensure that the client environment is configured to alert to geolocation, time, number of devices connected to, etc. If the vendor does not have a need to conduct Remote Desktop Protocol, then that should be explicitly prohibited or alerted as a high fidelity event if attempted
- Implement Application White Listing on systems touched by the third-party vendor (as best as is possible)
- Implement more frequent auditing of all third-party accounts, especially privileged accounts. Ensure that the third party is verifying, in writing, the continuing need for a specified account credential
Reducing the Risks of Cyber Threats – Inside and Out
Mitigating the risks of one’s third-party vendors is good business. However, organizations cannot get so focused on the potential threats their vendors pose, that they become lax in maintaining their own security. We have seen many examples where the security defenses of large, sophisticated companies have been bypassed because one of their executives accidentally clicked on a malicious email link or attachment or because the company was hosting a web application which was vulnerable to a critical, but common web attack. Ultimately, it is up to the network security team to make sure that current and emerging cyber risks are minimized, no matter where they originate.