Partner Perspectives
12/7/2017 09:00 AM
Raymond Pompon

Why Third-Party Security Is Your Security

Managing third-party risk isn't just a good idea, in many cases, it's the law. This security framework can help you minimize the threat.

Depending on third parties is inescapable. Every organization needs software, hardware, Internet connectivity, power, and buildings. It's unlikely they're going to do all those things themselves. That means that organizations must be dependent on others outside themselves. With that dependence comes risk.

F5 recently partnered with Ponemon Institute to survey CISOs. In the report, The Evolving Role of CISOs and their Importance to the Business, CISOs were asked: Are your organization’s business partners, vendors, and other third parties held to high security standards? The responses:

  • Always — 22%
  • Yes, most of the time — 21%
  • Yes, some of the time — 29%
  • No — 28%

While 54% of the same survey respondents say they monitor third parties to ensure continued compliance with contractually required security requirements, only 21% say they hold third parties to a high security standard. Yet, interestingly, Beazley Insurance, in its breach insights blog from July 2017, reports that third-party suppliers account for 30% of breaches overall.

So, 28% of CISOs are ignoring 30% of their risk?

As my kids would say, "Seriously?"

To get some perspective, let’s look back at these serious security incidents from the past few years that involved third-party vendors:

  • From August 2016 until March 2017, Sabre’s central reservation system, SynXis, which was used by 100,000 hotels and more than 70 airlines, was hacked and users’ personal data accessed. Thousands of companies that used Sabre’s reservation system had to send breach notices to their respective customers.
  • In 2016, a compromise of "an unnamed third party" with remote access into Wendy's point-of-sale system resulted in malware infecting over a thousand Wendy's locations that stole customer payment card data.
  • Hackers had access to an Experian server from 2013 until 2015, which provided them access to the credit check records of 15 million T-Mobile customers.
  • The big story in third-party security is still Target. In 2013, cyber-crooks got in via an HVAC vendor and accessed data on 70 million customers. So far this has cost Target $202 million to clean up.

Who Are Third Parties?

  • Any vendor, customer or partner whose security failure can lead to a security failure of any of your critical assets or systems
  • Partners with direct access to your critical systems like building management firms, co-location facility providers, IT contractors, and off-site backup services
  • Partners of critical dependencies such as Internet service providers, managed IT services vendors, and major software vendors
  • Customers, business partners, and sub-tenants if they have network or physical access to your environment
  • In many hospitals, internal clinics and medical service facilities are run by organizations other than the encompassing hospital, yet they all share the same network, which creates a patchwork of third-party security environments

Compliance Requirements on Third Parties
Managing third-party risk isn't just a good idea, in many cases, it's the law. Your organization is required to contractually obligate third parties to apply security and privacy measures when they access sensitive data if you:

  • Process personal data on EU citizens, per GDPR Article 28
  • Collect, access, or process medical insurance data, per HIPAA privacy and security rules
  • Collect or process payment card data, per PCI DSS
  • Are a New York State bank, per the New York State Department of Financial Services

These are just the regulations that address third parties directly. Many more, such as those covering American banks and publicly traded companies, require third-party security oversight but don’t get into specific, detailed requirements.

Third-Party Controls
What to do about controls? Let’s learn from our fellow CISOs, per the same F5 and Ponemon report. To start, you will need to establish a third-party security policy. This policy should always begin with a statement that communicates to the entire organization (and regulators) what your official stance is regarding a particular risk. In this case, you need a policy that says that your organization recognizes risk from third parties and will measure and control it to an acceptable level. Here’s how the surveyed CISOs defined the baseline:

  • 46% — Establish objective security requirements or protocols for third parties
  • 34% — Establish security requirements and controls for cloud providers
  • 33% — Establish security procedures to ensure that the supply chain is not corrupted, contaminated, or disruptive to business
  • 27% — Establish a direct communication channel between security and contracts/procurement

Set a Standard for Evaluating Third-Party Security
Now that you have a policy, which is a general statement, you need to bolster it with some details. This third-party standard establishes the baseline that third parties must meet, so communicate it to them before you have to rely on them. The standard also serves as the benchmark that your organization will use to measure third-party security. According to the survey, 57% of respondents suggest establishing a process for evaluating the security protection capability of third parties before engaging in business activities, while 52% recommend establishing a vetting process to ensure all third parties are evaluated and screened against objective security requirements.

Monitor Third-Party Security
With a policy and standard in place, now you can set up ongoing processes to do that measuring and feedback. Survey results show that 54% of respondents monitor third parties to ensure continued compliance with contractually required security requirements, while 44% say they periodically review third parties against objective security requirements.

Enforce Violations of the Standard
It’s one thing to set policies and measure against standards, but you need to do something with those results or it’s all a waste of time. According to the survey:

  • 53% of respondents ensure compliance through third-party contracts that contain security, privacy, and responsibility/liability requirements in case of a breach
  • 37% of respondents establish enforcement actions and termination penalties against third parties that fail to comply with security requirements
  • 25% of respondents establish remediation procedures for third parties that fail to comply with security requirements

Hopefully we’ve spelled out the specifics you need to put together a complete third-party security framework for your organization. Note where your peers are going and make it happen.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...