Partner Perspectives
4/27/2015 12:55 PM
Emilio Iasiello

Third-Party Risk and Organizational Situational Awareness

A rigorous risk management approach will help organizations understand the potential risks posed by their partners.

In today’s interconnected business environment, organizations maintain close collaboration with trusted third parties, whether they are vendors, service providers, customers, or partners. While this has enhanced business processes, it has also introduced potential security vulnerabilities that can be manipulated and exploited by hostile actors. To reduce this threat, every organization needs to understand the risks posed by third-party connections into its networks, and also to examine itself to determine where it is in turn a third party connecting into other, larger organizations. Third-party risk management helps proactively identify potential threats, thereby reducing an organization’s exposure and increasing its ability to mitigate damage.

Target and Beyond

The 2013 Target breach highlighted the serious threat that seemingly innocuous third-party network access can pose to the cybersecurity posture of an organization. In the case of Target, hackers stole the login credentials belonging to a company that provided HVAC services to Target and used that access to gain a foothold on the retailer’s payment systems, compromising approximately 40 million customer credit cards.  

The potential risk posed by third parties has garnered significant attention in the wake of the Target breach, and justifiably so, particularly as partnerships and outsourcing are increasingly relied upon to support business operations. The banking sector was quick to recognize the need for improvement in this area. In 2013, the Department of the Treasury’s Office of the Comptroller of the Currency issued guidance on third-party relationships to all national banks, federal savings associations, technology service providers, and other interested parties on adopting risk management processes commensurate with the level of risk of their third-party relationships. The Federal Deposit Insurance Corp. issued similar guidance regarding third-party risk in its January 2014 Compliance Manual. However, this is representative of just one sector. A recent study revealed that one-third of U.S. retailers that experienced a data breach within the past year were compromised via third-party vendors. There is still much to do across all sectors.

The exploitation of third parties is not the tactic of a particular actor or group. The Target breach is just one incident in which third-party access was compromised in the course of a cybercriminal operation. Other categories of hostile actors have targeted third parties in order to find information on, or access to, their real objectives. For example, teams believed to be sponsored by the Chinese government have conducted cyber espionage operations against law firms in order to gather information on major U.S. companies. One Chinese APT (advanced persistent threat) group has been known to target trusted third-party relationships in order to gain access to its primary target. And in July 2013, the hacktivist group Syrian Electronic Army compromised a third party to facilitate the takeover of the Twitter feed of the Reuters news agency. Despite Reuters’ enhanced security, the SEA was able to redirect visitors to its own content by going through a third-party advertising network instead.

What Can Organizations Do?

In this time where adversaries enjoy a marked operational advantage over network defenders, it is essential for organizations to look beyond their network perimeters in safeguarding the confidentiality, integrity, and availability of their information systems, the information on them, and the accesses in and out of their network.

The following is a list, although not exhaustive, of initiatives that organizations can undertake in order to minimize the risk of third-party access.

  • Continuously Monitor Third-Party Access. By robustly monitoring the activity of third-party users, organizations are able to engage in content and network monitoring for malware, command-and-control activity, and anomalous activity.
  • Set Strict Permission Levels for Third-Party Users. Not all third parties require the same level of access into the network. Organizations should set strict permission settings for each individual third party based on the type of information or service to which they require access. This also allows organizations to sever a given third party’s access immediately at any time.
  • Establish Security Compliance Standards. Third parties connecting to an organization’s network need to adhere to established security policies and security guidelines as set forth by the organization. Implementing these standards and verifying their compliance through frequent oversight will greatly minimize the risk. After the Target breach, a cloud security provider discovered that most of the 55,000 HVAC systems connected to the Internet had flaws that could be exploited. Customers of these HVAC systems and other similarly insecure third parties are invariably at risk if they haven’t imposed and enforced security standards.
  • Implement Multi-Factor Authentication. Passwords remain the first line of defense for many systems. In addition to using unique, strong passwords that are changed frequently, implementing multi-factor authentication reduces the risk posed by third parties even if their credentials are compromised.
  • Evaluate Third Parties. Prior to engaging in a formal business relationship, an organization may want to evaluate the security processes and procedures of potential third parties to determine the robustness and resiliency of their cybersecurity postures. 
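As an added example (not code from the article or from Fidelis), the following Python script applies the monitoring, strict-permission, and multi-factor points above to a few constructed vendor-access log lines: each vendor account gets an allowlist of network zones, and events outside it, logins without MFA, unregistered accounts, and out-of-hours access are flagged for review. The vendor names, zone names, log format, and business-hours window are all assumptions.

```python
"""Check constructed third-party access log lines against a per-vendor policy."""
from dataclasses import dataclass

# Hypothetical per-vendor policy (least privilege): account -> zones it may reach.
# Mirrors the Target lesson: an HVAC vendor has no business in the payment zone.
VENDOR_POLICY = {
    "hvac-vendor": {"facilities"},
    "pos-maintenance": {"pos", "facilities"},
}

# Constructed sample log: timestamp, vendor account, zone reached, MFA flag.
SAMPLE_LOG = """\
2015-04-27T08:01:10Z hvac-vendor facilities mfa=yes
2015-04-27T08:03:44Z hvac-vendor payment mfa=yes
2015-04-27T09:15:02Z pos-maintenance pos mfa=no
2015-04-27T09:16:30Z unknown-contractor facilities mfa=yes
2015-04-27T22:40:00Z hvac-vendor facilities mfa=yes
"""


@dataclass
class Finding:
    vendor: str
    reason: str
    line: str


def parse_line(line):
    """Split one log line into (timestamp, vendor, zone, mfa_used)."""
    ts, vendor, zone, mfa = line.split()
    return ts, vendor, zone, mfa.split("=", 1)[1] == "yes"


def check_access(log_text, policy=VENDOR_POLICY, business_hours=(7, 19)):
    """Return a Finding for every policy violation seen in the log text."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, vendor, zone, mfa_used = parse_line(line)
        allowed = policy.get(vendor)
        if allowed is None:  # no contract on file: should never be on the network
            findings.append(Finding(vendor, "unregistered third-party account", line))
            continue
        if zone not in allowed:  # lateral movement beyond the permitted scope
            findings.append(Finding(vendor, f"reached '{zone}' outside {sorted(allowed)}", line))
        if not mfa_used:  # credential theft alone would suffice here
            findings.append(Finding(vendor, "login without multi-factor authentication", line))
        hour = int(ts[11:13])  # UTC hour from the ISO timestamp
        if not business_hours[0] <= hour < business_hours[1]:
            findings.append(Finding(vendor, f"access at {ts} outside business hours", line))
    return findings


if __name__ == "__main__":
    for f in check_access(SAMPLE_LOG):
        print(f"{f.vendor}: {f.reason} <- {f.line}")
```

Pointing the script at real vendor gateway or VPN logs, with the policy populated from the contracts each third party actually signed, turns the strict-permission list into something that is verified rather than assumed.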

Conclusion

It’s important to understand that no company -- regardless of its size or global footprint -- is immune to this risk. A rigorous risk management approach will help organizations understand the potential risks posed by these partners, which will aid them in addressing their own security shortcomings. Third parties need to be held to high standards, particularly if they are accessing sensitive information, services, or operations. Monitoring third-party connections for compliance infractions or indicators of compromise via an endpoint solution is one way to maintain situational awareness over trusted partners. Analyzing traffic in real time allows potentially malicious activity to be detected and blocked before the session completes.

Emilio Iasiello has more than 12 years' experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international ...