Partner Perspectives
4/27/2015 12:55 PM
Emilio Iasiello

Third-Party Risk and Organizational Situational Awareness

A rigorous risk management approach will help organizations understand the potential risks posed by their partners.

In today’s interconnected business environment, organizations collaborate closely with trusted third parties, whether vendors, service providers, customers, or partners. While this has streamlined business processes, it has also introduced security weaknesses that hostile actors can exploit. To reduce this threat, every organization needs to understand the risks posed by third-party connections into its own network, and also to examine where it is itself a third party connecting into other, often larger, organizations. Third-party risk management helps identify potential threats proactively, reducing an organization’s exposure and improving its ability to contain damage.

Target and Beyond

The 2013 Target breach highlighted the serious threat that seemingly innocuous third-party network access can pose to an organization’s cybersecurity posture. In Target’s case, attackers stole the network login credentials of a company that provided HVAC services to Target and used that access as a foothold from which to reach the retailer’s payment systems, compromising approximately 40 million customer payment cards.

The potential risk posed by third parties has garnered significant attention in the wake of the Target breach, and justifiably so, particularly as partnerships and outsourcing are increasingly relied upon to support business operations. The banking sector was quick to recognize the need for improvement in this area. In 2013, the Department of the Treasury’s Office of the Comptroller of the Currency issued guidance on third-party relationships to all national banks, federal savings associations, technology service providers, and other interested parties, directing them to adopt risk management processes commensurate with the level of risk of their third-party relationships. The Federal Deposit Insurance Corp. issued similar guidance on third-party risk in its January 2014 Compliance Manual. That is just one sector, however. A recent study found that one-third of U.S. retailers that experienced a data breach within the past year were compromised through third-party vendors. There is still much to do across all sectors.

Exploiting third parties is not the tactic of any one actor or group. The Target breach is just one incident in which third-party access was compromised in the course of a cybercriminal operation. Other categories of hostile actors have targeted third parties as a source of information about, or access to, their real objectives. For example, teams believed to be sponsored by the Chinese government have conducted cyber espionage operations against law firms in order to gather information on major U.S. companies. One Chinese APT (advanced persistent threat) group has been known to target trusted third-party relationships in order to gain access to its primary target. And in July 2013, the hacktivist group Syrian Electronic Army compromised a third party to facilitate the takeover of the Reuters news agency’s Twitter feed. Rather than attack Reuters directly, whose own security had been enhanced, the SEA went through a third-party advertising network and was able to redirect visitors to its own content.

What Can Organizations Do?

At a time when adversaries enjoy a marked operational advantage over network defenders, organizations must look beyond their network perimeters to safeguard the confidentiality, integrity, and availability of their information systems, the information on them, and the access paths into and out of their networks.

The following list, while not exhaustive, covers initiatives organizations can undertake to minimize the risk of third-party access.

  • Continuously Monitor Third-Party Access. By robustly monitoring the activity of third-party users, organizations can apply content and network monitoring to detect malware, command-and-control traffic, and anomalous behavior, such as a vendor account reaching systems outside its normal scope.
  • Set Strict Permission Levels for Third-Party Users. Not all third parties require the same level of access to the network. Organizations should set permissions for each individual third party based on the type of information or service it needs to reach, and nothing more. Scoping access per partner also makes it possible to sever that access immediately, at any time, without affecting anyone else.
  • Establish Security Compliance Standards. Third parties connecting to an organization’s network must adhere to the security policies and guidelines the organization sets forth. Implementing these standards and verifying compliance through frequent oversight greatly reduces the risk. After the Target breach, a cloud security provider found that most of the 55,000 HVAC systems it identified as connected to the Internet had exploitable flaws. Customers of these HVAC systems, and of other similarly insecure third parties, are at risk if they have not imposed and enforced security standards.
  • Implement Multi-Factor Authentication. Passwords remain the first line of defense for many systems. In addition to requiring unique, strong passwords that are changed frequently, implementing multi-factor authentication reduces the risk posed by third parties even if their credentials are compromised, since a stolen password alone is no longer enough to log in.
  • Evaluate Third Parties. Before entering a formal business relationship, an organization should evaluate the security processes and procedures of prospective third parties to determine the robustness and resilience of their cybersecurity postures.
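The first two items above, scoped permissions and continuous monitoring of third-party activity, can be turned into a concrete check. The following is an added example written for this page, not code from the article or from any vendor product: each third-party service account gets a grant listing the hosts it may reach, the networks it connects from, and the hours it is expected to be active, and every access event is compared against that grant. The log format, the `hvac-svc` account, the host names, and the IP addresses are all constructed for the example.

```python
"""Third-party access grants and a monitor that checks events against them.

Added example: each vendor account gets a least-privilege grant (hosts it may
reach, networks it connects from, hours it is active).  Each access event is
checked against that grant; violations are flagged and a revoked vendor is
denied outright.  Log format, vendors, hosts and addresses are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class VendorGrant:
    """Least-privilege scope for one third-party account (hypothetical schema)."""
    vendor: str
    allowed_hosts: frozenset          # hosts/services the vendor may reach
    source_nets: tuple                # ip_network objects the vendor connects from
    window: tuple = (time(6, 0), time(20, 0))   # expected local business hours
    revoked: bool = False

    def permits(self, host, src, ts):
        """Return the reasons an event violates the grant ([] means allowed)."""
        if self.revoked:
            return ["account revoked"]
        reasons = []
        if host not in self.allowed_hosts:
            reasons.append(f"host {host} outside granted scope")
        if not any(ip_address(src) in net for net in self.source_nets):
            reasons.append(f"source {src} not in vendor network")
        if not (self.window[0] <= ts.time() <= self.window[1]):
            reasons.append(f"access at {ts.time()} outside business hours")
        return reasons


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' access-log line."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def audit(grants, lines):
    """Check every log line against its account's grant.

    Returns a list of (vendor, host, reasons) for events that violate a grant.
    An account with no grant on file is flagged too: it has no business here.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        grant = grants.get(ev["user"])
        if grant is None:
            findings.append((ev["user"], ev["host"], ["no grant on file"]))
            continue
        reasons = grant.permits(ev["host"], ev["src"], ev["ts"])
        if reasons:
            findings.append((grant.vendor, ev["host"], reasons))
    return findings


def revoke(grants, user):
    """Kill switch: sever one vendor's access without touching anyone else's."""
    grants[user].revoked = True


# Constructed sample: an HVAC contractor's service account behaving normally,
# then reaching a payment host it was never granted, off-hours, from an
# unfamiliar address; finally an account nobody ever issued a grant for.
GRANTS = {
    "hvac-svc": VendorGrant(
        vendor="Example HVAC Co.",
        allowed_hosts=frozenset({"bms-portal", "vendor-billing"}),
        source_nets=(ip_network("203.0.113.0/24"),),
    ),
}

SAMPLE_LOG = [
    "2015-04-27T09:15:02 user=hvac-svc src=203.0.113.10 host=bms-portal action=login",
    "2015-04-27T09:16:40 user=hvac-svc src=203.0.113.10 host=vendor-billing action=upload",
    "2015-04-27T23:41:07 user=hvac-svc src=198.51.100.7 host=pos-db-01 action=login",
    "2015-04-27T10:02:13 user=unknown-svc src=203.0.113.11 host=bms-portal action=login",
]


def run_sample():
    """Audit the constructed log against the constructed grants."""
    return audit(GRANTS, SAMPLE_LOG)


if __name__ == "__main__":
    for vendor, host, reasons in run_sample():
        print(f"{vendor} -> {host}: " + "; ".join(reasons))
```

Running the script prints the findings. The third constructed log line reproduces the Target pattern of a vendor credential being used to reach a payment system, and it trips all three checks at once; the fourth shows why unknown accounts must be flagged rather than ignored. The `revoke` function is the kill switch the second item calls for: flipping one flag makes every subsequent event for that account a denial without affecting any other partner's access.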

Conclusion

It is important to understand that no company, regardless of its size or global footprint, is immune to this risk. A rigorous risk management approach helps organizations understand the potential risks posed by these partners, which in turn helps them address their own security shortcomings. Third parties need to be held to high standards, particularly if they access sensitive information, services, or operations. Monitoring third-party connections for compliance violations or indicators of compromise via an endpoint solution is one way to maintain situational awareness over trusted partners. Analyzing traffic in real time makes it possible to detect potentially malicious activity and block it before the session completes.

Emilio Iasiello has more than 12 years' experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international ...