Partner Perspectives
4/27/2015
12:55 PM
Emilio Iasiello
Third-Party Risk and Organizational Situational Awareness

A rigorous risk management approach will help organizations understand the potential risks posed by their partners.

In today’s interconnected business environment, organizations collaborate closely with trusted third parties, whether vendors, service providers, customers, or partners. While this has enhanced business processes, it has also introduced security weaknesses that hostile actors can exploit. To reduce this threat, every organization needs to understand the risks posed by third-party connections into its own network, and also to examine where it, in turn, connects into the networks of other, larger organizations. Third-party risk management helps identify potential threats proactively, reducing an organization’s exposure and increasing its ability to mitigate damage.

Target and Beyond

The 2013 Target breach highlighted the serious threat that seemingly innocuous third-party network access can pose to the cybersecurity posture of an organization. In the case of Target, hackers stole the login credentials belonging to a company that provided HVAC services to Target and used that access to gain a foothold on the retailer’s payment systems, compromising approximately 40 million customer credit cards.  

The potential risk posed by third parties has garnered significant attention in the wake of the Target breach, and justifiably so, particularly as partnerships and outsourcing are increasingly relied upon to support business operations. The banking sector was quick to recognize the need for improvement in this area. In 2013, the Department of the Treasury’s Office of the Comptroller of the Currency issued guidance on third-party relationships to all national banks, federal savings associations, technology service providers, and other interested parties on adopting risk management processes commensurate with the level of risk of their third-party relationships. The Federal Deposit Insurance Corp. issued similar guidance regarding third-party risk in its January 2014 Compliance Manual. However, this is representative of just one sector. A recent study revealed that one-third of U.S. retailers that experienced a data breach within the past year were compromised via third-party vendors. There is still much to do across all sectors.

The exploitation of third parties is not the tactic of a particular actor or group. The Target breach is just one incident in which third-party access was compromised in pursuit of cybercriminal goals. Other categories of hostile actors have targeted third parties in order to find information on, or access to, their real objectives. For example, teams believed to be sponsored by the Chinese government have conducted cyber espionage operations against law firms in order to gather information on major U.S. companies. One Chinese APT (advanced persistent threat) group has been known to target trusted third-party relationships in order to gain access to its primary target. And in July 2013, the hacktivist group Syrian Electronic Army compromised a third party to facilitate the takeover of the Twitter feed of the Reuters news agency. The SEA was able to redirect visitors to its own content, despite enhanced security, by going through a third-party advertising network instead.

What Can Organizations Do?

In this time where adversaries enjoy a marked operational advantage over network defenders, it is essential for organizations to look beyond their network perimeters in safeguarding the confidentiality, integrity, and availability of their information systems, the information on them, and the accesses in and out of their network.

The following is a list, although not exhaustive, of initiatives that organizations can undertake in order to minimize the risk of third-party access.

  • Continuously Monitor Third-Party Access. By robustly monitoring the activity of third-party users, organizations are able to engage in content and network monitoring for malware, command-and-control activity, and anomalous activity.
  • Set Strict Permission Levels for Third-Party Users. Not all third parties require the same level of access into the network. Organizations should set strict permission settings for each individual third party based on the type of information or service to which it requires access. This also puts organizations in a position to sever that access immediately at any time.
  • Establish Security Compliance Standards. Third parties connecting to an organization’s network need to adhere to the security policies and guidelines set forth by the organization. Implementing these standards and verifying compliance through frequent oversight will greatly minimize the risk. After the Target breach, a cloud security provider discovered that most of the 55,000 HVAC systems connected to the Internet had flaws that could be exploited. Customers of these HVAC systems and other similarly insecure third parties are invariably at risk if they haven’t imposed and enforced security standards.
  • Implement Multi-Factor Authentication. Passwords remain the first line of defense for many systems. In addition to using unique, strong passwords that are changed frequently, implementing multi-factor authentication will reduce the risk posed by third parties even if their credentials are compromised.
  • Evaluate Third Parties. Prior to engaging in a formal business relationship, an organization may want to evaluate the security processes and procedures of potential third parties to determine the robustness and resiliency of their cybersecurity postures.
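As an added illustration (not from the article or its author), the following Python check combines the first two initiatives above: a per-vendor scope policy, applied to constructed third-party access records, flags reach beyond a vendor's service scope, sessions without a second factor and unusual outbound volume, and names the accounts whose access should be severed at once. The vendor names, zone names and log format are assumptions made for the example.

```python
import re

# Constructed per-vendor scope policy (not real data): each third-party account is
# limited to the network zones its service actually needs, and every session must
# carry a second authentication factor.
VENDOR_ZONES = {
    "hvac-vendor": {"building-mgmt"},
    "pos-integrator": {"payment"},
}

# Constructed access-log lines, not real data.
SAMPLE_LOG = """\
2015-04-27T02:10:05Z user=hvac-vendor zone=building-mgmt mfa=yes bytes_out=1200
2015-04-27T02:14:31Z user=hvac-vendor zone=payment mfa=yes bytes_out=48000000
2015-04-27T09:02:11Z user=pos-integrator zone=payment mfa=no bytes_out=3100
2015-04-27T09:30:00Z user=pos-integrator zone=payment mfa=yes bytes_out=2200
2015-04-27T10:00:00Z user=unknown-contractor zone=payment mfa=yes bytes_out=500
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) zone=(?P<zone>\S+) mfa=(?P<mfa>yes|no) bytes_out=(?P<bytes>\d+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    ev["mfa"] = ev["mfa"] == "yes"
    return ev

def evaluate(log_text, policy=VENDOR_ZONES, exfil_threshold=10_000_000):
    """Return (findings, revoke): findings is a list of (user, reason) tuples and
    revoke is the set of vendor accounts whose access should be severed at once."""
    findings, revoke = [], set()
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        user, allowed = ev["user"], policy.get(ev["user"])
        if allowed is None:  # no third-party agreement on file for this account
            findings.append((user, "unregistered third-party account"))
            revoke.add(user)
        elif ev["zone"] not in allowed:  # reach beyond the vendor's service scope
            findings.append((user, "out-of-scope zone " + ev["zone"]))
            revoke.add(user)
        if ev["bytes"] >= exfil_threshold:  # anomalous outbound volume
            findings.append((user, "outbound volume %d" % ev["bytes"]))
        if not ev["mfa"]:  # a credential alone is not enough for vendor sessions
            findings.append((user, "session without second factor"))
    return findings, revoke
```

On the sample records, the HVAC account's move into the payment zone and the unregistered account both land in the revoke set, while the session without a second factor is reported for follow-up.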

Conclusion

It’s important to understand that no company -- regardless of its size or global footprint -- is immune to this risk. A rigorous risk management approach will help organizations understand the potential risks posed by these partners, which will aid them in addressing their own security shortcomings. Third parties need to be held to high standards, particularly if they are accessing sensitive information, services, or operations. Monitoring third-party connections for compliance infractions or indicators of compromise via an endpoint solution is one way to maintain situational awareness over trusted partners. Analyzing real-time traffic ensures the detection of potentially malicious activity that can be blocked before the session completes.

Emilio Iasiello has more than 12 years' experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international ...