6 Ways Third Parties Can Trip Up Your Security
Poor access control, inadequate patch management, and non-existent DR practices are just some of the ways a third party can cause problems
May 29, 2018
The security risks posed by third parties connecting to enterprise networks are well understood.
In recent years, countless organizations have suffered data breaches as the result of a security failure at a vendor, supplier, partner or other third party with access to their network.
Fifty-six percent of organizations in a 2017 Ponemon Institute survey say they had experienced a data breach stemming from a third-party security failure. More than 4-in-10 (42%) of the respondents say that attacks on their third parties resulted in a misuse of their organization's sensitive and confidential data, and 75% believe that risks from third parties are increasing.
One big issue that survey respondents identify is the lack of visibility into the security status of third-party networks and systems. Although third parties have access to an increasing amount of enterprise data, more than half of the respondents in the survey have no inventory of all the external people accessing their networks and data.
The issue is a problematic one for enterprises, especially with regulations such as the EU's General Data Protection Regulation, which went into effect recently. Organizations increasingly are being held directly responsible for breaches stemming from third-party failures and are therefore under the gun to do more about ensuring their vendors and others follow security best practices.
"Third-party vendor risk is the unseen threat for enterprises dealing with cyber-risk," says Dan O'Sullivan, an analyst with UpGuard. "Like a rip in the back of a jacket, the fact that risks taken on by third-party vendors are not visible does not mean they do not expose you to the world," he notes.
Here, in no specific order, are some of the most typical ways your third parties can trip up your security:
One of the most common ways in which attackers have broken into target networks is by stealing and misusing third-party access credentials.
Suppliers, contractors, technology vendors and others often require direct access to your systems for a variety of reasons. Poorly managed access privileges give attackers a way into your network via a third-party account, and a foothold from which to try to move on to other systems and network segments. Target is perhaps the best-known example, but over the years scores of other organizations have experienced similar breaches.
"Attackers can more easily leverage overextended credentials through third parties," says Sam Abadir, vice president of industry solutions at Lockpath. Often third parties do not pay as much attention to security training for phishing and social engineering attacks, making them relatively easy targets for credential theft. "Companies we work with are starting to realize the risk around identity management, as it relates to the access given to third parties, which is often overlooked," Abadir says.
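The survey finding above (no inventory of external accounts) and the overextended-credential problem Abadir describes are both things a defender can check mechanically. The script below is an added example, not code from the article or from any of the vendors quoted: it builds a per-vendor inventory of enabled external accounts from a constructed identity export and flags the control gaps that turn a third-party account into an attacker's foothold (privileged roles, no MFA, long-idle logins, access with no end date or past its contract end). The `Account` fields, the vendor names and the 90-day idle threshold are assumptions chosen for illustration.

```python
"""Third-party account inventory and audit.

Added example (not from the article). The account records below are constructed
to look like a simplified identity-provider export; real exports use different
field names, so the mapping to Account is the one assumption to adapt.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    organization: str              # "internal" for staff, otherwise the vendor name
    roles: List[str]
    mfa_enabled: bool
    last_login: date
    contract_end: Optional[date]   # None means no end date was ever recorded
    enabled: bool = True


# Roles that should never sit on an external account without explicit approval.
PRIVILEGED_ROLES = {"domain-admin", "db-admin", "global-admin"}
# An external account unused for this long is a candidate for disabling (assumed policy).
STALE_AFTER = timedelta(days=90)
# Reference date for the audit, fixed so the results are reproducible.
TODAY = date(2018, 5, 29)

# Constructed sample export (hypothetical vendors and usernames).
SAMPLE_ACCOUNTS = [
    Account("jsmith", "internal", ["user"], True, TODAY - timedelta(days=3), None),
    Account("hvac-remote", "AcmeHVAC", ["vpn", "domain-admin"], False,
            TODAY - timedelta(days=120), None),
    Account("auditor-01", "BigFour", ["read-only"], True,
            TODAY - timedelta(days=10), TODAY - timedelta(days=5)),
    Account("dev-contractor", "DevShop", ["developer"], True,
            TODAY - timedelta(days=2), TODAY + timedelta(days=200)),
    Account("old-vendor", "RetiredCo", ["vpn"], False,
            TODAY - timedelta(days=400), TODAY - timedelta(days=300), enabled=False),
]


def external_inventory(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each vendor to its currently enabled accounts: the inventory the
    survey respondents said they lack."""
    inventory: Dict[str, List[str]] = {}
    for a in accounts:
        if a.organization != "internal" and a.enabled:
            inventory.setdefault(a.organization, []).append(a.username)
    return inventory


def audit_third_party_accounts(accounts: List[Account], today: date = TODAY) -> List[str]:
    """Return one finding per control gap on enabled external accounts."""
    findings: List[str] = []
    for a in accounts:
        if a.organization == "internal" or not a.enabled:
            continue
        privileged = sorted(set(a.roles) & PRIVILEGED_ROLES)
        if privileged:
            findings.append(f"{a.username}: privileged role(s) {', '.join(privileged)} on external account")
        if not a.mfa_enabled:
            findings.append(f"{a.username}: MFA not enforced on external account")
        idle = today - a.last_login
        if idle > STALE_AFTER:
            findings.append(f"{a.username}: no login for {idle.days} days; review or disable")
        if a.contract_end is None:
            findings.append(f"{a.username}: no contract end date recorded, so access never expires")
        elif a.contract_end < today:
            findings.append(f"{a.username}: contract ended {a.contract_end} but account is still enabled")
    return findings


if __name__ == "__main__":
    for vendor, users in external_inventory(SAMPLE_ACCOUNTS).items():
        print(f"{vendor}: {', '.join(users)}")
    for finding in audit_third_party_accounts(SAMPLE_ACCOUNTS):
        print("FINDING", finding)
```

Run against the constructed export, the inventory lists three active vendors and the audit produces five findings, four of them on the HVAC vendor's account (a domain-admin role, no MFA, 120 days idle, no end date) and one on the auditor whose contract has ended but whose account is still enabled. The already-disabled account is deliberately excluded from both the inventory and the findings, since disabling is the remediation.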
Breach notification requirements have become increasingly stringent in the past few years. Regulations like GDPR impose significant penalties on organizations for delayed disclosures. So any slowness on your third-party vendor's part to disclose an incident involving client data and systems can have a direct impact on you.
"Often downstream clients are learning of incidents at a point where some of their options are limited or the time they have to react is constrained," McMillan from CynergisTek says. "This can lead to larger than expected consequences when incidents occur."
Poorly configured third-party systems represent a major risk, says Dan O'Sullivan, an analyst at security vendor UpGuard. Bad things can happen when a business partner or other third party stores your sensitive data on incorrectly set up IT systems. "In the case of third-party vendors and misconfigurations, the results can be doubly disastrous for the hiring enterprise," O'Sullivan says.
"While the enterprise does not have direct visibility into or control over the leaky systems, they will suffer the consequences when their sensitive information, shared with the vendor, is exposed," he says.
As one example, he points to a recent incident where an engineering firm accidentally exposed sensitive data belonging to clients like Dell and the City of Austin when it put the data on a server that was publicly accessible via the Internet. In a near identical mistake, a military contractor exposed a file repository containing highly sensitive military data late last year, O'Sullivan notes.
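Both incidents O'Sullivan cites come down to a storage system whose access policy let anyone on the Internet read it. The script below is an added example, not code from the article or from UpGuard: it walks an S3-style bucket policy and reports every Allow statement whose principal is the wildcard, which is the configuration a vendor should be asked to prove it does not have on any system holding your data. The policy document itself is constructed (the account id and bucket names are placeholders); the statement layout follows the AWS IAM policy format.

```python
"""Detect anonymous-access grants in an S3-style bucket policy.

Added example (not from the article). The policy below is constructed; the
account id and bucket names are placeholders. The statement shape
(Effect / Principal / Action / Resource / Condition) follows the AWS IAM
policy document format.
"""
import json
from typing import Any, Dict, List

SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-deliverables/*"},
    {"Sid": "PartnerUpload", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::000000000000:role/partner-upload"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::client-deliverables/inbox/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::client-deliverables/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "ListIfReferer", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::client-deliverables",
     "Condition": {"StringLike": {"aws:Referer": "https://example.com/*"}}}
  ]
}
""")


def _as_list(value: Any) -> List[Any]:
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(principal: Any) -> List[str]:
    """Flatten the Principal element; "*" and {"AWS": "*"} both mean anyone."""
    if isinstance(principal, dict):
        out: List[str] = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return _as_list(principal)


def anonymous_allows(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return every Allow statement whose principal includes the wildcard.

    Statements carrying a Condition are still reported, marked conditional,
    because a condition narrows who gets in but does not make the grant
    private on its own; a reviewer has to judge it.
    """
    flagged: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        flagged.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "conditional": bool(stmt.get("Condition")),
        })
    return flagged


if __name__ == "__main__":
    for f in anonymous_allows(SAMPLE_POLICY):
        kind = "conditional" if f["conditional"] else "unconditional"
        print(f"{f['sid']}: {kind} anonymous {', '.join(f['actions'])} "
              f"on {', '.join(f['resources'])}")
```

On the sample policy the check reports `PublicRead` (unconditional anonymous read of every object, the shape of the incidents above) and `ListIfReferer` (anonymous listing gated only on a request header, flagged for review). The partner-role upload grant and the Deny statement are left alone, because neither hands access to an anonymous principal.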
Credit monitoring giant Equifax's failure to properly address a known vulnerability in one of its software components led to arguably one of the biggest breaches ever involving sensitive data. The same kind of breach can happen to you if your third-party vendors fail to follow secure patch management practices.
Vulnerabilities that are left unchecked as a result of process errors and failures represent a seemingly simple-to-address but potent third-party threat, O'Sullivan says. "What is frustrating about this threat vector is that rugged, resilient [enterprise IT] practices should largely mitigate this issue," he says. "Unfortunately, this has not always been the case, and the result has been a string of hugely damaging data breaches which were largely preventable."
Open source and third-party components can significantly accelerate software development. But third-party software tools can also introduce a lot of vulnerabilities in your software if you are not careful.
Considering that 50% to 75%--and sometimes even 95%--of executing digital code in an organization is from third-party vendors, the risks posed by vulnerable components are especially high, says Chris Olson, CEO of The Media Trust.
"As evidenced by several high-profile attacks, website operators need to be more vigilant about their analytics, data management, customer identification, chat, image library platform providers," Olson says. To mitigate third-party component risk, organizations need to implement a risk-management program that, among other things, develops and continuously updates your inventory of direct and indirect vendors, he notes.
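The patch-management failure O'Sullivan describes and the vendor inventory Olson calls for are two halves of one control: you cannot know a fix is overdue for a component you never inventoried. The script below is an added example, not code from the article or from either vendor, that joins the two. It keeps a component inventory that records supplier and whether each dependency is direct or pulled in by another (Olson's "direct and indirect vendors"), checks installed versions against published fixes, and reports which gaps have exceeded a patch SLA. Component names, suppliers, advisory ids, dates and the 30-day SLA are all constructed assumptions; in practice the inventory comes from an SBOM or lock file and the advisories from vendor security feeds.

```python
"""Component inventory checked against published fixes.

Added example (not from the article). Both the inventory and the advisory
list are constructed with hypothetical component names, suppliers and
advisory ids; the 30-day SLA is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Component:
    name: str
    version: str
    supplier: str
    via: Optional[str] = None   # None = direct dependency; else the component that pulls it in


@dataclass
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str
    published: date


TODAY = date(2018, 5, 29)   # reference date, fixed for reproducibility
PATCH_SLA_DAYS = 30         # assumed policy: fixes applied within 30 days of publication

# Constructed sample inventory (hypothetical components and suppliers).
INVENTORY = [
    Component("webfw", "2.3.31", "WebFW Project"),
    Component("chat-widget", "1.4.0", "ChatCo"),
    Component("analytics-sdk", "5.2.1", "TrackerInc", via="chat-widget"),
    Component("image-lib", "3.0.0", "ImgLib", via="webfw"),
    Component("auth-module", "1.0.0", "internal"),
]

# Constructed advisories with placeholder ids.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "webfw", "2.3.32", date(2018, 3, 6)),
    Advisory("ADV-EXAMPLE-2", "analytics-sdk", "5.3.0", date(2018, 5, 20)),
    Advisory("ADV-EXAMPLE-3", "chat-widget", "1.3.0", date(2018, 1, 1)),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; other schemes need their own parser."""
    return tuple(int(part) for part in v.split("."))


def third_party_share(components: List[Component]) -> float:
    """Fraction of inventoried components not written in-house."""
    external = sum(1 for c in components if c.supplier != "internal")
    return external / len(components)


def unpatched(components: List[Component], advisories: List[Advisory],
              today: date = TODAY, sla_days: int = PATCH_SLA_DAYS) -> List[Dict]:
    """Components running a version below an advisory's fix, oldest gap first."""
    by_name: Dict[str, Component] = {c.name: c for c in components}
    findings: List[Dict] = []
    for adv in advisories:
        comp = by_name.get(adv.component)
        if comp is None:
            continue  # advisory for something not in the inventory
        if parse_version(comp.version) >= parse_version(adv.fixed_in):
            continue  # already at or past the fixed version
        days_open = (today - adv.published).days
        findings.append({
            "component": comp.name,
            "installed": comp.version,
            "fixed_in": adv.fixed_in,
            "advisory": adv.advisory_id,
            "supplier": comp.supplier,
            "path": "direct" if comp.via is None else f"indirect via {comp.via}",
            "days_open": days_open,
            "overdue": days_open > sla_days,
        })
    return sorted(findings, key=lambda f: f["days_open"], reverse=True)


if __name__ == "__main__":
    print(f"third-party share of inventory: {third_party_share(INVENTORY):.0%}")
    for f in unpatched(INVENTORY, ADVISORIES):
        status = "OVERDUE" if f["overdue"] else "open"
        print(f"{status:7} {f['component']} {f['installed']} -> {f['fixed_in']} "
              f"({f['advisory']}, {f['path']}, {f['days_open']} days)")
```

On the sample data four of five components are third-party code, in line with the share Olson cites. Two fixes are outstanding: the web framework has been 84 days behind its fix and is overdue, while the analytics SDK, an indirect dependency that only entered the inventory because the chat widget was traced, is nine days behind and still inside the SLA. The chat widget itself is already past its fixed version and is not reported.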