Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/29/2018
11:10 AM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

6 Ways Third Parties Can Trip Up Your Security

Poor access control, inadequate patch management, and non-existent DR practices are just some of the ways a third party can cause problems
Previous
1 of 7
Next

Image Source: arka38 via Shutterstock

Image Source: arka38 via Shutterstock

The security risks posed by third parties connecting to enterprise networks are well understood.

In recent years, countless organizations have suffered data breaches as the result of a security failure at a vendor, supplier, partner or other third-party with access to their network.

Fifty-six percent of organizations in a 2017 Ponemon Institute survey say they had experienced a data breach stemming from a third-party security failure. More than 4-in-10 (42%) of the respondents say that attacks on their third parties resulted in a misuse of their organization's sensitive and confidential data and 75% believe that risks from third parties is increasing.

One big issue that survey respondents identify is the lack of visibility into the security status of third-party networks and systems. Although third parties have access to an increasing amount of enterprise data, more than half of the respondents in the survey have no inventory of all the external people accessing their networks and data.

The issue is a problematic one for enterprises, especially with regulations such as the EU's General Data Protection Regulation, which went into effect recently. Organizations increasingly are being held directly responsible for breaches stemming from third-party failures and are therefore under the gun to do more about ensuring their vendors and others follow security best practices.

"Third-party vendor risk is the unseen threat for enterprises dealing with cyber-risk," says Dan O'Sullivan, an analyst with UpGuard.  "Like a rip in the back of a jacket, the fact that risks taken on by third-party vendors are not visible does not mean they do not expose you to the world," he notes.

Here in no specific order are some of the most typical ways your third-party can trip up your security:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Previous
1 of 7
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17789
PUBLISHED: 2019-09-20
Prospecta Master Data Online (MDO) allows CSRF.
CVE-2019-11280
PUBLISHED: 2019-09-20
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain ...
CVE-2019-11326
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product is protected by a login. A guest is allowed to login. Once logged in as a guest, an attacker can browse a URL to read the password of the administrative user. The same pro...
CVE-2019-11327
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product has a local file inclusion vulnerability. An attacker with administrative privileges can craft a special URL to read arbitrary files from the device's files system.
CVE-2019-14814
PUBLISHED: 2019-09-20
There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.